Easy way to password-protect php page

Question

I have a page I want to password-protect  I ve tried doing HTTP authentication  but for some reason it doesn t work on my hosting  Any other quick  and easy  way to do this  Thanks

User · Answer

This is a bit late but I wanted to reply in case anyone else came upon this page and found that the highest reply was a bit off. I have improved upon the system just a tad bit. Note, it is still not amazingly secure but it is an improvement.

First prepare your password salts file:

hash_generate.php:

 <?php

 $user = "Username"; // please replace with your user
 $pass = "Password"; // please replace with your passwd
 // two ; was missing

 $useroptions = ['cost' => 8,];
 $userhash    = password_hash($user, PASSWORD_BCRYPT, $useroptions);
 $pwoptions   = ['cost' => 8,];
 $passhash    = password_hash($pass, PASSWORD_BCRYPT, $pwoptions);

 echo $userhash;
 echo "<br />";
 echo $passhash;

 ?>

Take your output $userhash and $passhash and put them in two text files: user.txt and pass.txt, respectively. Others have suggested putting these text files away above public_html, this is a good idea but I just used .htaccess and stored them in a folder called "stuff"

.htaccess

 deny from all

Now no one can peek into the hash. Next up is your index.php:

index.php:

<?php
$user = ""; //prevent the "no index" error from $_POST
$pass = "";
if (isset($_POST['user'])) { // check for them and set them so
    $user = $_POST['user'];
}
if (isset($_POST['pass'])) { // so that they don't return errors
    $pass = $_POST['pass'];
}    

$useroptions = ['cost' => 8,]; // all up to you
$pwoptions   = ['cost' => 8,]; // all up to you
$userhash    = password_hash($user, PASSWORD_BCRYPT, $useroptions); // hash entered user
$passhash    = password_hash($pass, PASSWORD_BCRYPT, $pwoptions);  // hash entered pw
$hasheduser  = file_get_contents("stuff/user.txt"); // this is our stored user
$hashedpass  = file_get_contents("stuff/pass.txt"); // and our stored password


if ((password_verify($user, $hasheduser)) && (password_verify($pass,$hashedpass))) {

    // the password verify is how we actually login here
    // the $userhash and $passhash are the hashed user-entered credentials
    // password verify now compares our stored user and pw with entered user and pw

    include "pass-protected.php";

} else { 
    // if it was invalid it'll just display the form, if there was never a $_POST
    // then it'll also display the form. that's why I set $user to "" instead of a $_POST
    // this is the right place for comments, not inside html
    ?>  
    <form method="POST" action="index.php">
    User <input type="text" name="user"></input><br/>
    Pass <input type="password" name="pass"></input><br/>
    <input type="submit" name="submit" value="Go"></input>
    </form>
    <?php 
}

User · Answer

I would simply look for a   GET variable and redirect the user if it s not correct    lt  php  pass     GET  pass    if  pass     my-secret-password       header  Location  http   www staggeringbeauty com         gt    Now  if this page is located at say  http   example com secrets files php  You can now access it with  http   example com secrets files php pass my-secret-password Keep in mind that this isn t the most efficient or secure way  but nonetheless it is a easy and fast way   Also  I know my answer is outdated but someone else looking at this question may find it valuable

User · Answer

you can specify a password in your php code and only allow users that has the secret url   mywebsite com private php pass secret   in your file    lt  php      if isset   GET  pass    amp  amp    GET  pass     secret                 put your code here             else             echo  you re not allowed to access this page            gt

User · Answer

Some easy ways  Use Apache s digest authorization  Use lighttpd s digest authorization  Use php s header digest authorization    If you want you can also make it so only certain ip addresses can login      really easy with lighttpd  Update  I will post some examples soon  so don t vote down for no examples  i just need to get some down for this answer   If you want to use sessions the following is the best way to go     admin php session start    if    SESSION  AUTH        require once  login php     Do stuff  we are logged in      login php session start    if   REQUEST  username       user   amp  amp    REQUEST  password       pass         SESSION  AUTH     true  else   SESSION  AUTH     false    This logs you out if you visit this login script page without login details   if   SESSION  AUTH        require once  admin php     This method does not contain the examples for above but you seamed interested in this method  The other method examples are still to come  I have not got enough time to get it for apache or lighttpd settings and the php header auth  http   php net manual en features http-auth php Will do

User · Answer

lt  html gt   lt head gt     lt title gt Nick Benvenuti lt  title gt     lt link rel  icon  href  img xicon jpg  type  image x-icon   gt     lt link rel  stylesheet  href  CSS main css  gt     lt link rel  stylesheet  href  CSS normalize css  gt     lt script src  JS jquery-1 12 0 min js  type  text javascript  gt  lt  script gt   lt  head gt   lt body gt   lt div id  phplogger  gt     lt script type  text javascript  gt    function tester       window location href  admin php         function phpshower       document getElementById  phplogger   classList toggle  shower      document getElementById  phplogger   classList remove  hider          function phphider       document getElementById  phplogger   classList toggle  hider      document getElementById  phplogger   classList remove  shower         lt  script gt   lt  php    if  login  variable is filled out  send email   if  isset   REQUEST  login             Login info    passbox     REQUEST  login       password    blahblahyoudontneedtoknowmypassword        Login   if  passbox     password         Login response   echo   lt script text javascript gt  phphider     lt  script gt             gt   lt div align  center  margin-top  50px  gt   lt h1 gt Administrative Access Only lt  h1 gt   lt h2 gt Log In  lt  h2 gt    lt form method  post  gt    Password   lt input name  login  type  text    gt  lt br   gt     lt input type  submit  value  Login  id  submit-button    gt     lt  form gt   lt  div gt   lt  div gt   lt div align  center  gt   lt p gt Welcome to the developers and admins page  lt  p gt   lt  div gt   lt  body gt   lt  html gt    Basically what I did here is make a page all in one php file where when you enter the password if its right it will hide the password screen and bring the stuff that protected forward  and then heres the css which is a crucial part because it makes the classes that hide and show the different parts of the page       PHP CONTENT STARTS HERE      hider     visibility hidden    display none          shower     visibility visible          phplogger     background-color  333    color blue    position absolute    height 100     width 100     margin 0    top 0    bottom 0          PHP CONTENT ENDS HERE

