#1

    PHP Password protection


    Hello,

    I am trying to password protect a website that I am making, and have successfully done so using Zubrag's password protect script. I want to slightly modify the script so that depending on what password a user enters, a different version of the site will be displayed. My knowledge of PHP (unfortunately) is fairly limited; I can decipher code and write a little, but cannot work out how to successfully implement what I want to achieve.

    I have modified the script thus far and have now run into a problem with the cookies, in that I don't think the cookie is being set properly.

    Due to my lack of PHP I also cannot work out how to implement the feature where entering a different password will lead you to a different version of the site.

    Here is the code:

    Code:
    <?php
    
    ##################################################################
    #  SETTINGS START
    ##################################################################
    
    $LOGIN_INFORMATION = array(
      'default'
    );
    
    define('TIMEOUT_MINUTES', 15);
    
    define('TIMEOUT_CHECK_ACTIVITY', true);
    
    ##################################################################
    #  SETTINGS END
    ##################################################################
    
    // timeout in seconds
    $timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);
    
    
    if(!function_exists('showLoginPasswordProtect')) {
    
    // show login form
    function showLoginPasswordProtect($error_msg) {
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "(URL address blocked: See forum rules)">
    <html xmlns="(URL address blocked: See forum rules)">
    
    <head>
    
    <meta http-equiv="CACHE-CONTROL" content="NO-CACHE">
    <meta http-equiv="PRAGMA" content="NO-CACHE">
    <meta name="robots" content="noindex" />
    <title>Please Login</title>
    
    <link href="style.css" rel="stylesheet" type="text/css" />
    <link href="fonts.css" rel="stylesheet" type="text/css" />
    <link href="scripts/style.css" rel="stylesheet" type="text/css" />
    <link href="scripts/fonts.css" rel="stylesheet" type="text/css" />
    
    </head>
    
    <body>
    
    	<div id="errorholder">
      
      		<h1>Please enter the password <br/> to access this site</h1><br/>
    	
    			<form name="form" method="post"> 
    				<p class="bluetext"><?php echo $error_msg; ?>&nbsp;</p>
    				<input type="password" title="password" name="access_password" /></p><br/>
    				<p><input type="submit" name="submit" value="Valider" /></p>    
    			</form>
    		
    	</div>
    	
    </body>
    
    </html>
    
    <?php
      // stop at this point
      die();
    }
    }
    
    // user provided password
    if (isset($_POST['access_password'])) {
    
      $pass = $_POST['access_password'];
      if (!in_array($pass, $LOGIN_INFORMATION)
      )
      {
        showLoginPasswordProtect("Incorrect Password");
      }
      else {
        // set cookie if password was validated
        setcookie("verify", md5($pass), $timeout, '/');
        
        unset($_POST['access_password']);
        unset($_POST['Submit']);
      }
    
    }
    
    else {
    
      // check if password cookie is set
      if (!isset($_COOKIE['verify'])) {
        showLoginPasswordProtect("");
      }
    
      // check if cookie is good
      $found = false;
        if ($_COOKIE['verify'] == md5($pass)) {
          $found = true;
          // prolong timeout
          if (TIMEOUT_CHECK_ACTIVITY) {
            setcookie("verify", md5($pass), $timeout, '/');
          }
          break;
        }
      }
      if (!$found) {
        showLoginPasswordProtect("");
      }
    
    ?>
    With regard to adding the different version of the site, I believe I need to add some if statements such as the following:

    Code:
    if (($_POST == $LOGIN_INFORMATION1 )) 
    { 
    Header("Location:pagename01.php"); 
    exit(); 
    } 
    
    if($_POST == $LOGIN_INFORMATION2) 
    { 
    Header("Location:pagename02.php"); 
    exit(); 
    }
    I am extremely lost and confused and my severe lack of PHP knowledge has got me stuck. I know it's a big ask, but if anyone can help or point me in the right direction I would be ever so grateful!

    Kind regards

    Matt
#2 Old Fart
    I think you should be very uncomfortable with the very concept of using a password for anything except security!

    I suggest a third [optional] field on the sign on screen. Or, perhaps, a menu page that is displayed after the sign on.
#3 Sarcky
    So you want to have one username with multiple passwords? What happens if you implement a "forgot password" feature?
#4 Lost in code
    So you want to have one username with multiple passwords? What happens if you implement a "forgot password" feature?
    It doesn't look like the script has usernames. I think it's more of a PIN system rather than an authentication system; i.e., enter your PIN to see your own information.
#5
    Hi,

    I'm sorry to tell you, but the script you downloaded is garbage -- which is pretty surprising for such a simple task. Unfortunately, this is a very common issue with this kind of "code for free" site. Most of what you'll find is either terrible or hopelessly outdated or both.

    What the hell is storing the password hash in the cookie supposed to do? All this does is waste CPU power. It's pretty much the "good" old plaintext passwords with a lot of snake oil on top of it:
    • The password hash is the password in this scheme. An attacker doesn't have to know the original passwords residing on your server, all he/she needs in order to authenticate is the derived password in the cookie.
    • Hashing the passwords on the server each time a user tries to authenticate is completely useless. Why not hash the passwords once and for all? Does the Zubrag guy/gal not know that the output is always the same? Or is this a poor attempt at hiding the fact that it's a plaintext password system?


    You know what? Throw this nonsense away and write your own script using actual security. It's not difficult:
    • Generate some strong random passwords using a tool like KeePass.
    • Generate a separate random session ID, which you can regularly change while keeping the passwords. If you have only a few users or access to a database, generate a new session ID for each login. This allows you to increase security by setting a timeout limit and letting users log out (the standard techniques we all know from sites like this forum).
    • Of course none of this protects against password sharing. So change your passwords regularly.


    Trust me, you can do better than this Zubrag.
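
The approach described in the last reply, as an added example that is not part of the thread or of Zubrag's script: PHP's session mechanism supplies the random session ID, stored password hashes select the site version, and the cookie never carries anything derived from the password. It is meant to be included at the top of every protected page; the sample passwords and function names are assumptions, while pagename01.php and pagename02.php are the names used in the first post.

```php
<?php
declare(strict_types=1);
const TIMEOUT_SECONDS = 15 * 60; // idle limit, same 15 minutes as the first post
// Constructed sample passwords, hashed here only so the example runs as-is.
// In deployment, run password_hash() once and store just the resulting hashes.
$versions = [
    'pagename01.php' => password_hash('constructed-sample-A', PASSWORD_DEFAULT),
    'pagename02.php' => password_hash('constructed-sample-B', PASSWORD_DEFAULT),
];

// Map a submitted password to its site version, or null if none matches.
function versionForPassword(string $password, array $versions): ?string
{
    foreach ($versions as $page => $hash) {
        if (password_verify($password, $hash)) {
            return $page;
        }
    }
    return null;
}

// Logged in, recently active, and asking for the version this login unlocked.
function sessionAllows(array $session, string $script, int $now): bool
{
    return isset($session['page'], $session['last_seen'])
        && $now - $session['last_seen'] <= TIMEOUT_SECONDS
        && $session['page'] === basename($script);
}

session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);
$now = time();
$error = '';
if (isset($_POST['access_password']) && is_string($_POST['access_password'])) {
    $page = versionForPassword($_POST['access_password'], $versions);
    if ($page !== null) {
        session_regenerate_id(true); // fresh random session ID for each login
        $_SESSION = ['page' => $page, 'last_seen' => $now];
        header('Location: ' . $page);
        exit;
    }
    $error = 'Incorrect Password';
}
if (!sessionAllows($_SESSION, $_SERVER['SCRIPT_NAME'], $now)) {
    $_SESSION = []; // drop expired or mismatched state; the cookie holds no secret
    echo '<form method="post"><p>', htmlspecialchars($error), '</p>',
         '<input type="password" name="access_password"><input type="submit" value="Login"></form>';
    exit;
}
$_SESSION['last_seen'] = $now; // activity prolongs the timeout
```

Because the version is stored server-side in the session, a stolen or guessed cookie value reveals nothing about the passwords, and the session expires on its own after 15 idle minutes.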
