mfaerber Posted April 28, 2006 Share Posted April 28, 2006 Howdy, long time PHP supporter, first time caller:Allright, I'm using some funky javascripting to password-protect some low-level senstive sites. As is, users click on a link and are prompted with a pop-up box asking for a password. Instead of this action, I would like to have a field embedded right into a PHP webpage so that users can just type in the password and click "login!" without messing with the popup box at all. I've done this using forms, but not with javascript. Below is the portion of the script that currently activates the prompt:[!--coloro:#006600--][span style=\"color:#006600\"][!--/coloro--][code]function askPW() {var password = prompt('Please enter your password:');if (password == parent.blank.pw) {setCookie("pubeconet",password); document.location.href="homepage.html"; } else { document.location.href="pw_required.html"; } }[/code][!--colorc--][/span][!--/colorc--]I know there has to be a simple solution, and recognizing that I learn better by example, can anyone give me a suggestion? Thank you in advance! Quote Link to comment Share on other sites More sharing options...
Orio Posted April 28, 2006 Share Posted April 28, 2006 If its only one pass for all, you can have something like this:[code]<?php$pass=$_POST['password'];if($pass=="password"){ //change password to what ever you wantheader("Location: homepage.html"); exit;}else{header("Location: pw_required.html"); exit;};?>[/code]But if you want alot of passwords, use tables.Orio. Quote Link to comment Share on other sites More sharing options...
mfaerber Posted April 28, 2006 Author Share Posted April 28, 2006 Wow, I'm not used to asking questions in forums like this, thanks for the quick response!I think that I do indeed want to use the method you describe, however not in it's exact scripty form. The password protection that I'm using is based on the good doctors code ([a href=\"http://www.ddj.com/184412419\" target=\"_blank\"]http://www.ddj.com/184412419[/a]), in which, he using various tricks to make everything a tad more secure. Anyways, instead of checking the users input against a password that's hard coded into the same page that the form is on, my script checks the users input against the password in another page, "blank.html", of which you can see it referred to in my original post, and which has the following code, in which "xxx" is the password:[code]<script language="javascript">var pw = "xxx";if (parent.location.href==window.location.href) { window.location.href="pw_required.html" }</script><body><body bgcolor="#ffffff" onLoad='javascript:parent.body.location.href="homepage.html"'>[/code]I hope I've made my intentions clear enough... thank you again Orio Quote Link to comment Share on other sites More sharing options...
wildteen88 Posted April 28, 2006 Share Posted April 28, 2006 Why javascript? It is not secure to password protect a page with javascript as it is easy to bypass the password login, but simply disabling javascript.With PHP is much more secure as the password cannot be seen by anyone. Quote Link to comment Share on other sites More sharing options...
mfaerber Posted April 28, 2006 Author Share Posted April 28, 2006 [!--quoteo(post=369605:date=Apr 28 2006, 10:51 AM:name=wildteen88)--][div class=\'quotetop\']QUOTE(wildteen88 @ Apr 28 2006, 10:51 AM) [snapback]369605[/snapback][/div][div class=\'quotemain\'][!--quotec--]Why javascript? It is not secure to password protect a page with javascript as it is easy to bypass the password login, but simply disabling javascript.With PHP is much more secure as the password cannot be seen by anyone.[/quote]I knew this question was going to come up at some point.Do you have any specific suggestions? I started out using .htaccess, and really, really liked it, but it gave some users trouble so I abandoned it. I'm working on a CMS and it has a "members only section", which has, as the name implies, multiple pages within in it.With the code I am using, if the user disabled javascript, then he/she is redirected an "access denied" page. If the user tries to type in the URL to a page PAST the login page, then he/she is redirected to an "access denied" screen.I ultimately chose this particular script because I understand it, and it's easy to use it to protect multiple pages by simply adding 2 lines between the head tags.Right now I am the most worried about it being 100%, or at least 99.9999% usable by everyone without problems. Oh, and I'm note really interested in adding yet another table to my database for this cause... Quote Link to comment Share on other sites More sharing options...
Twentyoneth Posted April 29, 2006 Share Posted April 29, 2006 When you code in PHP no one can see your source, so if you have a page set for the password like so:password.php:[code]<?php$pass = "blahblah";?>[/code]Then for each of your password protected pages:[code]<?phpinclude("password.php"); \\adds the variable to your page, this way if you change the password, its only the one fileif($pass !== "blahblah") {redirection crap.... } else {rest of your page that is pass protected... }?>[/code] Quote Link to comment Share on other sites More sharing options...
mfaerber Posted April 29, 2006 Author Share Posted April 29, 2006 Thank you very much Twentyoneth, I played with your code a lot, and then led me in a whole bunch of different directions. Ultimately, I've come up with this little nugget using sessions. If I simply include this into all of the pages I want to protect, they'll be protected.Anyone see anything wrong with this code? It sure seems to work pretty well.[code]<?php session_start(); if ($_POST['username'] == 'XXX' and $_POST['password'] == 'YYY') $_SESSION['authorized'] = true; ?> <?php if (!$_SESSION['authorized']): ?> <form action="<?=$_SERVER['PHP_SELF']?>" method="POST"> <p>Username: <input type="text" name="username" /><br /> Password: <input type="password" name="password" /><br /> <input type="submit" /></p> </form><?php else: ?> <!-- Super-secret HTML content goes here --><?php endif; ?>[/code]Now I just need to perfect a "logout" button for it... Which I'm not excited about because of my dealings with trying to simply expire cookies... which have left mental scars... Quote Link to comment Share on other sites More sharing options...
Twentyoneth Posted April 29, 2006 Share Posted April 29, 2006 Your code is a bit edgy if you ask me, more hard to read and sift through, although I am a newb.[code]<?phpsession_start();if($_POST['username'] == 'XXX' & $_POST['password'] == 'YYY') { $_SESSION['authorized'] = true; }<?php if(!$_SESSION['authorized']): ?> <form action="<?=$_SERVER['PHP_SELF']?>" method="POST"> <p>Username: <input type="text" name="username" /><br /> Password: <input type="password" name="password" /><br /> <input type="submit" /> </p> </form><?php else: ?><!-- Super-secret HTML content goes here --><?php endif; ?>[/code]But, to log out, you could add this tid bit:[code]<?phpsession_start();if($_POST['logout']) { clear 'session' code... }if($_POST['username'] == 'XXX' & $_POST['password'] == 'YYY') { $_SESSION['authorized'] = true; }<?php if(!$_SESSION['authorized']): ?> <form action="<?=$_SERVER['PHP_SELF']?>" method="POST"> <p>Username: <input type="text" name="username" /><br /> Password: <input type="password" name="password" /><br /> <input type="submit" value="submit" name="submit" /> </p> </form><?php else: ?> <form action="<?=$_SERVER['PHP_SELF']?>" method="POST"> <input type="submit" value="logout" name="logout" /> </form><!-- Super-secret HTML content goes here --><?php endif; ?>[/code] Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.