ShopSite Tip – Securing Content With Customer Groups

Sometimes you need to secure content on your site to specific customers.   Maybe you want to limit products to only certain people or just create some “Members Only” pages for a group of users.

Our Wholesale Module can do this, but it provides many more features instead of just a basic security option, so in this post we’ll review some sample code that you can put into a template which will require a user to be in a specific ShopSite Customer Group before they can see the content.


This method of securing pages uses ShopSite’s Customer Registration feature, so ShopSite Pro will be needed.  For the user to pass the security check and see the content they must:

  1. Have a registered customer account in your store.
  2. Their account must be in a specified security group (determined by you)
  3. They must be logged in to their account

When logged in to a customer account, their browser will store a cookie with their account details.  The code will read the cookie to see if they are logged in and have the correct access before the content is displayed.

The Code

PHP is used to parse the cookie values and determine if the customer can see the content.  In a custom template, replace the “[– PAGE.Text1 –]” tag with the the sample code below:

// Set Secured Group
$secured_group = "[-- PAGE.Field20 --]"; //Use Extra field
//$secured_group = "special user"; //Use Hardcoded Value

// Get ShopSite Cookie
$cookie_values = $_COOKIE["ss_reg_[-- STORE_Serial_Number --]"];
$cookie_array = explode('|',$cookie_values);
$cust_name = $cookie_array[0];
$cust_group = $cookie_array[1];
$cust_signed_in = $cookie_array[2];

// Display Content
if($cust_signed_in == 'yes' && $cust_group == $secured_group){?>
[Secure content goes here]
[-- PAGE.Text1 --]

<?php }elseif($cust_signed_in == 'yes' && $cust_group <> $secured_group){?>
[logged in, but not in the correct group, what they should do goes here]
Your account does not have access to this page. 

<?php }else{ ?>
You are not logged in. [message to login goes here]
<?php } 

What It Does

The “$secured_group” variable stores the name of the customer group that the page is secured to.  You can set this to an extra page field (which allows you to use the same code for different pages using different groups) or you can use the line of code below it to hard-code the group value.

The “$cookie_values” variable stores the cookie values, which are then parsed into their own variables.

The “// Display Content” sections is what checks the values and displays either the content or messages to the user.  You’ll see in the code where it displays the secure content with [– PAGE.Text1 –] if they are both logged in and in the correct security group:

<?php if($cust_signed_in == ‘yes’ && $cust_group == $secured_group){?>
<br>[Secure content goes here]<br>[– PAGE.Text1 –]<br>

Below that is what the customer sees if they are logged in, but not in the correct group:

<?php }elseif ($cust_signed_in == ‘yes’ && $cust_group <> $secured_group){?>
<br>[logged in, but not in the correct group, what they should do goes here]
Your account does not have access to this page. <br>

The last section is what the customer sees when they are not logged in:

<?php }else{ ?>
<br>You are not logged in. [message to login goes here]<br>

Modify each section with any text, links, or details that you need to tell the customer.  Be sure to only change the content between the “<BR>” tags and not the PHP code itself.  (But feel free to modify the code if you want to make any changes to how the process works.)

  • Note: Page Filenames – Since PHP code is used you need to give your page a filename ending in .php (ex: mypage.php) so the code can be executed. Another option is to modify your .htaccess file to process PHP code in all .htm/.html files.

An Example

For a sample of how this works, see this page on our test store:

We have created a customer group named “security-test” and added the test user to it.  When you first visit the page you’ll see a message that you do not have access, but when you login the message will change.  Details to login are on the test page.

Hard-Coding Into Text 1

While the details above tell you to use a custom template for this, you can use it in the Text 1 field of a page as well.  However, ShopSite tags are not processed in Text fields, so you would just need to make 3 small changes:

  1. Remove the “//” from the beginning of the “//$secured_group = “special user”;” line and change “special user” to the name of the customer group that you want to use.
  2. Change “[– STORE_Serial_Number –]” to your store’s Serial Number, which can be found on the Preferences > Hosting Service screen in ShopSite.
  3. Remove the “[– PAGE.Text1 –]” value.

You can now put the code into a Text 1 field and it will run correctly.  Be sure that you’re in the plain text editing mode and don’t enable the HTML Editor before you paste in the code, otherwise the special characters which make it work will be lost.


Looking for a web host that understands ecommerce and business hosting?
Check us out today!

Leave a Reply