Jump to content
SaranacLake

Creating a private site

Recommended Posts

Hi everyone.  Getting my head back into PHP after a long time away, so pardon the newbie question!

I would like to create a simple website that is private to me and a few select people.  The intention is to be able to share pictures or files.  (Sort of my like my own personal dropbox.)

Looking to put up some Holiday photos, so this needs to be a quick endeavor.

I was thinking of creating a php page that is a log in page.  No database, but f the user enters the correct username and password then I could reveal photos or maybe links to other pages.

How does that sound?

I have done .htaccess files in the past, but they sorta look crude and might scare non-technical people away.

Thoughts?

 

Share this post


Link to post
Share on other sites

Do you have the rest of it built out? Because if not then I would suggest using one of the millions of existing services to do this.

But an .htaccess with a username and password is a really quick way to do this. They go to the site, the browser pops up a little window asking for a username and password, they enter it, and they get in. And the browser can remember it like the login for any other website.

Share this post


Link to post
Share on other sites
49 minutes ago, requinix said:

Do you have the rest of it built out? Because if not then I would suggest using one of the millions of existing services to do this.

But an .htaccess with a username and password is a really quick way to do this. They go to the site, the browser pops up a little window asking for a username and password, they enter it, and they get in. And the browser can remember it like the login for any other website.

I don't have anything currently.  Just wanted to throw up an anonymous site where I can share things like work photos for a temporary period.  (This is since I have a webserver I pay for every month and never use for anything!)

Your suggestion is probably the easiest, but to be devils advocate...

1.) There is no reason I couldn't create a basic log in screen WITHOUT a database, right?  Just have my PHP check a hard-coded hash (or password) and if it's correct, the page loads.

2.) In that scenario, once logged in, I could use session variables to allow them access to other pages, like page 2 of the pictures, right?

 

Share this post


Link to post
Share on other sites

1. Yes, if the fancy UI is important to you.

2. As with any other user authentication system, yes.

Share this post


Link to post
Share on other sites
3 minutes ago, requinix said:

1. Yes, if the fancy UI is important to you.

2. As with any other user authentication system, yes.

As a temporary place to store things like work holiday photos or maybe a test.php fle I share with you, is there anything super dangerous about hard-coding in a password in my splash login page?

(On my real site that is still under development, I store hashed passwords in MySQL, but don't want to go that far for this site.)

Share this post


Link to post
Share on other sites

Nah. It's not like the world will end if someone were to leak the password to 4chan or something.

Share this post


Link to post
Share on other sites
7 minutes ago, requinix said:

Nah. It's not like the world will end if someone were to leak the password to 4chan or something.

Was that sarcasm or are you serious?

If I am not using a database, then what is the safest way to program a log in screen?

For instance, is there any benefit to using a hash if it is hard-coded in your script?

I should say that this is on my VPS, so I could at least store the hashed password in a .php file *outside* the web-root.

Will probably only leave files up for a few weeks, but do want to protect people's pictures...

Share this post


Link to post
Share on other sites
7 minutes ago, SaranacLake said:

Was that sarcasm or are you serious?

Not sarcasm. You only need something to share some pictures for a short while, not to secure nuclear launch codes.

7 minutes ago, SaranacLake said:

If I am not using a database, then what is the safest way to program a log in screen?

Log in screen doesn't care if you use a database or not. All you're doing is changing how it knows whether a login is valid.

7 minutes ago, SaranacLake said:

For instance, is there any benefit to using a hash if it is hard-coded in your script?

Given the lax security measures already being considered: no, not really. But personally I would probably still obfuscate it a little, like base 64-encoding.

7 minutes ago, SaranacLake said:

I should say that this is on my VPS, so I could at least store the hashed password in a .php file *outside* the web-root.

Yeah, sure.

Share this post


Link to post
Share on other sites
17 minutes ago, requinix said:

Given the lax security measures already being considered: no, not really. But personally I would probably still obfuscate it a little, like base 64-encoding.

 

Where are the "lax security measure"??  😕

Share this post


Link to post
Share on other sites
31 minutes ago, SaranacLake said:

Where are the "lax security measure"??  😕

A hardcoded username and/or password that I assume will be shared for all people who need to get in.

Share this post


Link to post
Share on other sites
5 minutes ago, requinix said:

A hardcoded username and/or password that I assume will be shared for all people who need to get in.

What is a better alternative?

 

Share this post


Link to post
Share on other sites
21 minutes ago, SaranacLake said:

What is a better alternative?

You know, the regular user management system? You don't have to have open registration, but emails and passwords and all that.

Share this post


Link to post
Share on other sites
9 minutes ago, requinix said:

You know, the regular user management system? You don't have to have open registration, but emails and passwords and all that.

I could do that, but first of all, that would require that I have everyone's email addresses.  (I am going to send out an email from work to our work distribution list, but I suspect people will view this from home - if they are smart they won't access my website from work!)  And as far as passwords, if I want people to set their own password then you basically have a registration system.  I know how to do that, but don't want to spend that much time coding things.

I take security very seriously, but it doesn't seem that bad to share a password with co-workers for temporary access.  Of course I wouldn't do that with a website like this or an e-commerce site, but it seems like a reasonable approach, or do you think I'm way off here?

Also, since you recommended just using .htaccess, that would be the same issue of "lax" security, right?

 

Share this post


Link to post
Share on other sites
3 hours ago, SaranacLake said:

I know how to do that, but don't want to spend that much time coding things.

...which is why we're going down the "lax security measure" path.

3 hours ago, SaranacLake said:

Also, since you recommended just using .htaccess, that would be the same issue of "lax" security, right?

The lax security decision comes first. The .htaccess method is a way of implementing it.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.