User · Answer

Not the solution  but for your interest  HTTP authentication only works  when PHP runs as Apache module  Most hosters provide PHP as CGI version only

User · Answer

lt  php  username    the username here    password    the password here    nonsense    supercalifragilisticexpialidocious    if  isset   COOKIE  PrivatePageLogin          if    COOKIE  PrivatePageLogin      md5  password  nonsense       gt        lt  -- LOGGED IN CONTENT HERE -- gt    lt  php       exit       else         echo  Bad Cookie          exit          if  isset   GET  p     amp  amp    GET  p       login        if    POST  user       username          echo  Sorry  that username does not match          exit       else if    POST  keypass       password          echo  Sorry  that password does not match          exit       else if    POST  user       username  amp  amp    POST  keypass       password          setcookie  PrivatePageLogin   md5   POST  keypass    nonsense          header  Location    SERVER PHP SELF          else         echo  Sorry  you could not be logged in at this time             gt    And the login form on the page     On the same page  right below the above  posted code    lt form action   lt  php echo   SERVER  PHP SELF      gt  p login  method  post  gt   lt label gt  lt input type  text  name  user  id  user    gt  Name lt  label gt  lt br   gt   lt label gt  lt input type  password  name  keypass  id  keypass    gt  Password lt  label gt  lt br   gt   lt input type  submit  id  submit  value  Login    gt   lt  form gt

User · Answer

A simple way to protect a file with no requirement for a separate login page - just add this to the top of the page   Change secretuser and secretpassword to your user password    user     POST  user     pass     POST  pass     if    user     secretuser   amp  amp   pass     secretpassword          echo   lt html gt  lt body gt  lt form method  POST  action      SERVER  REQUEST URI      gt              Username   lt input type  text  name  user  gt  lt  input gt  lt br  gt              Password   lt input type  password  name  pass  gt  lt  input gt  lt br  gt               lt input type  submit  name  submit  value  Login  gt  lt  input gt               lt  form gt  lt  body gt  lt  html gt        exit

User · Answer

This helped me a lot and save me much time  its easy to use  and work well  i ve even take the risque of change it and it still works   Fairly good if you dont want to lost to much time on doing it     http   www zubrag com scripts password-protect php

User · Answer

Here s a very simple way  Create two files  protect-this php  lt  php        Your password         password    MYPASS        if  empty   COOKIE  password         COOKIE  password        password               Password not set or incorrect  Send to login php          header  Location  login php            exit          gt   login php   lt  php        Your password         password    MYPASS           Redirects here after login         redirect after login    index php           Will not ask password again for         remember password   strtotime   30 days       30 days      if  isset   POST  password     amp  amp    POST  password       password            setcookie  quot password quot    password   remember password           header  Location       redirect after login           exit          gt   lt  DOCTYPE html gt   lt html gt   lt head gt       lt title gt Password protected lt  title gt   lt  head gt   lt body gt       lt div style  quot text-align center margin-top 50px  quot  gt          You must enter the password to view this content           lt form method  quot POST quot  gt               lt input type  quot text quot  name  quot password quot  gt           lt  form gt       lt  div gt   lt  body gt   lt  html gt   Then require protect-this php on the TOP of the files you want to protect     Password protect this content require once  protect-this php     Example result   After filling the correct password  user is taken to index php  The password is stored for 30 days  PS  It s not focused to be secure  but to be pratical  A hacker can brute-force this  Use it to keep normal users away  Don t use it to protect sensitive information

User · Answer

Not exactly the most robust password protection here  so please don t use this to protect credit card numbers or something very important   Simply drop all of the following code into a file called  secure php   change the user and pass from  admin  to whatever you want  Then right under those lines where it says include  secure html    simply replace that with the filename you want them to be able to see   They will access this page at  YouDomain com secure php  and then the PHP script will internally include the file you want password protected so they won t know the name of that file  and can t later just access it directly bypassing the password prompt   If you would like to add a further level of protection  I would recommend you take your  secure html  file outside of your site s root folder   public html   and place it on the same level as that directory  so that it is not inside the directory  Then in the PHP script where you are including the file simply use      secure html    That       means go back a directory to find the file  Doing it this way  the only way someone can access the content that s on the  secure html  page is through the  secure php  script    lt  php  user     POST  user     pass     POST  pass     if  user     admin   amp  amp   pass     admin             include  secure html      else       if isset   POST          gt                lt form method  POST  action  secure php  gt              User  lt input type  text  name  user  gt  lt  input gt  lt br  gt              Pass  lt input type  password  name  pass  gt  lt  input gt  lt br  gt               lt input type  submit  name  submit  value  Go  gt  lt  input gt               lt  form gt       lt        gt

[php] Easy way to password-protect php page

Examples related to php

Examples related to password-protection