Need advice on website authenticating thousands of users

Posted on 2014-09-15
Last Modified: 2014-10-18
I need to set up some type of authentication system (non FTP) for approximately 2000 customers with which they will have access to one of two pricing folders.  My thoughts are that I don't want to have to manually type all their information in.  Thus, I'm thinking I'll have them register on a webpage and then have that information stored in a database, then forwarded to someone I designate.  Then that person approves or denies that registration, and if approved, they will be assigned their specific folder containing catalogs/pricing/images, etc. (between A or B) to view contents.  Both folders will house different content.

I'd like some advice on how to accomplish this with the highest level of importance placed on security.  However, I'd like there to be minimum effort for my employees regarding registration, storage, access, customer service, etc.  I think once a registration is set up and access is assigned, that should be pretty much the end of the story short of updating the folders' contents.

What's the best and most efficient way to accomplish this?  I'd like to stick to some type of Windows based solution on the back end as we have difficulty with getting support for Linux in our local area, and we are operating in a Windows environment.  Since this is most likely going to be webpage based, I'd like to avoid any type of WordPress or Joomla that will have to be managed or updated frequently due to constant vulnerabilities and attacks.  Hoping to just keep this simple with maximum security from registration all the way to customer file access.  

I'm considering buying a separate box just to house and run this and set it up in the DMZ outside our main network.  I can configure the edge devices to whatever is needed for promoting the highest security.  Any and all thoughts would be appreciated.

Needless to say, I don't want an expensive solution.  I have resources (man hours) to get this done, but would prefer a solution that doesn't require expensive licensing, hardware, or subscriptions.

If I'm pointed in the completely wrong direction, I'd like to know that as well.  The above are just my ideas off the cuff.

Question by:Steven Webster

Expert Comment

by:Randy Poole
ID: 40323295
Do you have access to a SQL Database and Server with IIS 7+ on it?  Also do the clients only need download access or upload as well?

Author Comment

by:Steven Webster
ID: 40323341
Yes, we have access to a SQL database and have a server with IIS 7 on it.  The clients only download content, no uploading will be permitted.

Accepted Solution

Randy Poole earned 500 total points
ID: 40323371
I would make a simple database consisting of the signup/authentication information.  Then they get directed to  .NET or php once they are authenticated which displays the files/folders and allows them to download as needed or expand on it so they can download a zip of whichever folder they want.

Author Comment

by:Steven Webster
ID: 40324021
I'm guessing this is something I cannot set up easily?  I know very little about SQL and even less about .NET/PHP.  I'm guessing I need to hire someone to write the SQL database and someone else to write the .NET/PHP site.  I don't have any developers as resources.

Expert Comment

ID: 40326188
If I understood correctly, all these people are going to have access to the same information. If so, I would suggest creating a page requesting a username and password, and if the password is valid, showing another page with the available files for download so they can select the files they want and download them in their own time.  All this can be done with PHP, HTML or ASP; just remember to keep the download links hidden from the browser to force the user to always use the logon page.

To make it look nice your customers should be directed or sent to something like: or

The only thing here is they will all have the same username and password.

Author Comment

by:Steven Webster
ID: 40326226
Thanks for the comment, unfortunately we will need to track which customers log in when.  This is part of a bunch of issues this project hopes to fix including timing of pricing.  We allow for a small time frame for our customers to purchase with a current price quoted in the documentation.  With prices changing a lot, some of them are complaining that they are getting the quotes and purchasing them with incorrect pricing.  To ensure accurate, up-to-date pricing, we require that the customer acquire the latest pricing guide before they place an order.  To eliminate any excuses, I want them to have their own login where we can track who logs in when, for how long, and whether or not they made an access request for a file and if it was transmitted successfully.  Our sales reps end up stuck in the middle as they were the ones previously filling pricing requests.  We had been honoring the customers' word, but it's become too much of a hassle at this point and hopefully this project will use technology to unload the burdensome process of our sales team providing pricing.
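
Added example, not from the thread: the flow the accepted solution outlines combined with the per-customer tracking asked for above, with self-registration held for approval, one assigned folder (A or B), and downloads resolved server-side so no direct file link is exposed. Python with an in-memory SQLite database stands in for the .NET/PHP and SQL stack discussed; `ROOT` and the table and function names are assumptions.

```python
import hashlib, hmac, os, sqlite3, time
from pathlib import Path

ROOT = Path("/srv/pricing")        # assumed storage root, kept outside the web root
db = sqlite3.connect(":memory:")   # stand-in for the SQL database
db.executescript("""
CREATE TABLE users(email TEXT PRIMARY KEY, salt BLOB, pw BLOB,
                   status TEXT DEFAULT 'pending', folder TEXT);
CREATE TABLE audit(ts REAL, email TEXT, event TEXT, detail TEXT);
""")

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def log(email, event, detail=""):
    db.execute("INSERT INTO audit VALUES (?,?,?,?)", (time.time(), email, event, detail))

def register(email, password):  # self-service signup, held as 'pending'
    salt = os.urandom(16)
    db.execute("INSERT INTO users(email, salt, pw) VALUES (?,?,?)",
               (email, salt, _hash(password, salt)))
    log(email, "registered")

def approve(email, folder):  # reviewer assigns exactly one folder, A or B
    if folder not in ("A", "B"):
        raise ValueError("folder must be A or B")
    db.execute("UPDATE users SET status='approved', folder=? WHERE email=?",
               (folder, email))
    log(email, "approved", folder)

def login(email, password):
    row = db.execute("SELECT salt, pw, status FROM users WHERE email=?",
                     (email,)).fetchone()
    ok = (bool(row) and row[2] == "approved"
          and hmac.compare_digest(row[1], _hash(password, row[0])))
    log(email, "login_ok" if ok else "login_failed")
    return ok

def resolve_download(email, filename):
    """Map a requested name to a path inside the user's own folder only."""
    row = db.execute("SELECT folder FROM users WHERE email=? "
                     "AND status='approved'", (email,)).fetchone()
    base = (ROOT / row[0]).resolve() if row else None
    target = (base / filename).resolve() if base else None
    if base is None or base not in target.parents:
        log(email, "download_denied", filename)
        return None
    log(email, "download_served", str(target))
    return target
```

The `email` passed to `resolve_download` must come from the server-side session created after `login` succeeds, not from a request parameter; the `audit` table then answers who logged in when and which file each customer requested.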

Expert Comment

ID: 40326294
I have implemented the previous option for a company that also sells; they are a major wholesaler for the US and Canada.

There is nothing you can put on your system to find out when they came to download, how long they stayed and whether the prices they have are the correct ones.

For the company to function properly, your site (front end) should always have the latest file (file size, date and name can be included on the download page), and the file should include a deadline for the included prices; your new prices should go up at least 2 days before the deadline of the previous one.  The sales department should have tools to send their customers something like alerts of the start and deadline dates of sales/promotions.

The other way around, to avoid always going with "the customer is always right" or honoring old prices, price lists can be sent in promotional campaigns to buyers' email.

If you still want to try to put something more complicated in place, go check this tool:

Question has a verified solution.
