PHP5 - PHP Password protection
March 11th, 2013, 09:23 AM
Registered User
PHP5 - PHP Password protection
Hello,
I am trying to password protect a website that I am making, and have successfully done so using Zubrag's password protect script. I want to slightly modify the script so that depending on what password a user enters, a different version of the site will be displayed. My knowledge of PHP (unfortunately) is fairly limited; I can decipher code and write a little, but cannot work out how to successfully implement what I want to achieve.
I have modified the script thus far and have now run into a problem with the cookies, in that I don't think the cookie is being set properly.
Due to my lack of PHP knowledge I also cannot work out how to implement the feature where entering a different password will lead you to a different version of the site...
Here is the code:
Code:
<?php
##################################################################
# SETTINGS START
##################################################################
$LOGIN_INFORMATION = array(
    'default'
);
define('TIMEOUT_MINUTES', 15);
define('TIMEOUT_CHECK_ACTIVITY', true);
##################################################################
# SETTINGS END
##################################################################
// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);
if(!function_exists('showLoginPasswordProtect')) {
    // show login form
    function showLoginPasswordProtect($error_msg) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "(URL address blocked: See forum rules)">
<html xmlns="(URL address blocked: See forum rules)">
<head>
    <meta http-equiv="CACHE-CONTROL" content="NO-CACHE">
    <meta http-equiv="PRAGMA" content="NO-CACHE">
    <meta name="robots" content="noindex" />
    <title>Please Login</title>
    <link href="style.css" rel="stylesheet" type="text/css" />
    <link href="fonts.css" rel="stylesheet" type="text/css" />
    <link href="scripts/style.css" rel="stylesheet" type="text/css" />
    <link href="scripts/fonts.css" rel="stylesheet" type="text/css" />
</head>
<body>
    <div id="errorholder">
        <h1>Please enter the password <br/> to access this site</h1><br/>
        <form name="form" method="post">
            <p class="bluetext"><?php echo $error_msg; ?> </p>
            <input type="password" title="password" name="access_password" /></p><br/>
            <p><input type="submit" name="submit" value="Valider" /></p>
        </form>
    </div>
</body>
</html>
<?php
        // stop at this point
        die();
    }
}
// user provided password
if (isset($_POST['access_password'])) {
    $pass = $_POST['access_password'];
    if (!in_array($pass, $LOGIN_INFORMATION)) {
        showLoginPasswordProtect("Incorrect Password");
    }
    else {
        // set cookie if password was validated
        setcookie("verify", md5($pass), $timeout, '/');
        unset($_POST['access_password']);
        unset($_POST['Submit']);
    }
}
else {
    // check if password cookie is set
    if (!isset($_COOKIE['verify'])) {
        showLoginPasswordProtect("");
    }
    // check if cookie is good
    $found = false;
    if ($_COOKIE['verify'] == md5($pass)) {
        $found = true;
        // prolong timeout
        if (TIMEOUT_CHECK_ACTIVITY) {
            setcookie("verify", md5($pass), $timeout, '/');
        }
        break;
    }
}
if (!$found) {
    showLoginPasswordProtect("");
}
?>
With regard to adding the different version of the site, I believe I need to add some if statements such as the following:
Code:
if (($_POST == $LOGIN_INFORMATION1 ))
{
    Header("Location:pagename01.php");
    exit();
}
if($_POST == $LOGIN_INFORMATION2)
{
    Header("Location:pagename02.php");
    exit();
}
I am extremely lost and confused and my severe lack of PHP knowledge has got me stuck. I know it's a big ask, but if anyone can help or point me in the right direction I would be ever so grateful!
Kind regards
Matt

March 11th, 2013, 09:52 AM
Contributing User
I think you should be very uncomfortable with the very concept of using a password for anything except security!
I suggest a third [optional] field on the sign on screen. Or, perhaps, a menu page that is displayed after the sign on.

March 11th, 2013, 11:54 AM
Likely to be eaten by a grue.
So you want to have one username with multiple passwords? What happens if you implement a "forgot password" feature?

March 11th, 2013, 12:49 PM
Lost in code
Quote:
So you want to have one username with multiple passwords? What happens if you implement a "forgot password" feature?

It doesn't look like the script has usernames. I think it's more of a PIN system rather than an authentication system; i.e., enter your PIN to see your own information.

March 11th, 2013, 04:25 PM
pollyanna
Hi,
I'm sorry to tell you, but the script you downloaded is garbage -- which is pretty surprising for such a simple task. Unfortunately, this is a very common issue of this kind of "code for free" sites. Most of what you'll find is either terrible or hopelessly outdated or both.
What the hell is storing the password hash in the cookie supposed to do? All this does is waste CPU power. It's pretty much the "good" old plaintext passwords with a lot of snake oil on top of it:
- The password hash is the password in this scheme. An attacker doesn't have to know the original passwords residing on your server, all he/she needs in order to authenticate is the derived password in the cookie.
- Hashing the passwords on the server each time a user tries to authenticate is completely useless. Why not hash the passwords once and for all? Does the Zubrag guy/gal not know that the output is always the same? Or is this a poor attempt of trying to hide the fact that it's a plaintext password system?
You know what? Throw this nonsense away and write your own script using actual security. It's not difficult:
- Generate some strong random passwords using a tool like KeePass.
- Generate a separate random session ID, which you can regularly change while keeping the passwords. If you have only a few users or access to a database, generate a new session ID for each login. This allows you to increase security by setting a timeout limit and letting users logout (the standard techniques we all know from sites like this forum).
- Of course none of this protects against password sharing. So change your passwords regularly.
Trust me, you can do better than this Zubrag.
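
One way to put the steps from the last reply together, as an added example that is not code from this thread or from the Zubrag script. It also covers the original question by mapping each password to a site version. Assumptions: PHP 7.3 or later, HTTPS, PHP's built-in session as the random session ID, passwords stored as `password_hash()` output; the file names `auth.php` and `login.php` and the hash strings are placeholders.

```php
<?php
// auth.php: added example; hypothetical file name, placeholder hashes.
// Each hash is produced once, offline, with password_hash($password, PASSWORD_DEFAULT).
const ACCESS = [
    ['hash' => 'PLACEHOLDER_HASH_FOR_VERSION_1', 'page' => 'pagename01.php'],
    ['hash' => 'PLACEHOLDER_HASH_FOR_VERSION_2', 'page' => 'pagename02.php'],
];
const TIMEOUT_SECONDS = 15 * 60;

session_set_cookie_params(['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start(); // the cookie now holds only a random session ID, nothing derived from the password

// Map a submitted password to its site version, or null if it matches none.
function pageForPassword(string $submitted): ?string
{
    $page = null;
    foreach (ACCESS as $entry) {
        // Check every entry so timing does not depend on which one matched.
        if (password_verify($submitted, $entry['hash'])) {
            $page = $entry['page'];
        }
    }
    return $page;
}

// Call with the posted password; on success, bind the version to a fresh session.
function login(string $submitted): bool
{
    $page = pageForPassword($submitted);
    if ($page === null) {
        return false;
    }
    session_regenerate_id(true); // new session ID for each login
    $_SESSION['page'] = $page;
    $_SESSION['last_seen'] = time();
    return true;
}

// Call at the top of each protected page, e.g. requireVersion('pagename01.php').
function requireVersion(string $page): void
{
    $fresh = isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] <= TIMEOUT_SECONDS;
    if (!$fresh || ($_SESSION['page'] ?? null) !== $page) {
        $_SESSION = [];
        session_destroy(); // expired or wrong version: drop the session
        header('Location: login.php'); // hypothetical page holding the password form
        exit;
    }
    $_SESSION['last_seen'] = time(); // activity prolongs the timeout
}
```

The login form handler would call `login()` with the posted `access_password` (after checking it is a string) and redirect to `$_SESSION['page']` on success.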