Howdy, long time PHP supporter, first time caller:

All right, I'm using some funky javascripting to password-protect some low-level sensitive sites. As is, users click on a link and are prompted with a pop-up box asking for a password. Instead of this action, I would like to have a field embedded right into a PHP webpage so that users can just type in the password and click "login!" without messing with the popup box at all. I've done this using forms, but not with javascript. Below is the portion of the script that currently activates the prompt:

[code]function askPW() {
    var password = prompt('Please enter your password:');
    if (password == parent.blank.pw) {
        setCookie("pubeconet", password);
        document.location.href = "homepage.html";
    } else {
        document.location.href = "pw_required.html";
    }
}[/code]

I know there has to be a simple solution, and recognizing that I learn better by example, can anyone give me a suggestion? Thank you in advance!
If it's only one pass for all, you can have something like this:

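[code]<?php
// Read the submitted password (empty string if the form field is missing)
$pass = isset($_POST['password']) ? $_POST['password'] : '';
if ($pass === "password") { // change password to whatever you want
    header("Location: homepage.html");
    exit;
} else {
    header("Location: pw_required.html");
    exit;
}
?>
[/code]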
But if you want a lot of passwords, use tables.

Orio.
Wow, I'm not used to asking questions in forums like this, thanks for the quick response!

I think that I do indeed want to use the method you describe, however not in its exact scripty form. The password protection that I'm using is based on the good doctor's code (http://www.ddj.com/184412419), in which he uses various tricks to make everything a tad more secure. Anyways, instead of checking the user's input against a password that's hard coded into the same page that the form is on, my script checks the user's input against the password in another page, "blank.html", which you can see referred to in my original post, and which has the following code, in which "xxx" is the password:

[code]<script language="javascript">
var pw = "xxx";
// If this page is loaded on its own (outside the frameset), send the visitor away
if (parent.location.href == window.location.href) {
    window.location.href = "pw_required.html";
}
</script>

<body bgcolor="#ffffff" onLoad='javascript:parent.body.location.href="homepage.html"'>[/code]

I hope I've made my intentions clear enough... thank you again Orio
Why javascript? It is not secure to password protect a page with javascript, as it is easy to bypass the password login by simply disabling javascript.

With PHP it is much more secure, as the password cannot be seen by anyone.
[quote]QUOTE(wildteen88 @ Apr 28 2006, 10:51 AM)
Why javascript? It is not secure to password protect a page with javascript, as it is easy to bypass the password login by simply disabling javascript.

With PHP it is much more secure, as the password cannot be seen by anyone.
[/quote]

I knew this question was going to come up at some point.

Do you have any specific suggestions? I started out using .htaccess, and really, really liked it, but it gave some users trouble so I abandoned it. I'm working on a CMS and it has a "members only section", which has, as the name implies, multiple pages within it.

With the code I am using, if the user disabled javascript, then he/she is redirected to an "access denied" page. If the user tries to type in the URL to a page PAST the login page, then he/she is redirected to an "access denied" screen.

I ultimately chose this particular script because I understand it, and it's easy to use it to protect multiple pages by simply adding 2 lines between the head tags.

Right now I am the most worried about it being 100%, or at least 99.9999% usable by everyone without problems. Oh, and I'm not really interested in adding yet another table to my database for this cause...
When you code in PHP no one can see your source, so if you have a page set for the password like so:

password.php:
[code]<?php

$pass = "blahblah";

?>[/code]

Then for each of your password protected pages:

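[code]<?php

include("password.php");  // adds the variable to your page; this way, if you change the password, it's only the one file

// Compare what the visitor submitted with the stored password
$submitted = isset($_POST['password']) ? $_POST['password'] : '';

if ($submitted !== $pass) {

    // redirection: send the visitor away and stop the script
    header("Location: pw_required.html");
    exit;

  } else {

    // rest of your page that is pass protected...

  }

?>[/code]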
Thank you very much Twentyoneth, I played with your code a lot, and it then led me in a whole bunch of different directions. Ultimately, I've come up with this little nugget using sessions. If I simply include this into all of the pages I want to protect, they'll be protected.

Anyone see anything wrong with this code? It sure seems to work pretty well.

[code]<?php
session_start();

// Only compare when both fields were actually submitted
if (isset($_POST['username'], $_POST['password']) and
     $_POST['username'] === 'XXX' and
     $_POST['password'] === 'YYY')
   $_SESSION['authorized'] = true;
?>
<?php if (empty($_SESSION['authorized'])): ?>
     <!-- PHP_SELF is escaped because it contains visitor-controlled path text -->
     <form action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>" method="POST">
       <p>Username: <input type="text" name="username" /><br />
          Password: <input type="password" name="password" /><br />
          <input type="submit" /></p>
     </form>
<?php else: ?>
<!-- Super-secret HTML content goes here -->
<?php endif; ?>[/code]

Now I just need to perfect a "logout" button for it... Which I'm not excited about because of my dealings with trying to simply expire cookies... which have left mental scars...
Your code is a bit edgy if you ask me, harder to read and sift through, although I am a newb.

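[code]<?php
session_start();

// Logical && (not bitwise &), and only when both fields were submitted
if (isset($_POST['username'], $_POST['password'])
    && $_POST['username'] === 'XXX' && $_POST['password'] === 'YYY') {
   $_SESSION['authorized'] = true;
  }
?>
<?php if (empty($_SESSION['authorized'])): ?>
     <!-- PHP_SELF is escaped because it contains visitor-controlled path text -->
     <form action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>" method="POST">
       <p>Username: <input type="text" name="username" /><br />
          Password: <input type="password" name="password" /><br />
          <input type="submit" />
       </p>
     </form>
<?php else: ?>
<!-- Super-secret HTML content goes here -->
<?php endif; ?>[/code]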

But, to log out, you could add this tidbit:

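[code]<?php
session_start();

if (isset($_POST['logout'])) {
   // clear the session: empty the data, then destroy it on the server
   $_SESSION = array();
   session_destroy();
  }
// Logical && (not bitwise &), and only when both fields were submitted
if (isset($_POST['username'], $_POST['password'])
    && $_POST['username'] === 'XXX' && $_POST['password'] === 'YYY') {
   $_SESSION['authorized'] = true;
  }
?>
<?php if (empty($_SESSION['authorized'])): ?>
     <!-- PHP_SELF is escaped because it contains visitor-controlled path text -->
     <form action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>" method="POST">
       <p>Username: <input type="text" name="username" /><br />
          Password: <input type="password" name="password" /><br />
          <input type="submit" value="submit" name="submit" />
       </p>
     </form>
<?php else: ?>
     <form action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>" method="POST">
       <input type="submit" value="logout" name="logout" />
     </form>
<!-- Super-secret HTML content goes here -->
<?php endif; ?>[/code]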
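
The session approach the thread arrives at, written as a single include file; this is an added example and not code from any post in the thread. The file name `auth_guard.php`, the constants, the function names and the demo credentials are assumptions made for illustration. It stores a password hash instead of the plaintext, issues a new session ID at login, and expires the session cookie on logout.

```php
<?php
// auth_guard.php: hypothetical include file (added example, not code from the thread).
// Assumption: each protected page starts with  require 'auth_guard.php';

// Constructed demo credentials. In practice run password_hash() once and store
// only the resulting hash string, so the plaintext never sits on the server.
define('AUTH_USER', 'member');
define('AUTH_HASH', password_hash('constructed-demo-password', PASSWORD_DEFAULT));

session_start();

function auth_check_login(string $user, string $pass): bool
{
    // hash_equals() and password_verify() are both timing-safe comparisons.
    $userOk = hash_equals(AUTH_USER, $user);
    $passOk = password_verify($pass, AUTH_HASH);
    return $userOk && $passOk;
}

function auth_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie using the same parameters it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (isset($_POST['logout'])) {
    auth_logout();
} elseif (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])
    && auth_check_login($_POST['username'], $_POST['password'])) {
    session_regenerate_id(true); // new session ID on login, against session fixation
    $_SESSION['authorized'] = true;
}

if (empty($_SESSION['authorized'])) {
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    echo '<form action="' . $self . '" method="POST"><p>'
       . 'Username: <input type="text" name="username" /><br />'
       . 'Password: <input type="password" name="password" /><br />'
       . '<input type="submit" value="Login" /></p></form>';
    exit; // nothing below the require line is sent to an unauthenticated visitor
}
```

A protected page that wants a logout button posts a field named `logout` back to itself, as in the form in the post above.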