IP addresses change depending on the ISP of the user viewing your website. Some will be assigned a static IP, while many home users may be assigned a dynamic IP that could change on a varying basis.
There are a few different options for handling user authentication, with varying levels of usability:
- Use a login form and create users. You will have to create a database to store encrypted passwords and other user data.
- Use a login with IP address whitelisting. You can detect the origin of the server request using the $_SERVER['REMOTE_ADDR'] variable in PHP. Note that if the user is going through a proxy, you will be returned the proxy IP and not the user's. You can require a login from anyone outside your array of whitelisted IPs.

A small sample script to set up your database:

    $ mysql -u root -pYourPassword
    > CREATE DATABASE mysite;
    > USE mysite;
    > CREATE TABLE users (id TINYINT NOT NULL AUTO_INCREMENT, name VARCHAR(30), password VARCHAR(60), email VARCHAR(30), PRIMARY KEY (id));

That's it for creating a very simple database. For security, you should always salt passwords prior to passing them through the MySQL PASSWORD() function.
If you aren't comfortable using a database, you can manage user login credentials using htaccess. It is simple and offers no extra fringe benefits or manageability that would come with a programmatic login.

    # just a basic login
    AuthType Basic
    AuthName "Login Required"
    # the absolute path to your htpasswd. you can use relative, just be conscious if you move either file
    AuthUserFile /path/to/.htpasswd
    # if you don't have this, your already limited security is blown
    Require valid-user

Wherever the .htpasswd is according to the htaccess, you will have a file .htpasswd with one line per user that looks something like:

    john:$apr1$j08c8l7h$ck52z9GqO0VTgKY5OMerV0

Whenever using the .htaccess method, you should own and chmod 600 the files to ensure only the Apache user can read them:

    chown www-data:www-data .htaccess && chmod 600 .htaccess
    chown www-data:www-data /path/to/.htpasswd && chmod 600 /path/to/.htpasswd

I would highly recommend using a standard login system with your information stored in a MySQL (or Postgres, Oracle, etc.) database. You noted yourself that IP addresses do change, and frequently updating and managing access to a site using only a list of IP addresses is neither efficient nor secure.
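
An added example, not part of the original answer, of the IP whitelisting option combined with a password check: whitelisted addresses skip the login and everyone else must authenticate. It goes beyond a flat array of IPs by also accepting IPv4 CIDR ranges, and it uses PHP's password_hash()/password_verify() (salted bcrypt, whose 60-character output fits the password VARCHAR(60) column) in place of MySQL PASSWORD(). The function names, addresses and the in-memory $users array are constructed for illustration, and 64-bit PHP 7.1+ is assumed.

```php
<?php
// Added example; function names and sample data are hypothetical/constructed.
// Assumes 64-bit PHP 7.1+ and IPv4 only.

// Constructed whitelist using documentation-range addresses (RFC 5737).
const WHITELIST = ['203.0.113.10', '198.51.100.0/24'];

// True if $ip equals a whitelisted address or falls inside a CIDR entry.
function ip_is_whitelisted(string $ip, array $whitelist): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false; // not a valid IPv4 address: fail closed
    }
    foreach ($whitelist as $entry) {
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        $netLong = ip2long($net);
        if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
            continue; // skip malformed entries instead of matching them
        }
        $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

// A request needs the login form unless it is already logged in or whitelisted.
function needs_login(string $remoteAddr, bool $loggedIn): bool
{
    return !$loggedIn && !ip_is_whitelisted($remoteAddr, WHITELIST);
}

// Check a submitted password against the stored hash for that user name.
function check_login(array $users, string $name, string $password): bool
{
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

// Constructed stand-in for the users table: name => salted bcrypt hash.
$users = ['john' => password_hash('correct horse', PASSWORD_BCRYPT)];

// REMOTE_ADDR is the TCP peer (possibly a proxy); client-supplied headers
// such as X-Forwarded-For are deliberately not consulted.
$ip = $_SERVER['REMOTE_ADDR'] ?? '192.0.2.55'; // constructed fallback for CLI runs

var_dump(needs_login('203.0.113.10', false));   // exact whitelist entry
var_dump(needs_login($ip, false));              // live address, or the CLI fallback
var_dump(check_login($users, 'john', 'correct horse'));
var_dump(check_login($users, 'john', 'wrong guess'));
```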