Solved

Password protect several html pages with php. User needs password only the first time.

Posted on 2009-07-10
Last Modified: 2013-12-25
I'm whatever comes before newbie in PHP, but I need to protect 3 pages on a site in such a way that the user only needs to input the correct password once and thereafter can access the protected page without the password. JavaScript protection is easy, but of course anyone who knows how to look at the source code can find the password immediately.

It doesn't matter if I do it as a login from the homepage with username and password that then makes the 3 pages viewable, or as a pop-up password prompt upon a user's attempt to access one of the pages. I don't think I need to use a database at the moment because it will be the same username and password for everyone.

But I would like it so that the user doesn't have to keep entering the password every time he wants to access a protected page.

In an ideal world the solution will consist of one simple php script and a few lines in the html page to activate that script.

I really need to have done this yesterday, so I'm hoping that there's someone who can get me squared away this afternoon.

Thanks!

John



Question by:gabrielPennyback
14 Comments
 
LVL 5

Expert Comment

by:dvz-
ID: 24828216
Here's a very basic/simple solution; assumes you have: login.php as your gateway to the other protected pages.
#login.php
<?php 
  session_start();
 
  //set login variables
  $user = 'randomuser';
  $pass = '123asd';
 
  //check to see if form was submitted
  if(isset($_POST['submit'], $_POST['user'], $_POST['pass'])) {
    //check to see if user and password match (=== avoids PHP's loose comparison)
    if ($_POST['user'] === $user && $_POST['pass'] === $pass) {
      //issue a fresh session id on login, then initialize session
      session_regenerate_id(true);
      $_SESSION['allow'] = 'true';
    }
  }
      
  //if session exists, send to content page1.php
  if(isset($_SESSION['allow'])) {
    header ( 'Location: http://www.yoursite.com/page1.php' );
    exit; //stop here so nothing else is sent after the redirect
  }
  //continue printing login form
?>
<html>
<head>
</head>
<body>
 
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="post">
<input type="text" name="user"/>
<input type="password" name="pass"/>
<input type="submit" name="submit"/>
</form>
 
</body>
</html>
 
  
#top of other pages
<?php
  //this check only runs if the page is served as PHP (by default a .php file, not .html)
  session_start();
  //if session doesn't exist, redirect to login
  if(!isset($_SESSION['allow'])) {
    header ( 'Location: http://www.yoursite.com/login.php' );
    exit; //without this the rest of the protected page is still sent
  }
  //page info follows
?>

0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24828361
This looks great. My hope was that I could do it from my index.html.  If I can't do it from an index.html, can I then save my index.html  - as is more or less - as index.php? Or does it work so that when I click on a button - say "gallery" - on my homepage, it then brings  up the login.php?
Perhaps it will help you to advise me if you take a look at my site: http://livinatlevel5.us. Can I drive this script from my login on the top of the page?

Also where in the script do I name the pages that are to be protected, leaving other pages, if any, to be freely accessed?

Thanks!

John



0
 
LVL 5

Accepted Solution

by:
dvz- earned 2000 total points
ID: 24829034
John,

Sure...in that case...you would take the login form and have its action="login.php".

Hope this helps
#index.html
<html>
<head>
</head>
<body>
 
<form action="login.php" method="post">
<input type="text" name="user"/>
<input type="password" name="pass"/>
<input type="submit" name="submit"/>
</form>
 
</body>
</html>
 
#login.php
<?php 
  session_start();
 
  //set login variables
  $user = 'randomuser';
  $pass = '123asd';
 
  //check to see if form was submitted
  if(isset($_POST['submit'], $_POST['user'], $_POST['pass'])) {
    //check to see if user and password match (=== avoids PHP's loose comparison)
    if ($_POST['user'] === $user && $_POST['pass'] === $pass) {
      //issue a fresh session id on login, then initialize session
      session_regenerate_id(true);
      $_SESSION['allow'] = 'true';
    }
  }
      
  //if session exists, send to content page1.php
  if(isset($_SESSION['allow'])) {
    header ( 'Location: http://www.yoursite.com/page1.php' );
    exit; //stop here so nothing else is sent after the redirect
  }
  else {
    header ( 'Location: http://www.yoursite.com/index.html' );
    exit;
  }
?>

0
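An added example, not code from anyone in this thread: the session check above only runs inside pages that the server executes as PHP, so a plain .html page stays reachable by its URL. One way to keep the pages as .html is a single gate script that holds the list of protected pages and sends each file only after the session check. The script name gate.php, the ../private folder, the page names and the hash placeholder are assumptions.

```php
<?php
// gate.php (hypothetical name): logs the visitor in once per browser session
// and serves the protected pages itself, so the .html files need no PHP.
session_start();

// Assumption: hash created once with
//   php -r 'echo password_hash("the shared password", PASSWORD_DEFAULT), "\n";'
$passwordHash = 'PASTE_GENERATED_HASH_HERE'; // placeholder, never the plain password

// Allow-list naming the protected pages; everything else on the site stays public.
// Assumption: the files sit in ../private, outside the document root, so
// they have no URL of their own and can only be reached through this script.
$privateDir = __DIR__ . '/../private/';
$pages = array(
    'events'  => 'events.html',
    'gallery' => 'gallery.html',   // constructed names for illustration
);

$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : '';
if (!array_key_exists($page, $pages)) {
    http_response_code(404);
    exit('No such page.');
}

// Handle a submitted password.
if (isset($_POST['pass']) && is_string($_POST['pass'])
    && password_verify($_POST['pass'], $passwordHash)) {
    session_regenerate_id(true);   // new session id once the visitor is trusted
    $_SESSION['allow'] = true;
}

if (empty($_SESSION['allow'])) {
    // Not logged in: print the form and stop, so no protected content is sent.
    $action = htmlspecialchars('gate.php?page=' . urlencode($page), ENT_QUOTES);
    exit('<form action="' . $action . '" method="post">'
       . 'Password: <input type="password" name="pass"/>'
       . '<input type="submit" value="Log in"/></form>');
}

// Logged in: the file name comes from the allow-list, never from the request,
// so the page parameter cannot point at any other file on the server.
header('Content-Type: text/html; charset=utf-8');
readfile($privateDir . $pages[$page]);
```

Links on the public pages would then point at gate.php?page=events rather than at events.html.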
LVL 2

Expert Comment

by:abijelic
ID: 24830464
You can try as well, if you have Apache as a web server, to create a .htaccess file.

You create a txt file which you call .htaccess and place it into the directory you would like to protect
AuthType Basic
AuthName "Password Required"
AuthUserFile /absolute/path/to/the/password/file
# without a Require line Apache does not enforce the login
Require valid-user

Then use the htpasswd command from shell to create user and password and that is all
# -c creates the password file; leave it out when adding more users later
htpasswd -c /absolute/path/to/the/password/file   username

That is the quickest and the easiest way... of course if your server is Apache and supports .htaccess
0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24832093
dvz, please forgive my denseness but here are 3 pages that I deduce I should have:

1) PwdTest.html
2) login.php
3) sorry.html (the page I want to display if the username and/or password are wrong.)

What happens is that whether my username and password are right, wrong, or missing, clicking on submit takes me to the page I'm trying to protect. In this case, "http://...events.html"

a) are my codes correct?
b) must the error page be a php Page?
c) or is there something else I'm doing wrong?

Help!

John




PWDTEST.HTML:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Password Test</title></head>
<body>
 
<form action="login.php" method="post">
<input type="text" name="user"/>
<input type="text" name="pass"/>
<input type="submit" name="submit"/>
</form>
 
</body>
</html>
 
LOGIN.PHP
<?php 
  session_start();
 
  //set login variables
  $user = 'user';
  $pass = 'pass';
 
  //check to see if form was submitted
  if(isset($_POST['submit'])) {
    //check to see if user and or password match
    if ($_POST['user'] == $user && $_POST['pass'] == $pass) {
      //initialize session
      $_SESSION['allow'] = 'true';
    }
  }
      
  //if session exists, send to content page1.php
  if(isset($_SESSION['allow'])) {
    header ( 'Location: http://www.livinatlevel5.us/events.html' );
  }
  else {
    header ( 'Location: http://www.livinatlevel5.us/sorry.html' );
  }
?>
 
SORRY.HTML:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
 
<body>
 
Sorry. You need a password to view the contents of the requested page.
</body>
</html>

0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24832119
abijelic, I could switch this site over to my apache server, but you're going way too fast for me. I have a

1) What is the entire content of the .htaccess file? Is it this:
AuthType Basic
AuthName "Password Required"
AuthUserFile /absolute/path/to/the/password/file

2) is it in fact named .htaccess? Nothing before the dot?

3) <<< Then use the htpasswd command from shell to create user and password  >>>
what do you mean "shell"? Is shell a file? is "htpasswd command" a piece of code in that file? ???

4) <<< htpasswd  /absolute/path/to/the/password/file   username  >>>  Is this the "htpasswd command"?

Please don't send me a link to a tutorial, because from my past experience I can rarely learn anything from a tutorial unless I already know how the thing works.

Please be as patient and as detailed as you can be with me.

Thanks,
John



0
 
LVL 5

Expert Comment

by:dvz-
ID: 24832177
John,

I know you asked for no tutorial - but I found a snippet that explains each line fairly well. I'll paste that in a second.

1)  Yes.  That is sufficient for a basic .htaccess file.

2)  .htaccess  -  (dot)htaccess  is correct.  the (dot) as the first character symbolizes a hidden file in the linux/unix file system.

3)  Shell is a "terminal" where you interact with the system.  Think something similar to command prompt on windows.  You type commands and interact with the system via -command line interface-.

4) In a "shell" or "terminal" with apache installed, you would typically type:

htpasswd /absolute/path/to/file username

to call the command "htpasswd" passing the arguments "/absolute/path/to/file" and "username", allowing htpasswd to work its magic.

now if your server isn't apache based as it is, don't fret - you can use the php script and it'll work as well.  But typically there is a cost from switching from Windows based to Linux based, as far as I know.  If it's free and you don't need the services offered from windows, i.e. ASP.NET, etc, then the .htaccess method is the simplest route once you get familiar with it.


Now here's the link I found about .htaccess on other webservers.  Has a decent explanation.  But jump down to The Password .htaccess File heading.

http://www.wiscocomputing.com/articles/using_htaccess.htm
0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24832439
This is great help, dvz. (BTW, since my most recent post, I've actually been forcing myself to learn a little php from the ground up at w3schools and I have actually learned some stuff in the last 15 minutes, so good for me!)

Right now I have my files on my Windows server, so I'm glad to hear that I can continue there.
The cobwebs are starting to clear but I still need to understand more. Where on my windows server would the shell into which I type my commands be located?  To bring up the command prompt window in Vista, I just type "command prompt" in the search box and it comes up. How do I bring up the shell on my server? From what little research I've done I gather that the shell can be a perl script (about which I know nothing yet) or even a php file. Is that correct?

I'm going to research some more while I'm waiting for your next answer.

Thanks!

John
0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24832489
As for the .htaccess file, I copied the 3 lines into notepad, saved it as .htaccess.txt, and uploaded it to the root folder of my site.  Is that the correct name or should it just be   htaccess ?

John
0
 
LVL 5

Expert Comment

by:dvz-
ID: 24833355
John.

just name it ".htaccess".  "htaccess" is the file extension.

As for the implementing it...here's a really good read that walks you through it, with images that help depict what's going on.

http://sniptools.com/vault/windows-apache-and-htaccess-authentication

Hope this helps!
0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24845824
Okay I've got shell up and running on my remote linux apache server. I took a look at the link but I'm definitely going to need some help with the tutorial.

For example, if the root folder of my site is <<< http://discretedata.com/htdocs  >>>   and the folder i want to protect is named "secure" , then would the path be: http://discretedata.com/apache/htdocs/secure  OR just http://discretedata.com/htdocs/secure?  Or would the slashes be back slashes?

Next, where would I find or how would I create my "httpd.conf" file?  And what should it say?

And is this the right tree to be barking up? putting the private folders in their own protected folder? I can do that as it is already, but I want to do it in such a way that the user doesn't have to re-enter his login every time he leaves and returns to one of those pages.

If you can straighten me out on these things, I'd like to award you the points for this question, and carry on with a new question.

Thanks,
John
0
 
LVL 5

Expert Comment

by:dvz-
ID: 24845943
first I'll answer the last question.  htaccess should require the user to enter the password/username when a new instance of the site is started...requiring login only when the user tries accessing the files the first time that browser session.

now I'm going to assume that you have full access to this server.  If you don't, feel free to correct this line of thinking and I will try to accommodate.

httpd.conf is typically created in /etc/apache/ or /etc/apache2/
to get there in shell:  cd /etc/apache2

as for your secure folder...that depends on where the DocumentRoot of your website is located in.  One way to find this out is to create a little php file and upload it to the folder you want to secure; then run it.  It should tell you something like...

/var/www/example.com/htdocs/secure

or something.  that line above (whatever it returns) is your ABSOLUTE path.

<?php echo $_SERVER['DOCUMENT_ROOT']; ?>

0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24851159
Hi dvz, I'm having too much difficulty with shell, so let me award you points for this and then I will re-ask the question in different terms. What I've learned from talking to my host is that I can accomplish my goal with php only so I'm going to go that route and see how far I get.

Thanks,  

John
0
 
LVL 1

Author Closing Comment

by:gabrielPennyback
ID: 31602307
Thanks again
- John
0
