SaranacLake Posted November 27, 2019

Hi everyone.

Getting my head back into PHP after a long time away, so pardon the newbie question!

I would like to create a simple website that is private to me and a few select people. The intention is to be able to share pictures or files. (Sort of like my own personal dropbox.)

Looking to put up some Holiday photos, so this needs to be a quick endeavor.

I was thinking of creating a php page that is a log in page. No database, but if the user enters the correct username and password then I could reveal photos or maybe links to other pages.

How does that sound?

I have done .htaccess files in the past, but they sorta look crude and might scare non-technical people away.

Thoughts?

requinix Posted November 27, 2019

Do you have the rest of it built out? Because if not then I would suggest using one of the millions of existing services to do this.

But an .htaccess with a username and password is a really quick way to do this. They go to the site, the browser pops up a little window asking for a username and password, they enter it, and they get in. And the browser can remember it like the login for any other website.

SaranacLake (Author) Posted November 27, 2019

49 minutes ago, requinix said:
> Do you have the rest of it built out? Because if not then I would suggest using one of the millions of existing services to do this.
>
> But an .htaccess with a username and password is a really quick way to do this. They go to the site, the browser pops up a little window asking for a username and password, they enter it, and they get in. And the browser can remember it like the login for any other website.

I don't have anything currently. Just wanted to throw up an anonymous site where I can share things like work photos for a temporary period. (This is since I have a webserver I pay for every month and never use for anything!)

Your suggestion is probably the easiest, but to be devil's advocate...

1.) There is no reason I couldn't create a basic log in screen WITHOUT a database, right? Just have my PHP check a hard-coded hash (or password) and if it's correct, the page loads.

2.) In that scenario, once logged in, I could use session variables to allow them access to other pages, like page 2 of the pictures, right?

requinix Posted November 27, 2019

1. Yes, if the fancy UI is important to you.

2. As with any other user authentication system, yes.

SaranacLake (Author) Posted November 27, 2019

3 minutes ago, requinix said:
> 1. Yes, if the fancy UI is important to you.
>
> 2. As with any other user authentication system, yes.

As a temporary place to store things like work holiday photos or maybe a test.php file I share with you, is there anything super dangerous about hard-coding in a password in my splash login page?

(On my real site that is still under development, I store hashed passwords in MySQL, but don't want to go that far for this site.)

requinix Posted November 27, 2019

Nah. It's not like the world will end if someone were to leak the password to 4chan or something.

SaranacLake (Author) Posted November 27, 2019

7 minutes ago, requinix said:
> Nah. It's not like the world will end if someone were to leak the password to 4chan or something.

Was that sarcasm or are you serious?

If I am not using a database, then what is the safest way to program a log in screen?

For instance, is there any benefit to using a hash if it is hard-coded in your script?

I should say that this is on my VPS, so I could at least store the hashed password in a .php file *outside* the web-root.

Will probably only leave files up for a few weeks, but do want to protect people's pictures...

requinix Posted November 27, 2019

7 minutes ago, SaranacLake said:
> Was that sarcasm or are you serious?

Not sarcasm. You only need something to share some pictures for a short while, not to secure nuclear launch codes.

7 minutes ago, SaranacLake said:
> If I am not using a database, then what is the safest way to program a log in screen?

Log in screen doesn't care if you use a database or not. All you're doing is changing how it knows whether a login is valid.

7 minutes ago, SaranacLake said:
> For instance, is there any benefit to using a hash if it is hard-coded in your script?

Given the lax security measures already being considered: no, not really. But personally I would probably still obfuscate it a little, like base 64-encoding.

7 minutes ago, SaranacLake said:
> I should say that this is on my VPS, so I could at least store the hashed password in a .php file *outside* the web-root.

Yeah, sure.

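A sketch of the login flow discussed in the thread up to this point (a hash kept in a PHP file outside the web root, checked without a database, with a session variable gating the other pages). This is an added example, not code from either poster; the file path, the `gallery_ok` session key, the page names and the `credentials_match()` helper are assumptions.

```php
<?php
// login.php: added example. The path, user name and session key are assumptions.
declare(strict_types=1);

// Hypothetical file outside the web root, containing only:
//   <?php return ['user' => 'family', 'hash' => '...output of password_hash()...'];
// Create the hash once on the command line:
//   php -r 'echo password_hash("shared password here", PASSWORD_DEFAULT), PHP_EOL;'
const CREDENTIAL_FILE = '/home/example/private/gallery_credentials.php';

function credentials_match(array $cred, string $user, string $pass): bool
{
    // Evaluate both checks before combining them, so the response time
    // does not reveal whether the user name or the password was wrong.
    $userOk = hash_equals($cred['user'], $user);
    $passOk = password_verify($pass, $cred['hash']);
    return $userOk && $passOk;
}

session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,   // assumes the site is served over HTTPS
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,
]);

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $cred = require CREDENTIAL_FILE;
    // filter_input() yields false for array-valued fields; the cast turns that into ''.
    $user = (string) filter_input(INPUT_POST, 'username');
    $pass = (string) filter_input(INPUT_POST, 'password');
    if (credentials_match($cred, $user, $pass)) {
        session_regenerate_id(true);      // fresh session ID once authenticated
        $_SESSION['gallery_ok'] = true;
        header('Location: /photos.php');
        exit;
    }
    $error = 'Wrong username or password.';
}
// Every protected page (photos.php, page 2, ...) makes the same session_start() call,
// then: if (empty($_SESSION['gallery_ok'])) { header('Location: /login.php'); exit; }
?>
<form method="post">
  <p><?= htmlspecialchars($error) ?></p>
  <input name="username" autocomplete="username">
  <input name="password" type="password" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>
```
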
SaranacLake (Author) Posted November 27, 2019

17 minutes ago, requinix said:
> Given the lax security measures already being considered: no, not really. But personally I would probably still obfuscate it a little, like base 64-encoding.

Where are the "lax security measures"?? 😕

requinix Posted November 27, 2019

31 minutes ago, SaranacLake said:
> Where are the "lax security measures"?? 😕

A hardcoded username and/or password that I assume will be shared for all people who need to get in.

SaranacLake (Author) Posted November 27, 2019

5 minutes ago, requinix said:
> A hardcoded username and/or password that I assume will be shared for all people who need to get in.

What is a better alternative?

requinix Posted November 28, 2019

21 minutes ago, SaranacLake said:
> What is a better alternative?

You know, the regular user management system? You don't have to have open registration, but emails and passwords and all that.

SaranacLake (Author) Posted November 28, 2019

9 minutes ago, requinix said:
> You know, the regular user management system? You don't have to have open registration, but emails and passwords and all that.

I could do that, but first of all, that would require that I have everyone's email addresses. (I am going to send out an email from work to our work distribution list, but I suspect people will view this from home - if they are smart they won't access my website from work!)

And as far as passwords, if I want people to set their own password then you basically have a registration system.

I know how to do that, but don't want to spend that much time coding things.

I take security very seriously, but it doesn't seem that bad to share a password with co-workers for temporary access.

Of course I wouldn't do that with a website like this or an e-commerce site, but it seems like a reasonable approach, or do you think I'm way off here?

Also, since you recommended just using .htaccess, that would be the same issue of "lax" security, right?

requinix Posted November 28, 2019

3 hours ago, SaranacLake said:
> I know how to do that, but don't want to spend that much time coding things.

...which is why we're going down the "lax security measure" path.

3 hours ago, SaranacLake said:
> Also, since you recommended just using .htaccess, that would be the same issue of "lax" security, right?

The lax security decision comes first. The .htaccess method is a way of implementing it.