Need advice on website authenticating thousands of users

I need to set up some type of authentication system (non FTP) for approximately 2000 customers with which they will have access to one of two pricing folders. My thoughts are that I don't want to have to manually type all their information in. Thus, I'm thinking I'll have them register on a webpage and then have that information stored in a database, then forwarded to someone I designate. Then that person approves or denies that registration, and if approved, they will be assigned their specific folder containing catalogs/pricing/images, etc. (between A or B) to view contents. Both folders will house different content.

I'd like some advice on how to accomplish this with the highest level of importance placed on security. However, I'd like there to be minimum effort for my employees regarding registration, storage, access, customer service, etc. I think once a registration is set up and access is assigned, that should be pretty much the end of the story short of updating the folders' contents.

What's the best and most efficient way to accomplish this?  I'd like to stick to some type of Windows based solution on the back end as we have difficulty with getting support for Linux in our local area, and we are operating in a Windows environment.  Since this is most likely going to be webpage based, I'd like to avoid any type of WordPress or Joomla that will have to be managed or updated frequently due to constant vulnerabilities and attacks.  Hoping to just keep this simple with maximum security from registration all the way to customer file access.  

I'm considering buying a separate box just to house and run this and set it up in the DMZ outside our main network. I can configure the edge devices to whatever is needed for promoting the highest security. Any and all thoughts would be appreciated.

Needless to say, I don't want an expensive solution.  I have resources (man hours) to get this done, but would prefer a solution that doesn't require expensive licensing, hardware, or subscriptions.

If I'm pointed in the completely wrong direction, I'd like to know that as well.  The above are just my ideas off the cuff.

Steven Webster Asked:
Randy Poole Commented:
I would make a simple database consisting of the signup/authentication information.  Then they get directed to  .NET or php once they are authenticated which displays the files/folders and allows them to download as needed or expand on it so they can download a zip of whichever folder they want.
Randy Poole Commented:
Do you have access to a SQL Database and Server with IIS 7+ on it?  Also do the clients only need download access or upload as well?
Steven Webster (Author) Commented:
Yes, we have access to a SQL database and have a server with IIS 7 on it.  The clients only download content, no uploading will be permitted.
Steven Webster (Author) Commented:
I'm guessing this is something I cannot set up easily? I know very little about SQL and even less about .NET/PHP. I'm guessing I need to hire someone to write the SQL database and someone else to write the .NET/PHP site. I don't have any developers as resources.
If I understood correctly, all these people are going to have access to the same information. If so, I will suggest creating a page requesting a username and password, and if the password is valid, then show another page with the available files for download so they can select the files they want to download and download them in their own time. All this can be done by PHP, HTML or ASP, just remember to keep the download links hidden from the browser to force the user to always use the logon page.

To make it look nice, your customers should be directed or sent to something like: or

The only thing here is they will all have the same username and password.
Steven Webster (Author) Commented:
Thanks for the comment, unfortunately we will need to track which customers log in when.  This is part of a bunch of issues this project hopes to fix including timing of pricing.  We allow for a small time frame for our customers to purchase with a current price quoted in the documentation.  With prices changing a lot, some of them are complaining that they are getting the quotes and purchasing them with incorrect pricing.  To ensure accurate, up-to-date pricing, we require that the customer acquire the latest pricing guide before they place an order.  To eliminate any excuses, I want them to have their own login where we can track who logs in when, for how long, and whether or not they made an access request for a file and if it was transmitted successfully.  Our sales reps end up stuck in the middle as they were the ones previously filling pricing requests.  We had been honoring the customers' word, but it's become too much of a hassle at this point and hopefully this project will use technology to unload the burdensome process of our sales team providing pricing.
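The design discussed above (a signup database, manual approval into folder A or B, downloads that only work through the login, and a per-customer record of logins and file requests) can be sketched as follows. This is an added example, not code from the thread: it uses Python with an in-memory SQLite database as a stand-in for the SQL Server database and the .NET/PHP page, and the path `/srv/pricing`, the table layout and all function names are assumptions.

```python
import hashlib, hmac, os, sqlite3, time
from pathlib import Path

ROOT = Path("/srv/pricing")  # assumed location, kept outside the web root

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def init_db():
    db = sqlite3.connect(":memory:")  # stand-in for the SQL Server database
    db.executescript("""
        CREATE TABLE users(email TEXT PRIMARY KEY, salt BLOB, pw BLOB,
                           status TEXT DEFAULT 'pending', folder TEXT);
        CREATE TABLE audit(ts REAL, email TEXT, event TEXT, detail TEXT);""")
    return db

def log(db, email, event, detail=""):
    db.execute("INSERT INTO audit VALUES (?,?,?,?)", (time.time(), email, event, detail))

def register(db, email, password):
    salt = os.urandom(16)  # per-user salt; only the derived hash is stored
    db.execute("INSERT INTO users(email, salt, pw) VALUES (?,?,?)",
               (email, salt, hash_pw(password, salt)))
    log(db, email, "registered")

def approve(db, email, folder):
    if folder not in ("A", "B"):
        raise ValueError("folder must be A or B")
    db.execute("UPDATE users SET status='approved', folder=? WHERE email=?", (folder, email))
    log(db, email, "approved", folder)

def login(db, email, password):
    row = db.execute("SELECT salt, pw, status FROM users WHERE email=?", (email,)).fetchone()
    salt, pw, status = row or (b"\0" * 16, b"", "unknown")  # hash even for unknown users
    ok = hmac.compare_digest(pw, hash_pw(password, salt)) and status == "approved"
    log(db, email, "login_ok" if ok else "login_denied")
    return ok

def resolve_download(db, email, name):
    """Path an authenticated user may be sent, or None; every request is logged."""
    row = db.execute("SELECT folder FROM users WHERE email=? AND status='approved'",
                     (email,)).fetchone()
    target = None
    if row:
        base = (ROOT / row[0]).resolve()
        candidate = (base / name).resolve()
        if base in candidate.parents:  # rejects ../ escapes into the other folder
            target = candidate
    log(db, email, "download_granted" if target else "download_denied", name)
    return target

def events(db, email):
    return [r[0] for r in db.execute("SELECT event FROM audit WHERE email=? ORDER BY rowid", (email,))]
```

In a real handler the file would be streamed by the server-side code after `resolve_download` returns a path, with a further audit row written once the transfer completes.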
I have implemented the previous option for a company that also sells, they are a major wholesaler for US and Canada.

There is nothing you can put on your system to find out when they came to download, how long they stay and if the prices they have are correct.

For the company to function properly, your site (front-end) should always have the latest file (file size, date and name can be included on the download page) and the file should include a deadline for the included prices. Your new prices should go up at least 2 days before the deadline of the previous one. The sales department should have tools to send their customers something like alerts of starting dates and deadlines for sales/promotions.

The other way around to avoid always going with "the customer is always right" or honoring old prices: price lists can be sent in promotional campaigns to buyers' email.

If you still want to try to put something more complicated in place, go check this tool: