 
 

Master Members Only V3

USER MANUAL

 


 



Installation

See the MMO_Installation.html file for installation instructions. It was downloaded with the software package.

 



Deciding how to use Master Members Only V3

Master Members Only V3 was originally designed to provide a secure membership area without the need for .htaccess and with cookies optional.

It utilizes a secret directory (which is never seen in the browser's address bar) for the membership pages. The software monitors all requests for membership pages and delivers them to the browser as appropriate.

The original secret directory method can have hidden file download links. However, it is not optimum for linking to movies or other files that must be protected from access by the public. Therefore, two more methods were developed.

Master Members Only V3 now supports all of the following methods:

  1. The original secret directory method. In this document, this is referred to as the "Secret Directory Method."

  2. A protect entire directories method.

    This method uses both the .htaccess file and cookies. A cookie is set when a member logs into the membership area. That cookie is required by the directory's .htaccess file in order to view pages or see movies or otherwise access files. In this document, this is referred to as the "Any Directory Method."

    Any number of directories may be protected with the Any Directory Method.

  3. A protect individual pages method.

    This method uses PHP pages and cookies. A cookie is set when a member logs into the membership area. That cookie is required by the PHP web page before the page will be displayed in the browser. In this document, this is referred to as the "Any Page Method."

    Any number of pages may be protected with the Any Page Method.

The current version of Master Members Only V3 can handle any or all of the above methods.

Implement one method now, the one most likely to serve your requirements. Other methods may be implemented afterward.

 



The Control Panel


The Control Panel has [?] help links to guide you in its use. The [?] links require JavaScript and spawn a popup window. If you have any browser add-ons that automatically close popup windows, they may need to be turned off before the [?] help links will work.

Unless it was done during installation, when you first type the URL of admin.cgi into your browser, you will be asked to provide a password. What you type here will be your password for future access to the Control Panel.

Here is a short synopsis of each of the Control Panel's main functions:

  1. Configuration

    1. Email Settings: Specify the name and email address to be used in outgoing email headers. Also, the location of sendmail is specified here.

    2. "Password Sharing" Fraud Possibility Notifications: Specify what password sharing fraud possibilities you want to be notified of and how sensitive the notifications shall be. Also specify the subject line your email notifications shall have.

    3. Record Changed Notifications: If you want to be notified whenever a member record is changed, specify the subject line your email notifications shall have.

    4. New Sign-Up Notifications:

      1. Webmaster Notification — If you want to be notified whenever a member record is changed, specify the subject line your email notifications shall have.

      2. Member Notification — If you want to notify the member whenever the member's record is changed, specify both the subject line and the body content the member's email notifications shall have. Placeholders may be used (see Personalizing Member Email In Control Panel and In Original Secret Directory Method Member Pages).

    5. Lost Password Emails: Specify both the subject line and the body content the member's "lost password" emails shall have. Placeholders may be used (see Personalizing Member Email In Control Panel and In Original Secret Directory Method Member Pages).

    6. Cookie Use Settings: Specify whether or not you will be using cookies and, if yes, how long the cookies are to remain in the member's browser.

      If you are using the Any Directory Method or Any Page Method, this must be set to "Yes" for proper cookie handling.

    7. Log Off Time Periods: Specify when members are automatically logged off (subordinate to the cookie setting) and how much time should elapse before you, yourself, are automatically logged off the Control Panel (for security in case you walk away from your computer).

    8. Member Area Settings: A directory path, a URL, and some file names are specified here. These are required for Master Members Only V3 to function correctly.

    9. Optional Member Area Settings: You may specify log-in and password retrieval forms and acknowledgment page here. If not specified, Master Members Only V3 will utilize default pages.

    10. File Downloads: If you are offering file downloads, specify the directory location where the downloadable files are located. The directory location can be anywhere on your server.

      The downloadable files directory location is not disclosed when the file is being downloaded. Still, if the location could be guessed and protection from illicit downloads is a high consideration, the directory with the downloadable files can be somewhere public browsers can't access, such as somewhere in the cgi-bin or in a directory that is password protected.

      This downloadable files feature is available only when using the Secret Directory Method.

    11. Preferred Date Format: Make choices about how you want dates displayed.

  2. Member Records

    1. View/Edit/Delete Members: Retrieve reports of specific member records or a range of records (including the entire database). The reports can be as text, HTML, or form (for editing). You can select which fields you want included in the reports.

    2. Manually Add Members: Add member records manually.

    3. Import Members: Import members from flat file databases like the tab- and comma-delimited files created with the "File|Export" feature of popular databases. You can also import databases with other delimiters, like those that may be created with Perl CGI programs. The database you're importing can have more fields than Master Members Only V3, and it can have fewer fields. Numerous imported date formats (for expiration date, etc.) are supported.

      Note: Please do a backup of Master Members Only V3 database files before importing databases. If something happens during the import, you'll have something to restore from. (The "Backup Data" and "Data Restoration" buttons on the main page of the control panel can be used for this purpose.)

    4. Send Email To Entire Membership: If you want to send an email to the entire membership, click this button. Placeholders may be used (see Personalizing Member Email In Control Panel and In Original Secret Directory Method Member Pages).

    5. Authorization Code for External Program to Automatically Add Members: If you allow external programs to automatically add records to the Master Members Only V3 databases, the external programs must know the authorization code you specify here.

  3. Expiration Handling

    1. Grace Period: When a membership expires, how many days grace are you giving?

    2. Advance Notice: Specify how many days before the membership expires that an email notice shall be sent. Provide the from name and address, the subject line, and the email body. Placeholders may be used (see Personalizing Member Email In Control Panel and In Original Secret Directory Method Member Pages).

  4. User Log Reports

    You can graph page popularity, graph members' number of page views, and display a report concerning every page a specific member has viewed. Graph bar color and maximum length can be specified. Specify the beginning and ending dates for the graphs and report.

  5. Backup Data

    1. Schedule Automatic Backups: You can specify that a backup is automatically done every so many number of days. And you can specify how long to keep the backup files.

    2. Unscheduled Backup: An Unscheduled Backup is actually a backup you do manually by clicking the button.

  6. Data Restoration

    If you need to restore the membership database or the access database, select one from the available scheduled or unscheduled backups. Then click the button to restore the databases from the selected backups.

    Restoring a database restores it to the way it was when it was backed up. Any changes that had been made after that backup point are lost when the database is restored.

 



Original Secret Directory Method


The original directory method:

  1. Delivers pages to the browser without revealing the page location. Pages are located in a secret directory.

  2. Can provide file download links without revealing the server location of the file.

  3. Can provide the means for members to change their member record (name, email, password, but not username).

  4. Does not require an .htaccess file.

  5. Cookies are optional.

The member pages are located in a secret directory.

The secret directory is for your Members Only pages — only the web pages, not image, sound, external style sheet, SSI, or external JavaScript files. Preferably, the secret directory is not accessible by browser to prevent access even if the location is guessed, but that restriction is not absolutely necessary. When a directory is not accessible by browser, typing its URL into your browser results in an error message.

Here are several suggestions where you might put your secret directory, with the most secure listed first.

  1. If your server allows you to upload files into directories behind the public documents directory (the public documents directory is where your domain's default index.html page is located):

    1. Create a directory somewhere behind the public documents directory.

    2. Name it something that makes sense to you.

    3. Make a note of the server directory path to your new secret directory.

  2. If your cgi-bin directory will allow only CGI programs to be accessed by browsers, no HTML files (to test, upload a page into your cgi-bin directory and type its URL into your browser):

    1. Create a directory somewhere in your cgi-bin directory.

    2. Name it something that makes sense to you.

    3. Make a note of the server directory path to your new secret directory.

  3. If you do not have access to directories below your public documents directory and your cgi-bin directory allows browsers to access HTML pages:

    1. Decide upon a secret directory name that is unlikely to be guessed. If it's guessable then it's accessible. You may even want to bury the secret directory several subdirectories deep, each with names unlikely to be guessed. Example:

      x23OPr_t |
               | h0O23d |
                        | YmtrcwQb
      

      (In the example, you would put a blank web page named index.htm or index.html in each of the first two directories after the directories have been created. That will prevent anyone from obtaining a directory listing in their browsers and seeing what the next directory name is.)

    2. Create that directory (and possibly also subdirectories) somewhere in your cgi-bin directory.

    3. Make a note of the server directory path to your new secret directory.

The reason for noting the server directory path (or URL, in the last situation) is that Master Members Only V3 will require that information to be entered into its Control Panel.

      Developing the Members Only area pages

Use a separate directory when developing your Members Only pages.

Use this development directory during your development stage to make the creation of your Members Only pages faster and easier. If you prefer, you can develop your pages on your computer instead of in a development directory on your server. Do what is easiest for you.

The primary thing to remember when developing your Members Only pages is that all link URLs (href="___" and src="___") must be complete http://... URLs.

Here are other considerations:

External style sheets: If you use external style sheets for your members area pages, specify the complete http://... URLs to the files.

Forms: The action="___" must be a complete http://... URL.

External JavaScript files: If you import external JavaScript files, specify the complete http://... URLs to the files.

Server Side Includes (SSI): You may use <!--#include file="___" -->, <!--#include virtual="___" -->, and <!--#exec cgi="___" --> SSI calls.

Because of SSI requirements, you must use relative URLs while your pages are in development. However, before uploading the pages to your secret directory, the SSI relative URLs must be replaced with complete http://... URLs to the files/programs.

After the pages are working to your satisfaction, they are modified in special ways and moved to the secret directory.

      Preparing pages for the secret directory

Here are the steps for making the members pages in your development directory ready for the secret directory.

  1. Verify that all href="___", src="___", and action="___" URLs specify complete http://... URLs. This includes URLs related to forms, images, sounds, external style sheets, and external JavaScript files. If in doubt, make it a complete URL.

  2. If your pages use SSI, change the relative URLs to complete http://... URLs.

  3. Replace href="___" URLs that link to other Members Only web pages with a special code. Links to pages in non-member directories and links to other sites on the Internet should not be changed, only links to web pages within the secret directory.

    The link URL format for linking to web pages within the secret directory is [[PAGE:_____]] where _____ is replaced with the file name of the page being linked to.

    For example, if your link is href="http://example.com/secret/terms.html" then change it to href="[[PAGE:terms.html]]"

    If you have Members Only web pages in subdirectories of the secret directory, then the file name must include the name of the subdirectory. For example, if your link is href="http://example.com/secret/subdir/page.html" then change it to href="[[PAGE:subdir/page.html]]"

  4. Files can be downloaded from the members area in a way that does not disclose the file's location.

    The downloadable files are all placed in one directory. To prevent direct linking, even if the directory location should be guessed, the directory can be somewhere in the cgi-bin or password protected — somewhere public browsers can't access.

    The location of the downloadable files directory is specified in the "File Downloads" section of the Control Panel's configuration page.

    The links for the downloadable files in the members area pages are constructed with a special placeholder.

    The download link URL format is [[DOWNLOAD:_____]] where _____ is replaced with the name of the file to be downloaded. Do not specify the downloadable file's URL or location, just the file name.

    For example, if the direct URL to the download file is href="http://example.com/place/file.zip" then change the link to href="[[DOWNLOAD:file.zip]]"
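
The preparation steps above can be checked and applied mechanically before upload. The following Python script is an added example, not part of Master Members Only V3; the two base URLs, the function names, and the sample page are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed example values; substitute the URLs your development pages link to.
MEMBER_BASE = "http://example.com/secret/"    # URL prefix of links between member pages
DOWNLOAD_BASE = "http://example.com/place/"   # URL prefix of direct download links

ATTR_RE = re.compile(r'\b(href|src|action)\s*=\s*(["\'])(.*?)\2', re.I | re.S)
SSI_RE = re.compile(
    r'<!--#(?:include\s+(?:file|virtual)|exec\s+cgi)\s*=\s*"([^"]*)"', re.I)


def is_complete(url):
    """True for a complete http://... (or https://...) URL."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def safe_name(name, allow_subdirs):
    """Reject empty names, '.'/'..' segments and, for downloads, any directory part."""
    segments = name.split("/")
    if not name or any(s in ("", ".", "..") for s in segments):
        return False
    return allow_subdirs or len(segments) == 1


def prepare_page(html):
    """Return (rewritten_html, problems) for one development page."""
    problems = []

    def rewrite(match):
        attr, quote, url = match.groups()
        # Already converted, or (assumption) a mailto:/in-page link the manual
        # does not cover: leave untouched.
        if url.startswith("[[") or url.startswith(("mailto:", "#")):
            return match.group(0)
        if attr.lower() == "href":
            for base, tag, subdirs in ((DOWNLOAD_BASE, "DOWNLOAD", False),
                                       (MEMBER_BASE, "PAGE", True)):
                if url.startswith(base):
                    name = url[len(base):]
                    if safe_name(name, subdirs):
                        return f"{attr}={quote}[[{tag}:{name}]]{quote}"
                    problems.append(f"{attr}={url!r}: unusable name for [[{tag}:...]]")
                    return match.group(0)
        if not is_complete(url):
            problems.append(f"{attr}={url!r} is not a complete URL")
        return match.group(0)

    out = ATTR_RE.sub(rewrite, html)
    # SSI targets must also be complete URLs before the page is uploaded.
    for url in SSI_RE.findall(html):
        if not is_complete(url):
            problems.append(f"SSI target {url!r} is not a complete URL")
    return out, problems


# Constructed sample page, not taken from the software package.
SAMPLE = '''<html><head>
<link rel="stylesheet" href="http://example.com/css/members.css">
<script src="js/menu.js"></script>
</head><body>
<!--#include virtual="/inc/header.html" -->
<a href="http://example.com/secret/terms.html">Terms</a>
<a href="http://example.com/secret/subdir/page.html">Page</a>
<a href="http://example.com/place/file.zip">Download</a>
<a href="http://example.com/public/about.html">About</a>
<form action="update.cgi" method="post"></form>
</body></html>'''

if __name__ == "__main__":
    page, issues = prepare_page(SAMPLE)
    print(page)
    for issue in issues:
        print("FIX BEFORE UPLOAD:", issue)
```

Upload a page only when the problems list is empty; links outside the two base URLs are left unchanged, as step 3 requires.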

      Uploading to the secret directory

Once the web pages in your development directory (or on your computer) have been properly prepared, they need to be moved to your secret directory. Move only the web pages — image, sound, style sheet, or other non-web page files should not be in the secret directory.

If you have web pages in subdirectories of your development directory, they must be moved into subdirectories of the same name in the secret directory.

After your web pages are moved, download a copy to your computer for a backup.

Then, if you used a development directory on your server, delete the members web pages from the development directory — this is to prevent the pages from being accessed by those not authorized to do so. However, delete only the web pages from the development directory, not image, style sheet, or other files the pages in your secret directory depend on.

      Allowing Members To Change Their Own Record

You can let your members change their own record — name, email, and password. Simply paste the form below into one of your Members Only pages.

You can change the form's design and the form field labels, if you wish. But the action="_____" and name="_____" and value="_____" attributes should remain as they are.

Exception: The value="_____" for the name="thankyoupage" hidden field can have a different file name. Replace first.html with the file name of the Members Only page you want to use as the "thank you" page.

 



Personalizing Member Email In Control Panel and In Original Secret Directory Method Member Pages


You may use the following placeholders anywhere in email to members sent through the control panel and anywhere on member pages of the Secret Directory Method. Place the placeholder where the relevant information is to be inserted.

When the email is sent or the page is displayed by Master Members Only V3, the placeholder is replaced with real information. (If the real information is not available, the placeholder is deleted.)

Placeholder     Is Replaced With
[[realname]]    The member's real name
[[email]]       The member's email address
[[username]]    The member's username
[[pw]]          The member's password
[[created]]     The date the member's record was first created
[[updated]]     The date the member's record was last updated
[[expires]]     The date the member's membership expires
 



Requirements for Both Entire Directories and Individual Pages Protection Methods


There are 1 or 2 requirements depending on whether or not you are also using the Secret Directory Method.

  1. In the control panel's Configuration page, in the "Cookie Use Settings" section, verify the "Yes" radio button is selected. (See The Control Panel.)

  2. If you are not also using the Secret Directory Method, a page needs to be created for immediately after members log in. For these instructions, let's refer to that page as the After Log-in page.

The After Log-in page may be a welcome page. Or, it may redirect the browser to another page.

When the location of the After Log-in page has been determined, go to the "Member Area Settings" section of the control panel's Configuration page (see The Control Panel) and:

  1. In the field labeled, "Type the directory path to the secret directory containing the member's only pages," type in the directory path to the After Log-in page. Type the full directory path, but not the After Log-in page file name.

  2. In the field labeled, "When a member logs in, what is the file name of the first page they see," type in the After Log-in page file name.

Do the above only if you are not also using the Secret Directory Method.

If the After Log-in page will be redirecting, the following can be used as the complete redirect page:

In the above web page source code, replace _________ in all 3 places with the complete http://... URL of the page being redirected to.

 



Protecting with the Any Directory Method


Entire directories can be made accessible only to browsers with the Master Members Only V4 log-in cookie.

Before setting this up, see Requirements for Both Entire Directories and Individual Pages Protection Methods.

For the Any Directory Method, add these four lines to the .htaccess file of each directory being protected:

In the fourth line of the above code, replace http://example.com/members/login.php with the URL of the web page the browser shall display if it does not have the cookie. That would probably be the log-in page, but can be any page you wish.

When the 4 lines, correctly edited, are put into the .htaccess file of the directory to be protected, browsers without the Master Members Only V3 cookie will be redirected to the web page you specified.

 



Protecting with the Any Page Method


Individual PHP web pages can be made accessible only to browsers with the Master Members Only V4 log-in cookie.

Before setting this up, see Requirements for Both Entire Directories and Individual Pages Protection Methods.

For the Any Page Method, put this PHP code at the top of each page to be protected:

Change the value of $LogInPageURL to the URL of the web page where the browser is to be redirected if it does not offer the correct cookie. That would probably be the log-in page, but can be any page you wish.

If the browser provides the correct cookie, the server delivers the page. Otherwise, the browser is redirected to the URL specified in the PHP code.

 



Signup Form


A signup form is not strictly necessary; other methods of adding members to the Master Members Only V3 database are entering them manually with the control panel or letting an e-commerce or other program do it.

An example signup form is file signup.html

The form's action="___" is the Master Members Only V3 signup.cgi program.

If you use a sign-up form, you optionally may specify the membership period in years, months, and/or days. Examples:

<input type="hidden" name="period_years" value="1">
<input type="hidden" name="period_months" value="2">
<input type="hidden" name="period_days" value="10">

You may use none, one, two, or all three of the above. If you use more than one, the membership period will be the result of adding the periods together. If you use none, the membership period will be indefinite.

 



Membership Extension Form


This form can be used to extend the expiration date of existing members. Like the signup form, the membership extension form is not strictly necessary; other methods of adding members to the Master Members Only V3 database can be utilized.

An example membership extension form is file extend.html

The form's action="___" is the Master Members Only V3 extend.cgi program.

If you use a membership extension form, you optionally may specify the membership period in years, months, and/or days. Examples:

<input type="hidden" name="period_years" value="1">
<input type="hidden" name="period_months" value="2">
<input type="hidden" name="period_days" value="10">

You must use at least one of the above. You may use two or all three. If you use more than one, the membership period will be the result of adding the periods together.

 



Other Forms and Pages


All of the forms and the confirmation page addressed in this section may be custom designed by you (the action="____" for the forms is the URL to the Master Members Only V3 main.cgi program).

To use your custom pages, specify their URLs in the Configuration Control Panel, under "Optional Member Area Settings." If the URLs are not specified, Master Members Only V3 will generate and display default pages as appropriate.

      Member log-in form

This is a form used to log into the members only area. An example form is in file login.html

If you wish, you may provide a link to the "lost password" form by sending data name forgot_password with value yes to main.cgi. Example:

<a href="http://url/to/main.cgi?forgot_password=yes">
Forget password?</a>

      Log-in failed form

This is a form used when the previous log-in attempt failed. An example form is in file failedlogin.html

Like the Member log-in Form, a link to the "lost password" form may be provided.

      Lost password form

When a member forgets or loses a password, this form can be used to request the password be sent to the member's email address of record. An example form is in file forgotpw.html

The "lost password" form must contain this hidden field:

<input type="hidden" name="sp" value="yes">

      Password sent confirmation page

When a member's password has been sent to the email address of record, a confirmation page is presented. An example confirmation page is file pwsent.html

 



Bulk Adding Members


The software script file to bulk add usernames and passwords to the members only database is named bulkadd.cgi. To use it, type its URL into your browser's address bar.

When the URL of bulkadd.cgi is loaded into your browser window, it will ask for a password. Provide the same password as you do for the control panel.

Then, either type the usernames and passwords into the form or paste in the contents of a file prepared ahead of time.

Specify one username and password set per line. Separate the username and the password with a space. Example:

willie were345*k
wonka 98D*dfds
chocolate llkdfkd##d

If the records shall have additional information (name, email address, expiration date) then use the regular control panel, instead. Adding members is done with the "Member Records" button, then the "Manually Add Members" button.

 



Database Integrity


Databases are vulnerable. Power fluctuations and server restarts while databases are being updated are only two of the variables most of us have no control over.

Even with the variables beyond your control, there is something you can do:

— Make frequent backups of your databases —

Your databases are in the /data directory. Every file in the /data directory is part of the Master Members Only V3 system of databases.

A backup copy of all database files should be made weekly. These can be scheduled as automatic backups or you can do unscheduled backups manually. See The Control Panel. If you anticipate or experience a surge of new members, another backup should be made.

Extra precaution such as this is prudent, especially if you have a large number of members.

If you wish to keep a backup copy of the databases on your hard drive, in addition to those made through the control panel, use your FTP program and download every file in the /data directory. Download the files as binary, not as ASCII/plain text.

Do not open the downloaded backup file or, if you do, be certain your software does not save it. Doing so can introduce characters that break the file.

If you need to restore your databases from copies on your hard drive, upload your latest backup copy with FTP. Upload the files as binary, not as ASCII/plain text.

 



Technical Support


Technical support is available via the help desk or the contact page on willmaster.com.

 



Thank you for your purchase of Master Members Only V3.

 



Copyright 2001 William Bontrager
Copyright 2007, 2009 Bontrager Connection, LLC