How to Password Protect Folder/Page Using PHP Without a Db or Username

What is the best way to password protect a folder/page using PHP without a db or username?

Edit: SHA1 is no longer considered secure. Stored password hashes should also be salted. There are now much better solutions to this problem.


You could use something like this:

//access.php

<?php
//put the sha1() hash of the password here - example is 'hello'
$password = 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d';

session_start();
if (!isset($_SESSION['loggedIn'])) {
    $_SESSION['loggedIn'] = false;
}

if (isset($_POST['password']) && is_string($_POST['password'])) {
    // hash_equals() compares in constant time and avoids the type juggling of ==
    if (hash_equals($password, sha1($_POST['password']))) {
        $_SESSION['loggedIn'] = true;
    } else {
        die ('Incorrect password');
    }
}

if (!$_SESSION['loggedIn']): ?>

<html><head><title>Login</title></head>
<body>
<p>You need to login</p>
<form method="post">
Password: <input type="password" name="password"> <br />
<input type="submit" name="submit" value="Login">
</form>
</body>
</html>

<?php
exit();
endif;
?>

Then on each file you want to protect, put at the top:

<?php
require('access.php');
?>
secret text

It isn't a very nice solution, but it might do what you want.

Edit

You could add a logout.php page like:

<?php
session_start();
$_SESSION['loggedIn'] = false;
?>
You have logged out
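
An added example, not part of the original answer: the same access.php gate using password_hash()/password_verify() in place of the unsalted SHA-1 comparison, in line with the edit note above. The HASH_FILE location and the require_login() name are assumptions.

```php
<?php
// access.php, hardened variant (added example, not the original answer's code).
// Create the stored value once on the command line and save it to HASH_FILE:
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), PHP_EOL;'

// Assumed location: a file outside the web root, readable by the PHP user only.
const HASH_FILE = __DIR__ . '/../private/access.hash';

function require_login(): void
{
    session_start();
    if (!empty($_SESSION['loggedIn'])) {
        return; // already authenticated in this session
    }

    $error = '';
    // is_string() rejects array input such as password[]=x
    if (isset($_POST['password']) && is_string($_POST['password'])) {
        $stored = is_readable(HASH_FILE) ? trim(file_get_contents(HASH_FILE)) : '';
        // password_verify() takes salt and cost from the stored hash and
        // compares in constant time; an empty hash never verifies.
        if ($stored !== '' && password_verify($_POST['password'], $stored)) {
            session_regenerate_id(true); // fresh session ID after login (anti-fixation)
            $_SESSION['loggedIn'] = true;
            return;
        }
        $error = 'Incorrect password';
    }

    // Not logged in: show the form and stop before any protected output.
    echo '<html><head><title>Login</title></head><body>';
    echo '<p>' . htmlspecialchars($error ?: 'You need to login') . '</p>';
    echo '<form method="post">Password: <input type="password" name="password">';
    echo ' <input type="submit" value="Login"></form></body></html>';
    exit;
}

require_login();
```

Protected pages keep the same require('access.php'); line at the top.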

Password protect a page without db access with php

Sure, why not? You can use flat files in an inaccessible directory (protected by .htaccess or out of the www root) and use that as a database.

Here's a simple login class I've whipped up:

class SimpleLogin {

    private $users;
    private $db = './pass.txt';

    function __construct() {
        $data = file_get_contents($this->db);

        if (!$data) {
            die('Can\'t open db');
        } else {
            // the file only holds an array of strings, so refuse to build objects
            $this->users = unserialize($data, ['allowed_classes' => false]);
        }
    }

    function save() {
        if (file_put_contents($this->db, serialize($this->users)) === false)
            die('Couldn\'t save data');
    }

    function authenticate($user, $password) {
        // unknown users fail cleanly; hash_equals() replaces the loose == comparison
        return isset($this->users[$user])
            && hash_equals($this->users[$user], $this->hash($password));
    }

    function addUser($user, $password) {
        $this->users[$user] = $this->hash($password);
        $this->save();
    }

    function removeUser($user) {
        unset($this->users[$user]);
        $this->save();
    }

    function userExists($user) {
        return array_key_exists($user, $this->users);
    }

    function userList() {
        return array_keys($this->users);
    }

    // you can change the hash function and salt here
    function hash($password) {
        $salt = 'jafo2ijr02jfsau02!)U(jf';
        return sha1($password . $salt);
    }

}

NOTE: You really should turn off error reporting if you are going to use this on an actual server. This can be done by calling error_reporting() or by adding '@' in front of file_get_contents and file_put_contents (i.e. so it turns into @file_get_contents).

Usage example: http://left4churr.com/login/

password protected directory in php

It's difficult to help without knowing how you log people in (you must do so you at least know they're logged in and which user they are)
I'm going to assume a basic login system.

The way I do it is a basic login.php page; if the login is successful, set some basic sessions (no password, username or sensitive info) and set their user level (so you can manage what they can access).

eg, if login = successful:

$_SESSION['loggedin']['userlevel'] = $FromDatabase['userlevel'];

Then in an include file which is included in every page (header.php or config.php)
I have (my config.php is before any headers/browser output are sent etc.):

if (!isset($_SESSION))
{
    session_start();
}

$strUserLevel = false;

if (isset($_SESSION['loggedin']['userlevel']))
{
    $strUserLevel = $_SESSION['loggedin']['userlevel'];
}

Then I can use this throughout the site to control their access:

if ($strUserLevel == false)
{
    header("location: login.php");
    die();
}
//or wherever you want to redirect them
//or just say you need to be logged in to view this, link to login page (etc)

// variable names are case-sensitive: this must be $strUserLevel, as set in config.php
if ($strUserLevel < 3) // or whatever level they need for this page
{
    echo "You cannot edit this page";
    exit();
}
else
{
    //a form or whatever
}

The above are just basic examples. My code is a bit more complex as I always use config.php in includes and set global variables to use site wide there, and have a basic login check function (checks their current IP matches the one I checked at login time and stored in DB and other things etc).

Another method of permission control is using mysql tables. So if you have TABLE tblEditPageAB, anyone whose name is in a row in that table can edit that page.
Though this is more used for admin control, i.e. you have tblAdministrateOtherUsers - again anyone who has their name/details in a row in that table can administrate the other users (or whatever).

To check this you just simply query, and if no results they can't.

Again, the best approach all depends on your site, scenario, how many pages you have to be edited, if they're created on the fly, etc.
There are all manner of approaches, but hopefully I've given you food for thought, and helped :)

Simple .htaccess password generation / update using PHP without database

  1. You could run apache's htpasswd on the command line via system() or exec(). This way you're sure that you are using the correct password generation method.
  2. Do it yourself in pure php with file() and explode and use crypt to hash the passwords.
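
One way to do the pure-PHP variant (option 2), as an added example rather than code from the answer: it uses password_hash() with bcrypt instead of crypt(), assuming Apache 2.4 or later, which accepts $2y$ hashes in password files. The function name htpasswd_set and the path in the usage comment are hypothetical.

```php
<?php
// Added example: add or update one "user:hash" entry in an Apache password file.
// Assumption: Apache 2.4+, which verifies the $2y$ bcrypt hashes PHP produces.

function htpasswd_set(string $file, string $user, string $password): void
{
    // A colon or line break in the name would break the user:hash line format.
    if ($user === '' || preg_match('/[:\r\n]/', $user)) {
        throw new InvalidArgumentException('Invalid user name');
    }
    $entry = $user . ':' . password_hash($password, PASSWORD_BCRYPT);

    $fh = fopen($file, 'c+'); // create if missing, never truncate on open
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException('Cannot open or lock password file');
    }

    $lines = [];
    $found = false;
    while (($line = fgets($fh)) !== false) {
        $line = rtrim($line, "\r\n");
        if ($line === '') {
            continue;
        }
        // Everything before the first colon is the user name.
        if (explode(':', $line, 2)[0] === $user) {
            $line = $entry; // replace the existing hash
            $found = true;
        }
        $lines[] = $line;
    }
    if (!$found) {
        $lines[] = $entry;
    }

    // Rewrite under the exclusive lock so concurrent updates cannot interleave.
    rewind($fh);
    ftruncate($fh, 0);
    fwrite($fh, implode("\n", $lines) . "\n");
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
}

// Usage (hypothetical path, kept outside the web root):
// htpasswd_set('/path/outside/webroot/.htpasswd', 'alice', $newPassword);
```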

Password protecting a webpage with PHP

You can't change the 5th line to "hello" because the provided code aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d already means "hello" after the sha1 process of encrypting security. Or: maintain the code provided and you will see "hello" working.

Best way to password protect a folder?

Create .htaccess with basic authentication (running from web browser).
You must create a users and password file. You may find many manuals on the web about it.
For example: http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/


