Password protect several html pages with php. User needs password only the first time.

I'm whatever comes before newbie in PHP, but I need to protect 3 pages on a site in such a way that the user only needs to input the correct password once and thereafter can access the protected page without the password. JavaScript protection is easy, but of course anyone who knows how to look at the source code can find the password immediately.

It doesn't matter if I do it as a login from the homepage with username and password that then makes the 3 pages viewable, or as a pop-up password prompt upon a user's attempt to access one of the pages. I don't think I need to use a database at the moment because it will be the same username and password for everyone.

But I would like it so that the user doesn't have to keep entering the password every time he wants to access a protected page.

In an ideal world the solution will consist of one simple php script and a few lines in the html page to activate that script.

I really need to have done this yesterday, so I'm hoping that there's someone who can get me squared away this afternoon.

Thanks!

John



John Carney, Reliability Business Tools Analyst II, Asked:

dvz-Commented:
Here's a very basic/simple solution;  assumes  you have:  login.php as your gateway to the other protected pages.
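#login.php
<?php 
  session_start();
 
  //set login variables
  $user = 'randomuser';
  $pass = '123asd';
 
  //check to see if form was submitted
  if(isset($_POST['submit'])) {
    //read the submitted values as strings (missing fields become '')
    $postedUser = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $postedPass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    //check that user and password both match (type-safe, constant-time comparison)
    if (hash_equals($user, $postedUser) && hash_equals($pass, $postedPass)) {
      //issue a fresh session id on login, then initialize session
      session_regenerate_id(true);
      $_SESSION['allow'] = 'true';
    }
  }
      
  //if session exists, send to content page1.php
  if(isset($_SESSION['allow'])) {
    header ( 'Location: http://www.yoursite.com/page1.php' );
    exit; //stop here so nothing else is sent after the redirect
  }
  //continue printing login form
?>
<html>
<head>
</head>
<body>
 
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
<input type="text" name="user"/>
<input type="password" name="pass"/>
<input type="submit" name="submit"/>
</form>
 
</body>
</html>
 
  
#top of other pages
<?php
  session_start();
  //if session doesn't exist, redirect to login
  if(!isset($_SESSION['allow'])) {
    header ( 'Location: http://www.yoursite.com/login.php' );
    exit; //without this the rest of the protected page is still sent
  }
  //page info follows
?>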


0
John Carney, Reliability Business Tools Analyst II, Author Commented:
This looks great. My hope was that I could do it from my index.html.  If I can't do it from an index.html, can I then save my index.html  - as is more or less - as index.php? Or does it work so that when I click on a button - say "gallery" - on my homepage, it then brings  up the login.php?
Perhaps it will help you to advise me if you take a look at my site: http://livinatlevel5.us. Can I drive this script from my login on the top of the page?

Also where in the script do I name the pages that are to be protected, leaving other pages, if any, to be freely accessed?

Thanks!

John



0
dvz-Commented:
john

Sure...in that case...you would take the login form and have its action="login.php".

Hope this helps
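#index.html
<html>
<head>
</head>
<body>
 
<form action="login.php" method="post">
<input type="text" name="user"/>
<input type="password" name="pass"/>
<input type="submit" name="submit"/>
</form>
 
</body>
</html>
 
#login.php
<?php 
  session_start();
 
  //set login variables
  $user = 'randomuser';
  $pass = '123asd';
 
  //check to see if form was submitted
  if(isset($_POST['submit'])) {
    //read the submitted values as strings (missing fields become '')
    $postedUser = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $postedPass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    //check that user and password both match (type-safe, constant-time comparison)
    if (hash_equals($user, $postedUser) && hash_equals($pass, $postedPass)) {
      //issue a fresh session id on login, then initialize session
      session_regenerate_id(true);
      $_SESSION['allow'] = 'true';
    }
  }
      
  //if session exists, send to content page1.php
  if(isset($_SESSION['allow'])) {
    header ( 'Location: http://www.yoursite.com/page1.php' );
    exit; //stop here so nothing else is sent after the redirect
  }
  else {
    header ( 'Location: http://www.yoursite.com/index.html' );
    exit;
  }
?>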


0
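A hardened variant of the session gate in the answer above, as an added example that is not code from the thread: one include file that both checks the session and shows the login form, so the protected pages are simply the ones that include it. The file name protect.php, the placeholder hash and PHP 7 or later are assumptions.

```php
<?php
// protect.php (assumed name): added example, not code from the thread.
// Each protected page must be a .php file whose first line is:
//   require __DIR__ . '/protect.php';

const SHARED_USER = 'randomuser';
// Placeholder: paste the output of
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT);'
// Until it is replaced, password_verify() fails and nobody can log in.
const SHARED_HASH = 'REPLACE_WITH_PASSWORD_HASH_OUTPUT';

function credentials_ok(string $user, string $pass): bool
{
    // Evaluate both checks so a wrong user name does not skip the hash check.
    $userOk = hash_equals(SHARED_USER, $user);
    $passOk = password_verify($pass, SHARED_HASH);
    return $userOk && $passOk;
}

// Session cookie hidden from JavaScript; ids not issued by the server are rejected.
session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);

$error = '';
if (empty($_SESSION['allow']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    if (credentials_ok($user, $pass)) {
        session_regenerate_id(true);   // fresh session id once logged in
        $_SESSION['allow'] = true;
        header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303); // reload as GET
        exit;
    }
    $error = 'Wrong user name or password.';
}

if (empty($_SESSION['allow'])) {
    http_response_code(403);
    header('Cache-Control: no-store');
    echo '<!DOCTYPE html><html><head><title>Login</title></head><body>';
    echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    echo '<form method="post">'
       . '<input type="text" name="user"/>'
       . '<input type="password" name="pass"/>'
       . '<input type="submit" name="submit"/>'
       . '</form></body></html>';
    exit; // stop here: the protected page below this include is never sent
}
// Logged in: control returns to the page that included this file.
```

A page left as plain .html never runs this include, so it stays reachable by its URL no matter what the login script does.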


abijelic Commented:
You can try as well, if you have Apache as a web server, to create a .htaccess file.

You create a txt file which you call .htaccess and place it into the directory you would like to protect
AuthType Basic
AuthName "Password Required"
AuthUserFile /absolute/path/to/the/password/file
# without a Require line Apache never asks for the password
Require valid-user

Then use the htpasswd command from shell to create user and password and that is all
htpasswd  /absolute/path/to/the/password/file   username

That is the quickest and the easiest way... of course if your server is Apache and supports .htaccess
0
John Carney, Reliability Business Tools Analyst II, Author Commented:
dvz, please forgive my denseness but here are 3 pages that I deduce I should have:

1) PwdTest.html
2) login.php
3) sorry.html (the page I want to display if the username and/or password are wrong.)

What happens is that whether my username and password are right, wrong, or missing, clicking on submit takes me to the page I'm trying to protect. In this case, "http://...events.html"

a) are my codes correct?
b) must the error page be a php Page?
c) or is there something else I'm doing wrong?

Help!

John




PWDTEST.HTML:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Password Test</title></head>
<body>
 
<form action="login.php" method="post">
<input type="text" name="user"/>
<input type="text" name="pass"/>
<input type="submit" name="submit"/>
</form>
 
</body>
</html>
 
LOGIN.PHP
<?php 
  session_start();
 
  //set login variables
  $user = 'user';
  $pass = 'pass';
 
  //check to see if form was submitted
  if(isset($_POST['submit'])) {
    //check to see if user and or password match
    if ($_POST['user'] == $user && $_POST['pass'] == $pass) {
      //initialize session
      $_SESSION['allow'] = 'true';
    }
  }
      
  //if session exists, send to content page1.php
  if(isset($_SESSION['allow'])) {
    header ( 'Location: http://www.livinatlevel5.us/events.html' );
  }
  else {
    header ( 'Location: http://www.livinatlevel5.us/sorry.html' );
  }
?>
 
SORRY.HTML:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
 
<body>
 
Sorry. You need a password to view the contents of the requested page.
</body>
</html>


0
John Carney, Reliability Business Tools Analyst II, Author Commented:
abijelic, I could switch this site over to my apache server, but you're going way too fast for me. I have a

1) What is the entire content of the .htaccess file? Is it this:
AuthType Basic
AuthName "Password Required"
AuthUserFile /absolute/path/to/the/password/file

2) is it in fact named .htaccess? Nothing before the dot?

3) <<< Then use the htpasswd command from shell to create user and password  >>>
What do you mean by "shell"? Is shell a file? Is "htpasswd command" a piece of code in that file? ???

4) <<< htpasswd  /absolute/path/to/the/password/file   username  >>>  Is this the "htpasswd command"?

Please don't send me a link to a tutorial, because from my past experience I can rarely learn anything from a tutorial unless I already know how the thing works.

Please be as patient and as detailed as you can be with me.

Thanks,
John



0
dvz-Commented:
John,

I know you asked for no tutorial - but I found a snippet that explains each line fairly well. I'll paste that in a second.

1)  Yes.  That is sufficient for a basic .htaccess file.

2)  .htaccess  -  (dot)htaccess  is correct.  The (dot) as the first character symbolizes a hidden file in the Linux/Unix file system.

3)  Shell is a "terminal" where you interact with the system.  Think something similar to command prompt on windows.  You type commands and interact with the system via -command line interface-.

4) In a "shell" or "terminal" with apache installed, you would typically type:

htpasswd /absolute/path/to/file username

to call the command "htpasswd" passing the arguments "/absolute/path/to/file" and "username", allowing htpasswd to work its magic.

Now if your server isn't Apache based as it is, don't fret - you can use the php script and it'll work as well.  But typically there is a cost from switching from Windows based to Linux based, as far as I know.  If it's free and you don't need the services offered from windows, i.e. ASP.NET, etc, then the .htaccess method is the simplest route once you get familiar with it.


Now here's the link I found about .htaccess on other webservers.  Has a decent explanation.  But jump down to The Password .htaccess File heading.

http://www.wiscocomputing.com/articles/using_htaccess.htm
0
John Carney, Reliability Business Tools Analyst II, Author Commented:
This is great help, dvz. (BTW, since my most recent post, I've actually been forcing myself to learn a little php from the ground up at w3schools and I have actually learned some stuff in the last 15 minutes, so good for me!)

Right now I have my files on my Windows server, so I'm glad to hear that I can continue there.
The cobwebs are starting to clear but I still need to understand more. Where on my windows server would the shell into which I type my commands be located?  To bring up the command prompt window in Vista, I just type "command prompt" in the search box and it comes up. How do I bring up the shell on my server? From what little research I've done I gather that the shell can be a perl script  (about which I know nothing yet) or even a php file. Is that correct?

I'm going to research some more while I'm waiting for your next answer.

Thanks!

John
0
John Carney, Reliability Business Tools Analyst II, Author Commented:
As for the .htaccess file, I copied the 3 lines into notepad, saved it as .htaccess.txt, and uploaded it to the root folder of my site.  Is that the correct name or should it just be   htaccess ?

John
0
dvz-Commented:
John.

just name it ".htaccess".  "htaccess" is the file extension.

As for the implementing it...here's a really good read that walks you through it, with images that help depict what's going on.

http://sniptools.com/vault/windows-apache-and-htaccess-authentication

Hope this helps!
0
John Carney, Reliability Business Tools Analyst II, Author Commented:
Okay I've got shell up and running on my remote linux apache server. I took a look at the link but I'm definitely going to need some help with the tutorial.

For example, if the root folder of my site is <<< http://discretedata.com/htdocs  >>>   and the folder I want to protect is named "secure" , then would the path be: http://discretedata.com/apache/htdocs/secure  OR just http://discretedata.com/htdocs/secure?  Or would the slashes be back slashes?

Next, where would I find or how would I create my "httpd.conf" file?  And what should it say?

And is this the right tree to be barking up? putting the private folders in their own protected folder? I can do that as it is already, but I want to do it in such a way that the user doesn't have to re-enter his login every time he leaves and returns to one of those pages.

If you can straighten me out on these things, I'd like to award you the points for this question, and carry on with a new question.

Thanks,
John
0
dvz-Commented:
First I'll answer the last question.  htaccess should require the user to enter the password/username when a new instance of the site is started...requiring login only when the user tries accessing the files the first time that browser session.

Now I'm going to assume that you have full access to this server.  If you don't, feel free to correct this line of thinking and I will try to accommodate.

httpd.conf is typically created in /etc/apache/ or /etc/apache2/
to get there in shell:  cd /etc/apache2

As for your secure folder...that depends on where the DocumentRoot of your website is located in.  One way to find this out is to create a little php file and upload it to the folder you want to secure; then run it.  It should tell you something like...

/var/www/example.com/htdocs/secure

or something.  That line above (whatever it returns) is your ABSOLUTE path.

<?php echo $_SERVER['DOCUMENT_ROOT']; ?>


0
John Carney, Reliability Business Tools Analyst II, Author Commented:
Hi dvz, I'm having too much difficulty with shell, so let me award you points for this and then I will re-ask the question in different terms. What I've learned from talking to my host is that I can accomplish my goal with php only so I'm going to go that route and see how far I get.

Thanks,  

John
0
John Carney, Reliability Business Tools Analyst II, Author Commented:
Thanks again
- John
0