Need a simple password script.


NickATRvtec
01-15-2003, 05:20 AM
Hi everyone (newbie :p ).

I've just created a login page for a website and I want this to link to an offers page that can only be accessed by members only, who have been given a password prior to visiting the website.

I've looked on www.javascript.com and there is an 8 line piece of code that enables you to do this, but not in the way I want.
This code brings up a pop-up password box that, once verified, sends you to the appropriate page.

My login page already has a form which has a login box and a submit button.

Help :)

Beldale
01-15-2003, 06:16 AM
Well you can use the below code, however I do not recommend using it if you are not going to encrypt the code because of the unsecure nature of it. I would recommend using ASP myself, and I'm sure some of the other folks could recommend another secure way to perform the transaction also.

But until then here is what you asked for:

<html>
<head>
<title>Logon Page</title>
<script LANGUAGE="JavaScript">

function LogOn()
{
// The expected name and password sit in the page source, visible through View Source
var bCorrectLogonName = false;
var bCorrectPassword = false;
// Standard forms collection instead of the IE-only document.all
var oForm = document.forms["form1"];

if (oForm.elements["txtName"].value == "TotallyUnsecure")
{
bCorrectLogonName = true;
}
if (oForm.elements["txtPassword"].value == "EveryoneCanSeeMyPassword")
{
bCorrectPassword = true;
}
if ((bCorrectLogonName == true) && (bCorrectPassword == true))
{
window.location = "http://forums.webdeveloper.com/";
}
}
</script>
</head>
<body>

<center>
<form id=form1 name=form1>
<table BORDER="0" CELLPADDING="2" CELLSPACING="0">
<tr>
<td ALIGN="right">Name:</td>
<td><input TYPE="text" NAME="txtName" VALUE="" SIZE="20"></td>
</tr>
<tr>
<td ALIGN="right">Password:</td>
<td><input TYPE="password" NAME="txtPassword" VALUE="" SIZE="20"></td>
</tr>
<tr>
<td ALIGN="center" COLSPAN="2"><input type=button value="Log On" id=submit1 name=submit1 OnClick="LogOn()"></td>
</tr>
</table>
</form>
</center>

</body>
</html>

NickATRvtec
01-15-2003, 06:22 AM
Why is it not secure? Is it because you can view the source code which contains the password?

How would I go about using asp? I assume I would insert javascript into an asp page?

Thanks :)

Beldale
01-15-2003, 06:52 AM
It is not secure because the user can see the code through view source as you mentioned. ASP is more secure because the user cannot see the code. You can connect to a database to confirm the user name and password (great for individualized data), or hard code it (this way becomes more of a pain unless you use a generic logon name and password). Before you use ASP you will need to make sure that wherever you are housing your project allows for ASP code though. Just in case you did not know, ASP code has a ".asp" extension rather than a ".html" or ".htm".

Here is how you would do it in asp:

<%@ Language=VBScript %>
<%
If Request.Form("txtName") <> "" AND Request.Form("txtPassword") <> "" Then
s_name = Trim(Request.Form("txtName"))
s_password = Trim(Request.Form("txtPassword"))

If s_name = "SecureLogon" AND s_password = "SecureLogon" Then
Response.Redirect "http://forums.webdeveloper.com/"
End If
ElseIf Request.Form("hidExecute") <> "" Then
s_error = "Please enter a name and a password. "
End If

%>
<html>
<head>
<title>Logon Page</title>
</head>
<body>
<%
If s_error <> "" Then
Response.Write "<font color='red'>" & s_error & "</font><br>"
End If
%>
<center>
<form ID="form1" NAME="form1" ACTION="asp_logon.asp" METHOD="post">
<table BORDER="0" CELLPADDING="2" CELLSPACING="0">
<tr>
<td ALIGN="right">Name:</td>
<td><input TYPE="text" NAME="txtName" VALUE="" SIZE="20"></td>
</tr>
<tr>
<td ALIGN="right">Password:</td>
<td><input TYPE="password" NAME="txtPassword" VALUE="" SIZE="20"></td>
</tr>
<tr>
<td ALIGN="center" COLSPAN="2">
<input TYPE="submit" NAME="Submit" VALUE="Log On">
<input TYPE="hidden" NAME="hidExecute" VALUE="Execute">
</td>
</tr>
</table>
</form>
</center>

</body>
</html>

pyro
01-15-2003, 06:59 AM
Or, you could use PHP. You could use MD5 encryption to protect the username/password. If you are interested, let me know and I'll write up some code for you. Like ASP, PHP requires a special extension -- only it's .php.

NickATRvtec
01-15-2003, 07:26 AM
Thanks guys, that's great.

So basically put that code into an .asp page then. The server does have asp support too :)

So I don't need to create any external database in MS Access or anything, do I?

I don't want a load of users stored in a database with different logins and passwords, I just want a single password (no login) that people are given to access the page I have created.

Beldale
01-15-2003, 07:33 AM
As long as you use an individual logon and/or password (or a list you can generate) you do not need the database.

Now if you are ready to go a step further you can add a Session variable and check the session state at the top of every page behind the password to confirm that the user hasn't bypassed the password page with a direct link. If the password was bypassed the page will redirect the user to the logon page without allowing the user to see the page.

I noticed I left out some information on the asp code sample. I have updated it, so be sure to check it out.

pyro,

Does php require server modifications to perform, or does it work with any web server?

pyro
01-15-2003, 07:45 AM
Originally posted by Beldale
Does php require server modifications to perform, or does it work with any web server?

No, it requires a PHP interpreter, but then, in my experience, it is harder to find a host that allows ASP than PHP.

NickATRvtec
01-15-2003, 07:54 AM
Great info, thanks :D

Looks like I'll be hanging out on this forum for a little while longer :p ;) :)

NickATRvtec
01-15-2003, 10:05 AM
Ok guys - I've done that asp page with the code, now what do I do?

Beldale
01-15-2003, 10:24 AM
If everything is there and it works properly, the next step you can take is to add a session variable and check for the session variable on the internal pages.

NickATRvtec
01-21-2003, 05:58 AM
Well it looks like the server isn't asp after all, it's a Unix one!

Can anyone help me out with some PHP code?

Sorry for the hassle. If I can't sort this I'll have to ask the ISP if they will do a password entry system :(

pyro
01-21-2003, 07:37 AM
Here's some code for you...

Your Form...
<form method="post" action="passwordreader.php">
<table>
<tr><td><b class=rng>Username:</b></td><td>&nbsp;</td><td><input type="text" name="username"></td></tr>
<tr><td><b class=rng>Password:</b></td><td>&nbsp;</td><td><input type="password" name="password"></td></tr>
<tr><td colspan="3" align="center"><input type="submit" value=" Submit "></td></tr>
</table>
</form>

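And, passwordreader.php...
<?PHP

// MD5 values produced by encrypter.php
$user = 'yourencryptedusername';
$pass = 'yourencryptedpassword';
// Read the posted form fields directly (does not rely on register_globals)
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
if(md5($username) === $user && md5($password) === $pass)
{
setcookie ("verified", "1");
header ("Location: http://www.yoursite.com/dir/page.htm");
exit; // stop here so nothing else is sent after the redirect
}
else
{
echo ("Incorrect Password");
}
?>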

Now make this file and name it protect.php
<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back;
# Check the cookie set by passwordreader.php (does not rely on register_globals)
if (!isset($_COOKIE['verified'])) { die($acc_denied); }
if (!$_COOKIE['verified']) { die($acc_denied); }

?>

Now, insert this on the top of all your pages...
<?php include_once("protect.php"); ?>

And, lastly, make a file named encrypter.php and use it to make your username and password, which you will insert in passwordreader.php...
<?PHP
// The form below submits with GET; print the MD5 of each field once it has been sent
if (isset($_GET['showvalues']))
{
echo 'User: ' . md5($_GET['username']);
echo '<br>Password: ' . md5($_GET['password']);
}
?>

<form method="get" action="encrypter.php">
<table>
<tr><td><b class=rng>Username:</b></td><td>&nbsp;</td><td><input type="text" name="username"></td></tr>
<tr><td><b class=rng>Password:</b></td><td>&nbsp;</td><td><input type="text" name="password"></td></tr>
<tr><td colspan="3" align="center"><input type="submit" value=" Submit " name="showvalues"></td></tr>
</table>
</form>

Whew...That's a lot of code... :D If you need any help, let me know. Remember to rename pages to .php...
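
Added example, not part of pyro's post or of any code in this thread: the same passwordreader.php / protect.php flow with the logged-in flag kept in a server-side session (the session-variable check Beldale describes earlier) rather than in a `verified` cookie whose value the browser supplies, and with `password_hash()` / `password_verify()` in place of unsalted MD5. The file paths, constants and function names are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). Paths and names below are assumptions.
// Create the hash once on the command line and save its output to HASH_FILE:
//   php -r 'echo password_hash("the members password", PASSWORD_DEFAULT);'
const HASH_FILE    = __DIR__ . '/../private/member.hash'; // outside the web root
const LOGIN_PAGE   = '/login.php';
const MEMBERS_PAGE = '/dir/page.php';

// Array form of session_set_cookie_params() needs PHP 7.3 or later.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,                    // not readable from page script
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);
    session_start();
}

// True only for a string that matches the stored password_hash() value.
function password_is_valid($submitted, string $storedHash): bool
{
    return is_string($submitted)               // rejects password[]=x arrays
        && $storedHash !== ''                  // missing hash file never matches
        && password_verify($submitted, $storedHash);
}

// passwordreader.php: handle_login($_POST['password'] ?? null);
function handle_login($submitted): void
{
    start_secure_session();
    $hash = trim((string) @file_get_contents(HASH_FILE));
    if (password_is_valid($submitted, $hash)) {
        session_regenerate_id(true);           // fresh session id after login
        $_SESSION['verified'] = true;          // stored on the server only
        header('Location: ' . MEMBERS_PAGE);
        exit;
    }
    http_response_code(401);
    echo 'Incorrect Password';
}

// protect.php: call require_login() before any output on each members page.
function require_login(): void
{
    start_secure_session();
    if (($_SESSION['verified'] ?? false) !== true) {
        header('Location: ' . LOGIN_PAGE);
        exit;
    }
}
```

The browser only ever holds the session id; the `verified` flag itself lives in the server's session store, so a request cannot assert it by sending a cookie or a query parameter of that name.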

NickATRvtec
01-21-2003, 07:46 AM
Wow.... amazing :eek: :)

A couple of VERY basic questions though (as I am new to all this).

Where do I insert this into an htm page (I am using dreamweaver)? Or do I just delete all the html and insert the php code and rename the htm file to .php?

Should I put these files into a new folder within the site files on the server or just put them in the same area as the index.htm file?

Cheers muchly :D

pyro
01-21-2003, 08:08 AM
Originally posted by NickATRvtec
Where do I insert this into an htm page (I am using dreamweaver)? Or do I just delete all the html and insert the php code and rename the htm file to .php?

In Dreamweaver, go to file>new then click Dynamic Page and choose PHP.

Originally posted by NickATRvtec
Should I put these files into a new folder within the site files on the server or just put them in the same area as the index.htm file?

I would, but it is totally up to you. If you are trying to password protect your whole site, then I wouldn't, but if you just want a password protected directory, then, yes, I'd put these files inside the directory.

Webskater
01-21-2003, 08:12 AM
A couple of comments to clear up some possibly misleading comments.
To run active server pages you don't need an "asp server". Active Server Pages is a Microsoft technology that will run on any Microsoft Server or Workstation running IIS (Internet Information Server) or PWS (Personal Web Server). So you can host a web site on virtually any box running Windows. Some company makes a bit of software (whose name escapes me) that will run ASP on unix boxes.

So, when someone said "it is harder to find a host that allows ASP than PHP" I cannot understand it. There are, quite literally, thousands of ISPs offering hosting on Windows NT Servers running Active Server Pages. I believe that, when considering whether to use a technology, it's a good idea to look around at how many other people are using it. Again there are who knows how many millions of database driven web sites using ASP - including, of course, Microsoft's own support site. As a result there is a huge skills base - so if you need help, or need to hire someone - it is easy to find people with the necessary skills.

NickATRvtec
01-21-2003, 08:20 AM
Ok thanks, that makes a bit more sense now :)

When I click file->new it doesn't give me the option of choosing a dynamic PHP page so is it alright to open an htm file, delete the code, insert PHP code and rename to .PHP?

What parameters will I need to change in the PHP code to suit my site (password etc)

By the way, I just want a password authorisation so where do I take the login bit out of the code to de-activate it?

Thank you!

pyro
01-21-2003, 08:27 AM
Originally posted by NickATRvtec
so is it alright to open an htm file, delete the code, insert PHP code and rename to .PHP?

Yes, that will be fine.

Originally posted by NickATRvtec
What parameters will I need to change in the PHP code to suit my site (password etc)

Just the lines marked here....

<?PHP
// MD5 values produced by encrypter.php
$user = 'yourencryptedusername';
$pass = 'yourencryptedpassword';
// Read the posted form fields directly (does not rely on register_globals)
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
if(md5($username) === $user && md5($password) === $pass)
{
setcookie ("verified", "1");
header ("Location: http://www.yoursite.com/dir/page.htm");
exit; // stop here so nothing else is sent after the redirect
}
else
{
echo ("Incorrect Password");
}
?>

Originally posted by NickATRvtec
By the way, I just want a password authorisation so where do I take the login bit out of the code to de-activate it?

I'm not sure what you mean...Do you just want to see if a password that they enter _is_ a password? If so, you won't need most of the code I gave you...

pyro
01-21-2003, 08:30 AM
Originally posted by Webskater
So, when someone said "it is harder to find a host that allows ASP than PHP"

Well, IMO, it is easier to find a *nix host than a NT/2000 one.

Originally posted by Webskater
I believe that, when considering whether to use a technology, it's a good idea to look around at how many other people are using it.

True. And I'd say that that majority falls on PHP.

NickATRvtec
01-21-2003, 08:36 AM
Thanks.

Basically, members will be given a password by letter (such as 'monkey') and then they will enter this password and have access to the members-only page.

pyro
01-21-2003, 08:38 AM
So you want to remove the username?

Webskater
01-21-2003, 08:51 AM
Originally posted by pyro
Well, IMO, it is easier to find a *nix host than a NT/2000 one.

True. And I'd say that that majority falls on PHP.

With regard to the first, I think that was true 5 or 6 years ago. Now, ASP is so simple and accessible, many ISPs that only used to offer Unix based servers, now also offer NT and Windows 2000 servers. And, there are thousands of ISPs that only offer Windows based solutions.

With regard to the second - I know we all view the world from within our own particular speciality - but, I can honestly say that for every 20 sites I see with a .asp suffix I only see one with a .php
Also, sites that I regard as serious sites - banks, share trading sites etc all seem to run on ASP or JSP

pyro
01-21-2003, 08:59 AM
Originally posted by Webskater
I know we all view the world from within our own particular speciality

How true...

Originally posted by Webskater
but, I can honestly say that for every 20 sites I see with a .asp suffix I only see one with a .php

I think that is a matter of seeing what we want to see, because I honestly think I see far more .php than .asp. :D

Originally posted by Webskater
Also, sites that I regard as serious sites - banks, share trading sites etc all seem to run on ASP or JSP

I would possibly agree with you on that one...It does seem like when I do see .asp it is on those kinds of site...

NickATRvtec
01-21-2003, 09:02 AM
Sorry if I didn't mention that in the first place, yes I want just a username.

If it's easier to do... excellent!

pyro
01-21-2003, 09:48 AM
If I'm understanding you correctly, what you will need to do is change this

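<?PHP

// MD5 values produced by encrypter.php
$user = 'yourencryptedusername';
$pass = 'yourencryptedpassword';
// Read the posted form fields directly (does not rely on register_globals)
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
if(md5($username) === $user && md5($password) === $pass)
{
setcookie ("verified", "1");
header ("Location: http://www.yoursite.com/dir/page.htm");
exit; // stop here so nothing else is sent after the redirect
}
else
{
echo ("Incorrect Password");
}
?>

to this

<?PHP

// MD5 value produced by encrypter.php
$user = 'yourencryptedusername';
// Read the posted form field directly (does not rely on register_globals)
$username = isset($_POST['username']) ? $_POST['username'] : '';
if(md5($username) === $user)
{
setcookie ("verified", "1");
header ("Location: http://www.yoursite.com/dir/page.htm");
exit; // stop here so nothing else is sent after the redirect
}
else
{
echo ("Incorrect Password");
}
?>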

NickATRvtec
01-21-2003, 10:02 AM
Wouldn't you delete the username part, rather than the password part (or doesn't it matter which one you delete?).

pyro
01-21-2003, 11:45 AM
Originally posted by NickATRvtec
Wouldnt you delete the username part,

Yes, if you want the password. The reason I deleted the password is in your previous post you said:

Originally posted by NickATRvtec
yes I want just a username.

:D

NickATRvtec
01-21-2003, 01:59 PM
Woah, stresses of work!

Didn't even realise I had typed 'username' as opposed to what I meant to type which was 'password' :rolleyes: :p :D

Cheers for the help, you truly are LeiLou aren't you ;)

I'll probably be back in a day or two when it isn't working :p :rolleyes: ;)

NickATRvtec
01-22-2003, 03:30 AM
One more question please :rolleyes: :)

Do I have to rename ALL htm pages in my site to .php?

Cheers :D

NickATRvtec
01-22-2003, 04:28 AM
Just had a test of the login.php page online. Tried typing in the password and submitting and it came up with 'HTTP 405 - Resource not allowed, page cannot be displayed'

:( What's wrong :confused:

pyro
01-22-2003, 07:14 AM
Originally posted by NickATRvtec
Do I have to rename ALL htm pages in my site to .php?

Yes, because you need to add <?php include_once("protect.php"); ?> to all pages (to prevent them from being called directly from the web).

Originally posted by NickATRvtec
Tried typing in the password and submitting and it came up with 'HTTP 405 - Resource not allowed, page cannot be displayed'

Are you sure your server supports PHP? If so, then you probably did something wrong with the password. Did you use encrypter.php to check what you needed to add into the login page for the password? Since it is encrypted, it will only work if you encrypt it first. If you enter test, it should be something like 098f6bcd4621d373cade4e832627b4f6

NickATRvtec
01-22-2003, 08:41 AM
OK thanks,

Yes the server definitely is Unix/PHP.

What do I need to do with the encrypter.php page? I simply copied and pasted what you wrote but didn't change anything :(

pyro
01-22-2003, 08:44 AM
You need to run encrypter.php. :D

That file will give you the encrypted password. Then you can take the output from that file and insert it in your login page here...

$pass = 'outputhere';

NickATRvtec
01-22-2003, 08:49 AM
oh... hehe, I thought I could use my own password :p

How do I 'run' encrypter.php?

pyro
01-22-2003, 08:52 AM
Actually you will be using your own password. Just an encrypted version of it. So when you type your password in on your login page, it will be whatever you typed into encrypter.php.

To run encrypter.php, upload it to your server and run it from there. Something like http://www.yourdomain.com/scripts/encrypter.php or whatever...

NickATRvtec
01-22-2003, 09:06 AM
Ok I ran encrypter.php and it had a little password box and a submit button.

What do I do?

Sorry for being really basic here :o

pyro
01-22-2003, 11:11 AM
In encrypter.php you will see two input areas and a submit button. Insert your desired password into the input area labeled password. Now, hit submit and it will give you the encoded password for your login page.

NickATRvtec
01-22-2003, 07:20 PM
Ahhhh, I tried that and nothing happened :(

pyro
01-22-2003, 07:37 PM
Try this...I know that one works. lol :D

http://www.infinitypages.com/scripts/encrypter.php

NickATRvtec
01-23-2003, 03:38 AM
Yeah your one works fine, brings up a long line of characters :)

With mine, nothing happens :mad:

pyro
01-23-2003, 07:14 AM
That would lead me to think that you either don't have PHP on your server, or didn't name the file to .php. I can send you the file, if you would like to try it...

NickATRvtec
01-23-2003, 07:47 AM
I'm starting to think the same thing too :(

If you send the file to nick@schoolzone.co.uk that would be great :)

pyro
01-23-2003, 07:59 AM
It's on its way, along with a phpinfo() script...

allenrubin
03-10-2003, 03:45 AM
I have done all that you said with the php here, but I can still access the page by typing in the url. The login for the page I'm working on is www.websitedesigns.cc/SoSporty/Login.html and the page where a successful login goes is www.websitedesigns.cc/SoSporty/mainpage.php (presently blank/pink)
What else must I do? I have the protect.php file on the server, the passwordreader.php, and the code at the top of the mainpage.html...did I put that code in the right place? I want anyone trying to get into the mainpage.php and other wholesale price pages to get bumped to the Login.html page. Does the Login page need to be .PHP?
Thanks.
allenrubin@socal.rr.com

pyro
03-10-2003, 07:07 AM
www.websitedesigns.cc/SoSporty/mainpage.php gives me an access denied... So, what else do you need?

allenrubin
03-10-2003, 11:15 AM
It wasn't working for me last night, but it works for me now. Thanks. You are definitely a life saver!!!!!:D

pyro
03-10-2003, 01:45 PM
Glad it is working for you... ;)