How CARL's Members Area Works
CARL includes a built-in membership system that lets you restrict pages to registered members. There's no plugin, no third-party service, and no separate membership platform to manage. Registration, login, session handling, and access control all run directly on your server as part of CARL.
Access Levels
CARL offers two membership levels: free and premium. Free membership is open to anyone who registers. Premium membership is for paid or manually upgraded accounts. When you restrict a page, you choose which level is required to view it. A premium page is inaccessible to free members. A free-tier member's page is inaccessible to visitors who aren't logged in.
How Sessions Work
When a member logs in, CARL creates a session token and sets a secure, HTTP-only cookie in the browser with a 30-day expiry. The token is hashed before it's stored in the database, so the raw session value is never retained on the server. On each request to a protected page, CARL checks the cookie, validates the session against the database, confirms the member's account is active, and verifies their access level before allowing the page to load.
If the session has expired or the cookie is missing, the visitor is redirected to the login page, with the original URL included as a redirect parameter, so they land back on the correct page after logging in. If they're logged in but their access level is insufficient, they're redirected to an upgrade page instead.
Registration Modes
Registration can be set to open or approval-required in your Members settings. With open registration, new accounts become active immediately after signup. Once approval is required, new accounts remain pending until you approve them from the Members dashboard in the admin panel. The approval mode is useful when you want to control who gets access rather than letting anyone register freely.
Password Requirements
CARL enforces a minimum password standard on registration: at least 8 characters, one uppercase letter, and one number. Passwords are stored as bcrypt hashes. The plain-text password is never written to the database or any log file.
The Members Dashboard
In the CARL admin panel, the Members section shows a summary of total members broken down by status (active, pending, suspended) and access level. From there, you can approve pending registrations, suspend accounts, change a member's access level, and delete members. Each member record shows their email, username, registration date, last login, and current status.
