Solved

Password protect several html pages with php. User needs password only the first time.

Posted on 2009-07-10
Last Modified: 2013-12-25
I'm whatever comes before newbie in php, but I need to protect 3 pages on a site in such a way that the user only needs to input the correct password once and thereafter can access the protected page without the password.  JavaScript protection is easy but of course anyone who knows how to look at the source code can find the password immediately.

It doesn't matter if I do it as a login from the homepage with username and password that then makes the 3 pages viewable, or as a pop-up password prompt upon a user's attempt to access one of the pages. I don't think I need to use a database at the moment because it will be the same username and password for everyone.

But I would like it so that the user doesn't have to keep entering the password every time he wants to access a protected page.

In an ideal world the solution will consist of one simple php script and a few lines in the html page to activate that script.

I really need to have done this yesterday, so I'm hoping that there's someone who can get me squared away this afternoon.

Thanks!

John



0
Question by:gabrielPennyback
 
LVL 5

Expert Comment

by:dvz-
ID: 24828216
Here's a very basic/simple solution;  assumes  you have:  login.php as your gateway to the other protected pages.
#login.php
<?php
  session_start();

  //set login variables
  $user = 'randomuser';
  $pass = '123asd';

  //check to see if form was submitted
  if (isset($_POST['submit'], $_POST['user'], $_POST['pass'])) {
    //check to see if user and password match (strict comparison)
    if ($_POST['user'] === $user && $_POST['pass'] === $pass) {
      //initialize session
      $_SESSION['allow'] = 'true';
    }
  }

  //if session exists, send to content page1.php
  if (isset($_SESSION['allow'])) {
    header('Location: http://www.yoursite.com/page1.php');
    exit; //stop here so nothing else is sent after the redirect
  }
  //continue printing login form
?>
<html>
<head>
</head>
<body>

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<input type="text" name="user"/>
<input type="password" name="pass"/>
<input type="submit" name="submit"/>
</form>

</body>
</html>

#top of other pages
<?php
  session_start();
  //if session doesn't exist, redirect to login
  if (!isset($_SESSION['allow'])) {
    header('Location: http://www.yoursite.com/login.php');
    exit; //without this the protected content below is still sent
  }
  //page info follows
?>

0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24828361
This looks great. My hope was that I could do it from my index.html.  If I can't do it from an index.html, can I then save my index.html  - as is more or less - as index.php? Or does it work so that when I click on a button - say "gallery" - on my homepage, it then brings  up the login.php?
Perhaps it will help you to advise me if you take a look at my site: http://livinatlevel5.us. Can I drive this script from my login on the top of the page?

Also where in the script do I name the pages that are to be protected, leaving other pages, if any, to be freely accessed?

Thanks!

John



0
 
LVL 5

Accepted Solution

by:
dvz- earned 500 total points
ID: 24829034
john

Sure...in that case...you would take the login form and have its action="login.php".

Hope this helps
#index.html
<html>
<head>
</head>
<body>

<form action="login.php" method="post">
<input type="text" name="user"/>
<input type="password" name="pass"/>
<input type="submit" name="submit"/>
</form>

</body>
</html>

#login.php
<?php
  session_start();

  //set login variables
  $user = 'randomuser';
  $pass = '123asd';

  //check to see if form was submitted
  if (isset($_POST['submit'], $_POST['user'], $_POST['pass'])) {
    //check to see if user and password match (strict comparison)
    if ($_POST['user'] === $user && $_POST['pass'] === $pass) {
      //initialize session
      $_SESSION['allow'] = 'true';
    }
  }

  //if session exists, send to content page1.php
  if (isset($_SESSION['allow'])) {
    header('Location: http://www.yoursite.com/page1.php');
  }
  else {
    header('Location: http://www.yoursite.com/index.html');
  }
  exit; //nothing else to send after the redirect
?>

0
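A hardened variant of the session check from the answer above, as an added example (not code from the original thread): it stores a password hash instead of the plain password, issues a new session ID on login, clears a stale login on a failed attempt, and stops the script after the redirect. The file name auth.php, the function names and the placeholder hash are assumptions, the cookie options need PHP 7.3 or later, and the guard only runs on pages the server actually passes through PHP, which by default means .php files rather than .html.

```php
<?php
// auth.php: added example; function names and the placeholder hash are assumptions.
// Protected page, first statement:  require __DIR__ . '/auth.php'; require_login();
// login.php, on POST:  login($_POST['user'] ?? null, $_POST['pass'] ?? null)

const AUTH_USER = 'randomuser';
// Placeholder, not a real hash: php -r 'echo password_hash("your password", PASSWORD_DEFAULT);'
const AUTH_HASH = '$2y$10$REPLACE_WITH_YOUR_OWN_HASH';

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

function check_credentials($user, $pass): bool {
    if (!is_string($user) || !is_string($pass)) {
        return false; // missing field, or an array such as user[]=x
    }
    $userOk = hash_equals(AUTH_USER, $user);
    $passOk = password_verify($pass, AUTH_HASH); // always evaluated
    return $userOk && $passOk;
}

function login($user, $pass): bool {
    start_session();
    if (!check_credentials($user, $pass)) {
        unset($_SESSION['allow']); // a failed attempt must not ride on an older login
        return false;
    }
    session_regenerate_id(true);   // fresh session ID after login (session fixation)
    $_SESSION['allow'] = true;
    return true;
}

function require_login(string $loginUrl = '/login.php'): void {
    start_session();
    if (empty($_SESSION['allow'])) {
        header('Location: ' . $loginUrl);
        exit; // without this the rest of the page is still sent to the visitor
    }
}

function logout(): void {
    start_session();
    $_SESSION = [];
    session_destroy();
}
```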
 
LVL 2

Expert Comment

by:abijelic
ID: 24830464
You can try as well, if you have Apache as a web server, to create a .htaccess file.

You create a text file which you call .htaccess and place it into the directory you would like to protect:
AuthType Basic
AuthName "Password Required"
AuthUserFile /absolute/path/to/the/password/file

Then use the htpasswd command from the shell to create the user and password, and that is all:
htpasswd  /absolute/path/to/the/password/file   username

That is the quickest and the easiest way... of course if your server is Apache and supports .htaccess
0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24832093
dvz, please forgive my denseness but here are 3 pages that I deduce I should have:

1) PwdTest.html
2) login.php
3) sorry.html (the page I want to display if the username and/or password are wrong.)

What happens is that whether my username and password are right, wrong, or missing, clicking on submit takes me to the page I'm trying to protect. In this case, "http://...events.html"

a) are my codes correct?
b) must the error page be a php Page?
c) or is there something else I'm doing wrong

Help!

John




PWDTEST.HTML:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Password Test</title></head>
<body>

<form action="login.php" method="post">
<input type="text" name="user"/>
<input type="text" name="pass"/>
<input type="submit" name="submit"/>
</form>

</body>
</html>

LOGIN.PHP

<?php 
  session_start();

  //set login variables
  $user = 'user';
  $pass = 'pass';

  //check to see if form was submitted
  if(isset($_POST['submit'])) {
    //check to see if user and or password match
    if ($_POST['user'] == $user && $_POST['pass'] == $pass) {
      //initialize session
      $_SESSION['allow'] = 'true';
    }
  }

  //if session exists, send to content page1.php
  if(isset($_SESSION['allow'])) {
    header ( 'Location: http://www.livinatlevel5.us/events.html' );
  }
  else {
    header ( 'Location: http://www.livinatlevel5.us/sorry.html' );
  }
?>

SORRY.HTML:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>

Sorry. You need a password to view the contents of the requested page.
</body>
</html>

0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24832119
abijelic, I could switch this site over to my apache server, but you're going way too fast for me. I have a

1) What is the entire content of the .htaccess file? Is it this:
AuthType Basic
AuthName "Password Required"
AuthUserFile /absolute/path/to/the/password/file

2) is it in fact named .htaccess? Nothing before the dot?

3) <<< Then use the htpasswd command from shell to create user and password  >>>
What do you mean "shell"? Is shell a file? Is "htpasswd command" a piece of code in that file? ???

4) <<< htpasswd  /absolute/path/to/the/password/file   username  >>>  Is this the "htpasswd command"?

Please don't send me a link to a tutorial, because from my past experience I can rarely learn anything from a tutorial unless I already know how the thing works.

Please be as patient and as detailed as you can be with me.

Thanks,
John



0
 
LVL 5

Expert Comment

by:dvz-
ID: 24832177
John,

I know you asked for no tutorial - but I found a snippet that explains each line fairly well.  I'll paste that in a second.

1)  Yes.  That is sufficient for a basic .htaccess file.

2)  .htaccess  -  (dot)htaccess  is correct.  the (dot) as the first character symbolizes a hidden file in the linux/unix file system.

3)  Shell is a "terminal" where you interact with the system.  Think something similar to command prompt on windows.  You type commands and interact with the system via -command line interface-.

4) In a "shell" or "terminal" with apache installed, you would typically type:

htpasswd /absolute/path/to/file username

to call the command "htpasswd" passing the arguments "/absolute/path/to/file" and "username", allowing htpasswd to work its magic.

now if your server isn't apache based as it is, don't fret - you can use the php script and it'll work as well.  But typically there is a cost from switching from Windows based to Linux based, as far as I know.  If it's free and you don't need the services offered from windows, i.e. ASP.NET, etc, then the .htaccess method is the simplest route once you get familiar with it.


Now here's the link I found about .htaccess on other webservers.  Has a decent explanation.  But jump down to The Password .htaccess File heading.

http://www.wiscocomputing.com/articles/using_htaccess.htm
0
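The two steps described in this exchange (the .htaccess file plus an htpasswd entry) done from PHP instead of the htpasswd command, as an added example that is not part of the original thread. It also writes a `Require valid-user` line, which Apache needs before it enforces the login; the script name, function names and arguments are assumptions, as is Apache 2.4 or later with bcrypt support and AllowOverride AuthConfig for the directory.

```php
<?php
// make_htaccess.php: added example, run once from a command line:
//   php make_htaccess.php <protected-dir> <password-file> <user>
// Assumes Apache 2.4+ (accepts bcrypt "$2y$" entries) with AllowOverride AuthConfig.

function htpasswd_line(string $user, string $password): string {
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user must be non-empty, without ":" or newlines');
    }
    // Same "$2y$" bcrypt format that "htpasswd -B" writes.
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
}

function htaccess_body(string $passwordFile): string {
    return "AuthType Basic\n"
         . "AuthName \"Password Required\"\n"
         . "AuthUserFile \"" . $passwordFile . "\"\n"
         . "Require valid-user\n"; // the line that makes Apache demand a login
}

if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    if ($argc !== 4) {
        fwrite(STDERR, "usage: php make_htaccess.php <protected-dir> <password-file> <user>\n");
        exit(1);
    }
    [, $dir, $passwordFile, $user] = $argv;
    fwrite(STDERR, 'Password (echoed as typed): ');
    $password = rtrim((string) fgets(STDIN), "\r\n");
    // Keep the password file outside the web root so it cannot be downloaded.
    file_put_contents($passwordFile, htpasswd_line($user, $password), LOCK_EX);
    file_put_contents(rtrim($dir, '/\\') . '/.htaccess', htaccess_body($passwordFile), LOCK_EX);
    echo "Wrote $passwordFile and .htaccess in $dir\n";
}
```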
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24832439
This is great help, dvz. (BTW, since my most recent post, I've actually been forcing myself to learn a little php from the ground up at w3schools and I have actually learned some stuff in the last 15 minutes, so good for me!)

Right now I have my files on my Windows server, so I'm glad to hear that I can continue there.
The cobwebs are starting to clear but I still need to understand more. Where on my windows server would the shell into which I type my commands be located?  To bring up the command prompt window in Vista, I just type "command prompt" in the search box and it comes up. How do I bring up the shell on my server? From what little research I've done I gather that the shell can be a perl script  (about which I know nothing yet) or even a php file. Is that correct?

I'm going to research some more while I'm waiting for your next answer.

Thanks!

John
0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24832489
As for the .htaccess file, I copied the 3 lines into notepad, saved it as .htaccess.txt, and uploaded it to the root folder of my site.  Is that the correct name or should it just be   htaccess ?

John
0
 
LVL 5

Expert Comment

by:dvz-
ID: 24833355
John.

just name it ".htaccess".  "htaccess" is the file extension.

As for the implementing it...here's a really good read that walks you through it, with images that help depict what's going on.

http://sniptools.com/vault/windows-apache-and-htaccess-authentication

Hope this helps!
0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24845824
Okay I've got shell up and running on my remote linux apache server. I took a look at the link but I'm definitely going to need some help with the tutorial.

For example, if the root folder of my site is <<< http://discretedata.com/htdocs  >>>   and the folder I want to protect is named "secure" , then would the path be: http://discretedata.com/apache/htdocs/secure  OR just http://discretedata.com/htdocs/secure?  Or would the slashes be back slashes?

Next, where would I find or how would I create my "httpd.conf" file?  And what should it say?

And is this the right tree to be barking up? putting the private folders in their own protected folder? I can do that as it is already, but I want to do it in such a way that the user doesn't have to re-enter his login every time he leaves and returns to one of those pages.

If you can straighten me out on these things, I'd like to award you the points for this question, and carry on with a new question.

Thanks,
John
0
 
LVL 5

Expert Comment

by:dvz-
ID: 24845943
first I'll answer the last question.  htaccess should require the user to enter the password/username when a new instance of the site is started...requiring login only when the user tries accessing the files the first time that browser session.

now I'm going to assume that you have full access to this server.  If you don't, feel free to correct this line of thinking and I will try to accommodate.

httpd.conf is typically created in /etc/apache/ or /etc/apache2/
to get there in shell:  cd /etc/apache2

as for your secure folder...that depends on where the DocumentRoot of your website is located in.  One way to find this out is to create a little php file and upload it to the folder you want to secure; then run it.  It should tell you something like...

/var/www/example.com/htdocs/secure

or something.  that line above (whatever it returns) is your ABSOLUTE path.

<?php echo $_SERVER['DOCUMENT_ROOT']; ?>


0
 
LVL 1

Author Comment

by:gabrielPennyback
ID: 24851159
Hi dvz, I'm having too much difficulty with shell, so let me award you points for this and then I will re-ask the question in different terms. What I've learned from talking to my host is that I can accomplish my goal with php only so I'm going to go that route and see how far I get.

Thanks,  

John
0
 
LVL 1

Author Closing Comment

by:gabrielPennyback
ID: 31602307
Thanks again
- John
0
