How to Password-Protect PHP Page

Basic PHP password protected webpage

Code here: http://pastebin.com/j16kfGD6

PHP Page password protection

You have to check first if the password has been submitted in your with function.

// this has to be checked first
// added isset to check if its existing

if( isset($_SESSION[$session_key]) && $_SESSION[$session_key] ) return;
    ^-------------------------------^

if( isset($_POST['password']) && $_POST['password'] == $password ) {
    ^--------------------------^
    ...
}

Full password protected website

Thats not the way to approach this.

First make use of a session, but only hold a isLoggedIn flag in the session not the password.

Second, all scripts can be in the public_html folder, but what you do is add a little script that checks the loggedIn state to all scripts and if not loggedIn throw the login page

Heres a simple example

login_check.php

<?php
    session_start();
    if ( ! isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] == 0) {
        header('Location: login.php');
        exit;
    }

Now in your login script

login.php

<?php
    session_start();
    if ( isset($_SESSION['loggedIn'] && $_SESSION['loggedIn'] == 1) {
        // already logged in
        header('Location: index.php.php');  // or some other page
        exit;
    }

    If ( "The password is correct" ) {   // this is of course pseudo code
        $_SESSION['loggedIn'] = 1;
        header('Location: somepage.php');
        exit;
    } else {
        unset($_SESSION['loggedIn']);
        header('Location: login.php');
        exit;
    }
?>

Now in all your other scripts

<?php
    // first thing is always to check if this user is logged in
    // so any access from a user not yet logged in just get
    // thrown to the login page, or maybe your index.php
    require_once 'login_check.php';

You can also use this session to hold useful but not sensitive things like

$_SESSION['user_id'];   // id of the users info in user table
$_SESSION['FirstName'];
$_SESSION['LastName'];
$_SESSION['nickname'];

and anything else that might be useful to know across your application that you dont want to go to the database each time to collect.

Additional info

Your HTML is not well formed

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="UTF-8">
   <title>Page Title</title>
</head>
<body>
<form role="form" method="POST" style="margin: 0px" action="index.php">
   <input type="password" name ="pass" class="form-control" id="pwd" />  
   <input type="submit" name="login" class="btn btn-danger" value="Login" />
</form>
</body>
</html>

Password protecting a webpage with PHP

You can't change the 5th line to "hello" cause the provided code aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d already means "hello" after the sha1 process of encripting security. Or: maintain the code provided and you will see "hello" working.

What is the best way to password protect folder/page using php without a db or username

Edit: SHA1 is no longer considered secure. Stored password hashes should also be salted. There are now much better solutions to this problem.

You could use something like this:

//access.php

<?php
//put sha1() encrypted password here - example is 'hello'
$password = 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d';

session_start();
if (!isset($_SESSION['loggedIn'])) {
    $_SESSION['loggedIn'] = false;
}

if (isset($_POST['password'])) {
    if (sha1($_POST['password']) == $password) {
        $_SESSION['loggedIn'] = true;
    } else {
        die ('Incorrect password');
    }
} 

if (!$_SESSION['loggedIn']): ?>

<html><head><title>Login</title></head>
  <body>
    <p>You need to login</p>
    <form method="post">
      Password: <input type="password" name="password"> <br />
      <input type="submit" name="submit" value="Login">
    </form>
  </body>
</html>

<?php
exit();
endif;
?>

Then on each file you want to protect, put at the top:

<?php
require('access.php');
?>
secret text

It isn't a very nice solution, but it might do what you want

Edit

You could add a logout.php page like:

<?php
    session_start();
    $_SESSION['loggedIn'] = false;
?>
You have logged out

Multiple password Protect Php for a single user

If I understand correctly, user has to enter 4 different passwords, so you can use session to remember each stage like followings:

<?php
session_start();
$error = false;
if (!isset($_SESSION['login'])) {

    $stage = (isset($_SESSION['stage']))? $_SESSION['stage'] : 0;
    $stage_labels = array(
        'First',
        'Second',
        'Third',
        'Final'
    );

    $passwords = array(
        '111',
        '222',
        '333',
        '444'
    );

    if (isset($_POST['password']) && $_POST['password'] == $passwords[$stage]) {

        if ($stage == 3) {
            // if the final password matches, create a session variable for login
            $_SESSION['login'] = 'loggedin';
            header('location: ' . $_SERVER['PHP_SELF']);
            exit();
        } else {
            // if password matches the respective stage, increase the value of stage by 1 to move on to next stage
            $_SESSION['stage'] = $stage + 1;
            header('location: ' . $_SERVER['PHP_SELF']);
            exit();
        }

    } elseif (isset($_POST['password'])) {
        $error = true;
        // if form submitted with mismatch password, stage will restart from 0 again
        print '<p align="center"><font color="red"><b>Incorrect Code entered</b><br>Please enter the correct code or contact Administrator</font></p>';
        $_SESSION['stage'] = 0;

    }

    if (!$error) {
        print '<p>Please enter your '. $stage_labels[$stage].' password</p>';
    }

    print '<form method="post"><p align="center"><h2>Please enter code to intiate transfer</h2><br>';
    print '<input name="password" type="password" maxlength="10"><input value="Authenticate" type="submit"></p></form>';

} else {
    echo 'You have logged in';
}
?>

PHP password protected page cookie

Your requirement is a very classical practice. You can read a tutorial here: http://www.phpnerds.com/article/using-cookies-in-php/2

Notes:

  • Compare hash to hash
  • Never save your plain-text password in a cookie
  • More secure: don't save hashed passwords in cookies like the tutorial.
    Just store a session hashed code and using a DB table session to map
    it with the user's sessions.

Hope it helps.


Related Topics

Org.JSON.JSONexception: Value <Br of Type Java.Lang.String Cannot Be Converted to JSONobject

Generating Random Numbers from Skewed Normal Distribution

Understanding Imagemagick's Convert and Translating to Ruby Rmagick

How to Compare 2 HTML Pages, and Output Only the Different Bits in Ruby or PHP

What Ocr Options Exist Beyond Tesseract

How to Convert HTML to Bbcode

Clean Urls for Search Query

How to Display an Blob Image Stored in MySQL Database

Laravel 4 Custom Named Password Column

PHP - Processing Invalid Xml

PHP Number Format

Function Eregi() Is Deprecated

How to Change the Woocommerce_Form_Field HTML Structure

Warning: MySQL_Result() Expects Parameter 1 to Be Resource, Boolean Given

Display Output in Parts in PHP

How to Do Multiple SQL Statements in One MySQL_Query

How to Construct a Cross Database Query in PHP

Why Session Object Destruction Failed


Leave a reply



Submit