password protected area script


colourcube
05-21-2003, 03:31 PM
Hi everyone,

I'm a fresh web designer and I'm trying to put up my portfolio web site, but there is a section on the site that I don't want people to access without a password. I found this free script but it seems to show the password right in the script when you view the source. Is there any way to hide the password? Any help would be appreciated. Thanks!

<SCRIPT LANGUAGE="JavaScript">
function LogIn(){
loggedin=false;
username="";
password="";
username=prompt("Username:","");
username=username.toLowerCase();
password=prompt("Password:","");
password=password.toLowerCase();
if (username=="guest" && password=="login") {
loggedin=true;
window.location="home-page.html";
}
if (username=="guest2" && password=="login2") {
loggedin=true;
window.location="secure.html";
}
if (loggedin==false) {
alert("Invalid login!");
}
}
</SCRIPT>

pyro
05-21-2003, 03:44 PM
Here's some code for you to try out...

Your login form...

<form method="post" action="passwordreader.php">
<table>
<tr><td><b class=rng>Username:</b></td><td> </td><td><input type="text" name="username"></td></tr>
<tr><td><b class=rng>Password:</b></td><td> </td><td><input type="password" name="password"></td></tr>
<tr><td colspan="3" align="center"><input type="submit" value=" Submit "></td></tr>
</table>
</form>

And now make passwordreader.php:

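passwordreader.php
<?PHP

# Change the below lines to the results that makepass.php gave you
#
$user = 'yourencryptedusername';
$pass = 'yourencryptedpassword';
#
# Change the above lines to the results that makepass.php gave you

# Compare the MD5 of each submitted field with the stored values.
# === keeps PHP from ever comparing two hash strings as numbers.
if (isset($_POST['username'], $_POST['password'])
    && md5($_POST['username']) === $user && md5($_POST['password']) === $pass)
{
    setcookie ("verified", true);
    header ("Location: http://www.yoursite.com/dir/page.htm");
    exit; # stop here so nothing else runs after the redirect
}
else
{
    echo ("Incorrect Password");
}
?>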

Now make this file and name it protect.php

protect.php
<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($_COOKIE["verified"])) { die($acc_denied); }

?>

Now, insert this at the very top of all your pages...

<?php include_once("protect.php"); ?>

And, lastly, make a file named makepass.php and use it to make your username and password, which you will insert in passwordreader.php... Once you have made the encrypted usernames/passwords, you can remove it from your server.

makepass.php
<?PHP
# Only print the hashes after the form below has been submitted
if (isset($_POST['showvalues']))
{
    echo 'User: ' . md5($_POST['username']);
    echo '<br>Password: ' . md5($_POST['password']);
}
?>

<form method="post" action="makepass.php">
<table>
<tr><td><b class=rng>Username:</b></td><td>&nbsp;</td><td><input type="text" name="username"></td></tr>
<tr><td><b class=rng>Password:</b></td><td>&nbsp;</td><td><input type="text" name="password"></td></tr>
<tr><td colspan="3" align="center"><input type="submit" value=" Submit " name="showvalues"></td></tr>
</table>
</form>

If you need any help, let me know. Remember to rename pages that are being password protected to .php...

colourcube
05-22-2003, 08:02 AM
Thanks pyro! I'll try it out.

colourcube
05-23-2003, 03:11 PM
I did okay up until the part where you have to insert that line at the very top of all my pages.

Does that go on all the php pages I created or on the protected pages?

Also how do I generate the encrypted username and password using the encrypter.php.

Sorry it's my first time using php

pyro
05-23-2003, 04:23 PM
Originally posted by colourcube
Does that go on all the php pages I created or on the protected pages?

It goes on the pages you wish to protect, which need to be renamed to .php...

Originally posted by colourcube
Also how do I generate the encrypted username and password using the encrypter.php.

You just type the username/password in and hit submit. It will show you the generated username/password on the page. If you can't get it to work, use this: http://www.infinitypages.com/scripts/encrypter.php

colourcube
05-26-2003, 07:41 AM
thanks pyro. youre the best

neenach2002
07-24-2003, 09:43 PM
What if I don't have .php support?...what do I do then?...and I DON'T want the username function

pyro
07-24-2003, 09:58 PM
You pick some other serverside language...

neenach2002
07-24-2003, 11:15 PM
what about getting rid of the username...sorry...i'm not yet familiar with PHP coding yet...

neenach2002
07-25-2003, 01:10 AM
nevermind about the username thing...I can just make it so that it is on the page...or maybe there is a way to put the username into the box automatically?

neenach2002
07-25-2003, 01:13 AM
now...I just need to figure out how to get the redirect script to work...or maybe I can use a cookie? thanx for the great help!:D ;) :cool: :) :p

meathane
08-11-2003, 06:23 AM
hey pyro, all that script seems to work, sort of, but...

i create a username and password using the makepass.php, then with the code it gives me, i put that into passwordreader.php. now when i go to my index page and type in the username and password [not the massive line of code, just like the words i chose] it goes to the page i want it to [encript.php that kinda thing] but says 'access denied'. i know it works cos if i just type any old password it says 'incorrect password' so the passwordreader is recognising that ive typed the right password, but it wont let me view the page, its just like typing in the address '...ltd.uk/encript.php'. somehow the browser needs to sort of unlock the encript.php so i can see the page normally but know that ive typed the correct password. i think it might be something to do with this bit in the passwordreader.php...
'...{
setcookie ("verified", true);
header ("Location:encript.php"); ***<-- this bit***
}
else....'

im not sure tho
also when u say 'it goes at the very top of the pages' do u mean like this...

so this is the encript.php
'<? include_once("protect.php"); ?>


<html>
<head>
<title>User Area</title>
<style>....'


thanks for any help

pyro
08-11-2003, 06:54 AM
It sounds like you did everything right. Do you have cookies enabled? Can you post a link so I can check if it works for me?

meathane
08-11-2003, 07:00 AM
the page is http://leto.ltd.uk/index2.html the form is at the bottom. the password n stuff i made from makepass.php is
username: greg
password: test

it goes to the leto.ltd.uk/encript.php but just says access denied...

cheers

if its any help, here are my phps...

protect.php
<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($verified)) { die($acc_denied); }
if (!$verified) { die($acc_denied); }

?>

passwordreader.php
<?PHP

# Change the below lines to the results that makepass.php gave you
#
$user = 'ea26b0075d29530c636d6791bb5d73f4';
$pass = '098f6bcd4621d373cade4e832627b4f6'; # this is the code by typing 'greg' and 'test' into makepass.php
#
# Change the above lines to the results that makepass.php gave you

if(md5($_POST['username']) == $user && md5($_POST['password']) == $pass)
{
setcookie ("verified", true);
header ("Location:encript.php");
}
else
{
echo ("Incorrect Password");
}
?>


makepass.php
<?PHP
if ($_POST['showvalues'])
{
echo 'User: ' . md5($_POST['username']);
echo '<br>Password: ' . md5($_POST['password']);
}
?>

<form method="post" action="makepass.php">
<table>
<tr><td><b class=rng>Username:</b></td><td>&nbsp;</td><td><input type="text" name="username"></td></tr>
<tr><td><b class=rng>Password:</b></td><td>&nbsp;</td><td><input type="text" name="password"></td></tr>
<tr><td colspan="3" align="center"><input type="submit" value=" Submit " name="showvalues"></td></tr>
</table>
</form>



encript.php [this is just normal html but with that line at the top..
<? include_once("protect.php"); ?>
<html>
<head>
<title>User Area</title>
<style>
td{
font-family:arial;
font-size:9pt;......

metrosoccer12
08-11-2003, 07:15 AM
well i have another problem with this... it seems when i enter the correct password it brings me to the access denied page i havent changed anything in that code but do you think changing the other code affects this one?

protect.php

<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($verified)) { die($acc_denied); }
if (!$verified) { die($acc_denied); }

?>

pyro
08-11-2003, 07:18 AM
You may need to set a time on the cookie. Try changing the setcookie line to look like this:

setcookie ("verified", "true", time()+ 3600, "/"); #expires in 1 hour

meathane
08-11-2003, 07:26 AM
mmm.. didnt work

metrosoccer12
08-11-2003, 07:28 AM
i still get access denied when i type the correct user/pass here are my codes:

passwordreader.php

<?PHP
$x = 0;
$user = array("user1","user2","user3"); //array of usernames
$pass = array("pass1","pass2","pass3"); //array of passwords
for ($i=0; $i < count($user); $i++) {
if ($x == 0) {
if (md5($_POST['username']) == $user[$i]) {
if (md5($_POST['password']) == $pass[$i]) {
setcookie ("verified", "true", time()+ 3600, "/"); #expires in 1 hour
header ("Location:http://www.krylonblue.net/easiertorun/staff/postnews.php");
}
else {
echo "<BODY bgColor=#24637C><font color=#dddee6><center>Incorrect Password</center></font>";
}
$x = 1;
}
}
}
if ($x == 0) {
echo "<BODY bgColor=#24637C><font color=#dddee6><center>Incorrect Password</center></font>";
}
?>


i didnt post the pass/users in there but i am using them.....

protect.php

<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($verified)) { die($acc_denied); }
if (!$verified) { die($acc_denied); }

?>

pyro
08-11-2003, 07:31 AM
Try removing this line:

if (!$verified) { die($acc_denied); }

metrosoccer12
08-11-2003, 07:33 AM
didnt work... still the Access Denied page

meathane
08-11-2003, 07:45 AM
didnt work for me either

when u type the right password it takes u to the page, but its just the same page as if u typed it straight into the browser! aagh!!

meathane
08-11-2003, 07:49 AM
when i say page, i do of course mean 'access denied'

metrosoccer12
08-11-2003, 07:51 AM
yes same problem I'm getting... it worked fine when i only had one user...

meathane
08-11-2003, 07:55 AM
ive never even had it work for just one user! how come? my scripts are on the previous page, whats wrong with them? bearing in mind i will need more than one account anyway, so im guessing im gonna get the same problems as u mate

metrosoccer12
08-11-2003, 07:58 AM
well i just used the code on the first page seemed to work but then i tried adding more users now i get the access denied page when i get a correct login...

meathane
08-11-2003, 08:01 AM
what code do u have in the pages u wish to protect? at the top did u just put that one line pyro said?

metrosoccer12
08-11-2003, 08:02 AM
yes thats what i did make sure its a php page... but if u get the access denied page then it should be working right for u... probably an error somewhere else in the code like mine...

HELP!

meathane
08-11-2003, 08:05 AM
i think the passwordreader.php is fine, cos when i type the right password it takes me to the page i want everyone to be taken to, but the page says 'access denied'. like u typed it into the browser, it seems to not care that u got there by typing the correct password. i dont understand it at all

metrosoccer12
08-11-2003, 08:07 AM
yes im guessing the error is in protect.php...

meathane
08-11-2003, 08:13 AM
here is my protect.php

<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($verified)) { die($acc_denied); }

?>

whats wrong with that?

pyro
08-11-2003, 08:18 AM
I wrote that script a while ago, and just noticed that it uses global variables (I never use them anymore). I'd be willing to bet that this will work a lot better for both of you:

<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($_COOKIE["verified"])) { die($acc_denied); }

?>

I'd also use the original setcookie code:

setcookie ("verified", true);

as it will set a cookie that expires when the browser is closed.

metrosoccer12
08-11-2003, 08:23 AM
that was the protect.php code i was using... no luck still doesnt work...

pyro
08-11-2003, 08:28 AM
You changed this line:

if (!isset($verified)) { die($acc_denied); }

to this:

if (!isset($_COOKIE["verified"])) { die($acc_denied); }

?

metrosoccer12
08-11-2003, 08:33 AM
oh no but i used ur code anyway still nothing.... it seems like its not reading the pass.... i mean its right but its like it doesnt think i entered it...

meathane
08-11-2003, 08:51 AM
aha! mine now works!..... but now i have the same problem as soccer, i want more than one user/password combinations.

looks like we're in the same boat now mate!

metrosoccer12
08-11-2003, 08:58 AM
well if this helps heres the code that gives multiple users

test it on urs but make a backup of ur current passwordreader.php


passwordreader.php

<?PHP
$x = 0;
$user = array("user1","user2","user3"); //array of usernames
$pass = array("pass1","pass2","pass3"); //array of passwords
for ($i=0; $i < count($user); $i++) {
if ($x == 0) {
if (md5($_POST['username']) == $user[$i]) {
if (md5($_POST['password']) == $pass[$i]) {
setcookie ("verified", true);
header ("Location:http://www.krylonblue.net/easiertorun/staff/postnews.php");
}
else {
echo "<BODY bgColor=#24637C><font color=#dddee6><center>Incorrect Password</center></font>";
}
$x = 1;
}
}
}
if ($x == 0) {
echo "<BODY bgColor=#24637C><font color=#dddee6><center>Incorrect Password</center></font>";
}
?>

meathane
08-11-2003, 08:59 AM
ah, actually im not sure if it does work. i can just type the /encript.php [the page i want them to go to once correct password is entered]. is this cos the password hasnt expired?
pyro when u said this..
'I'd also use the original setcookie code:

setcookie ("verified", true);

as it will set a cookie that expires when the browser is closed.'

how do i do that? is that in the protect.php code? what will it change to then?

metrosoccer12
08-11-2003, 09:00 AM
Location:<a href="http://www.krylonblue.net/easiertorun/staff/postnews.php" target="_blank">http://www.krylonblue.net/easiertor...ff/postnews.php</a>");


that should really be:

Location:http://www.krylonblue.net/easiertorun/staff/postnews.php");

meathane
08-11-2003, 09:18 AM
not sure mine works now.. soccer can u do me a favour? try and go to http://leto.ltd.uk/encript.php and see if it works? i can just type it into my browser now, but that maybe cos ive already typed the correct password earlier. i want the password to be invalid when u close the browser, i mean, if u close the browser u should have to type the password again

ta

metrosoccer12
08-11-2003, 09:25 AM
i get access denied... if its working then can u please share all ur codes ur using?

meathane
08-11-2003, 09:29 AM
yeah no problem, u see i get access to the page, but thats cos i typed the password in like half an hour ago. i want it to do that thing that pyro mentioned where after u close the browser u should have to type it in again... dunno how tho

here are my codes, btw they only work for 1 user like u had before..

passwordreader.php
<?PHP

# Change the below lines to the results that makepass.php gave you
#
$user = 'c884aa670ee95c9b25126becbafa2074';
$pass = '8ad8757baa8564dc136c1e07507f4a98'; #results from the makepass.php file

# Change the above lines to the results that makepass.php gave you

if(md5($_POST['username']) == $user && md5($_POST['password']) == $pass)
{
setcookie ("verified", true);
header ("Location:encript.php");
}
else
{
echo ("Incorrect Password");
}
?>



protect.php
<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($_COOKIE["verified"])) { die($acc_denied); }

?>


makepass.php
<?PHP
if ($_POST['showvalues'])
{
echo 'User: ' . md5($_POST['username']);
echo '<br>Password: ' . md5($_POST['password']);
}
?>

<form method="post" action="makepass.php">
<table>
<tr><td><b class=rng>Username:</b></td><td>&nbsp;</td><td><input type="text" name="username"></td></tr>
<tr><td><b class=rng>Password:</b></td><td>&nbsp;</td><td><input type="text" name="password"></td></tr>
<tr><td colspan="3" align="center"><input type="submit" value=" Submit " name="showvalues"></td></tr>
</table>
</form>

metrosoccer12
08-11-2003, 09:33 AM
nice i think i got it working with... multiple users... and u cant access it once u close ur browser.... i'm just testing it still i will post my codes in a minute

metrosoccer12
08-11-2003, 09:35 AM
ah i found out whats going on! I can access it though the regular browser but i cant get it to work in a frame...

meathane
08-11-2003, 09:35 AM
quality

meathane
08-11-2003, 09:37 AM
i dont use frames, can u tell me what ur codes are then? so i take it uve got it to work with multiple users and no frames... cos thats what i need

metrosoccer12
08-11-2003, 09:38 AM
i should say everything works fine multiple users etc....

I will share my codes i cant get them to work in a frame though pyro any help?


codes:

passwordreader.php

<?PHP
$x = 0;
$user = array("user1","user2","user3"); //array of usernames
$pass = array("pass1","pass2","pass3"); //array of passwords
for ($i=0; $i < count($user); $i++) {
if ($x == 0) {
if (md5($_POST['username']) == $user[$i]) {
if (md5($_POST['password']) == $pass[$i]) {
setcookie ("verified", true);
header ("Location:http://www.krylonblue.net/easiertorun/staff/postnews.php");
}
else {
echo "<BODY bgColor=#24637C><font color=#dddee6><center>Incorrect Password</center></font>";
}
$x = 1;
}
}
}
if ($x == 0) {
echo "<BODY bgColor=#24637C><font color=#dddee6><center>Incorrect Password</center></font>";
}
?>



protect.php

<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($_COOKIE["verified"])) { die($acc_denied); }

?>

meathane
08-11-2003, 09:39 AM
also, do u think its possible to create a page thats says 'invalid password' and 'access denied' rather than just have some scrot txt on the screen? like maybe in the code tell it to go to http:/.../incorrectpassword.html or whatever

metrosoccer12
08-11-2003, 09:40 AM
well the only way i know how to do it is put a redirect code where it says invalid password instead of the text u can redirect it to that page u want...

metrosoccer12
08-11-2003, 09:42 AM
hey meathane do u have like AIM, MSN or something maybe we could help each other...

meathane
08-11-2003, 09:42 AM
i dont understand this in ur passwordreader.php

header ("Location:<a href="http://www.krylonblue.net/easiertorun/staff/postnews.php" target="_blank">http://www.krylonblue.net/easiertor...ff/postnews.php</a>");


why is the 2nd one got those dots in it? and why did u write that address 2wice anyway?

metrosoccer12
08-11-2003, 09:44 AM
it doesnt show in these forums it should be like this:

Location:http://www.yoursite.com/whatever.php");

meathane
08-11-2003, 09:44 AM
yeah ok just getting msn messenger, username meathane. add me in like 3 mins...

metrosoccer12
08-11-2003, 09:45 AM
eh it will have to be either @hotmail.com or @msn.com i think AIM is a lot easier to use...

metrosoccer12
08-11-2003, 12:16 PM
im guessing its not working in a frame cause of the location part anyone....

meathane
08-11-2003, 04:02 PM
yeah i had the same problems when i tried it with frames, dont think its possible. i gave up and redesigned my page without frames

pyro
08-11-2003, 04:07 PM
Yet another reason why frames suck...

metrosoccer12
08-11-2003, 05:16 PM
what do u recommend i use in place of frames?

pyro
08-11-2003, 10:09 PM
In most instances, I would think a PHP include would be sufficient.

meathane
08-12-2003, 06:40 AM
pyro is it also possible with the php's that soccer and i are using to have not only more than one login username and password, but where one login goes to one page, and another login goes to another, so that the different people who log in dont see the same thing?

meathane
08-12-2003, 08:02 AM
ok pyro ive tried but what is wrong with this passwordreader...

<?PHP
$x = 0;
$user = 'ea26b0075d29530c636d6791bb5d73f4';
$pass = '098f6bcd4621d373cade4e832627b4f6';
for ($i=0; $i < count($user); $i++) {
if ($x == 0) {
if (md5($_POST['username']) == $user[$i]) {
if (md5($_POST['password']) == $pass[$i]) {
setcookie ("verified", true);
header ("Location:http://leto.ltd.uk/encript.php"); ##i want the above user name n password to got to this 'encript.php' page
}
else {
header ("Location:http://leto.ltd.uk/invalid.html");
}
$x = 1;
}
}
}
if ($x == 0) {
header ("Location:http://leto.ltd.uk/invalid.html");
}

$x = 0;
$user = array("30afb226fcc8231412e12baf4c097991");
$pass = array("ad0234829205b9033196ba818f7a872b");
for ($i=0; $i < count($user); $i++) {
if ($x == 0) {
if (md5($_POST['username']) == $user[$i]) {
if (md5($_POST['password']) == $pass[$i]) {
setcookie ("verified", true);
header ("Location:http://leto.ltd.uk/encript2.php"); ## now for the above user/pass, to go to this page, encript2.php
}
else {
header ("Location:http://leto.ltd.uk/invalid.html");
}
$x = 1;
}
}
}
if ($x == 0) {
header ("Location:http://leto.ltd.uk/invalid.html");
}
?>



the trouble with it is, that now when u type the first username and corresponding password it says its invalid, but the 2nd works and goes to the encript2.php.
how can i make one user/pass go to one page [encript.php] and another set of username/pass go to a different page [encript2.php say]

????
anyone help??

metrosoccer12
08-12-2003, 09:12 AM
i just want to figure out how to get mine to work in frames! :confused: :mad:

pyro
08-12-2003, 09:30 AM
meathane -

You could do something like this, but it will get very unmanageable with many users. If you are going to have quite a few users, I would use a mySQL database.

-- untested code --
<?PHP
$x = 0; # becomes 1 once a matching username has been found
$user = array("user1inmd5encryptedformat","user2inmd5encryptedformat","user3inmd5encryptedformat"); //array of usernames
$pass = array("password1inmd5encryptedformat","password2inmd5encryptedformat","password3inmd5encryptedformat"); //array of passwords
for ($i=0; $i < count($user); $i++) {
    if ($x == 0) {
        # === keeps PHP from ever comparing two hash strings as numbers
        if (md5($_POST['username']) === $user[$i]) {
            if (md5($_POST['password']) === $pass[$i]) {
                setcookie ("verified", true);
                if ($i == 0) { #first user in the array
                    header ("Location: http://www.yoursite.com/dir/page0.htm");
                }
                else if ($i == 1) { #second user in the array
                    header ("Location: http://www.yoursite.com/dir/page1.htm");
                }
                else { #all other users in the array
                    header ("Location: http://www.yoursite.com/dir/page2.htm");
                }
                exit; # nothing more to do after the redirect
            }
            else {
                echo "Incorrect password";
            }
            $x = 1;
        }
    }
}
if ($x == 0) {
    echo "Incorrect username";
}
?>

metrosoccer12 -

You'd probably have to use javascript, which doesn't work for 13% of users...

metrosoccer12
08-12-2003, 09:50 AM
thats fine cause its only for my staff and i know they all have javascript enabled... do u know how to do it?

pyro
08-12-2003, 10:03 AM
Try swapping out the header(...) line with something like this:

echo '<script type="text/javascript">
top.framename.location.href = "yourpage.php"; // framename is the name of the frame to change
</script>';

meathane
08-13-2003, 04:24 AM
PYRO U ARE THE DON!!!!!

it works fine!! thanks so much, ur a genius nice one

meathane
08-13-2003, 04:29 AM
one sec tho, we just tried it on a server and im not sure of one thing....

can someone please go here http://leto.ltd.uk/encript.php and tell me if it says access denied or whether u get to see the 'passwords page'
ta

pyro
08-13-2003, 06:54 AM
I get the Access Denied page...

meathane
08-13-2003, 10:58 AM
good good

pyro
08-13-2003, 10:59 AM
So, all's well, then? Cool...

Sux0rZh@jc0rz
11-23-2003, 01:22 PM
heya pyro.. i did a search for a login script cause i didnt wanna start a whole new thread... i got everything working except, when i enter the wrong password to login, it says invalid password. if i put in the RIGHT password, it gives me this:

Warning: Cannot add header information - headers already sent by (output started at c:\web\xaxei\www\passwordreader.php:3) in c:\web\xaxei\www\passwordreader.php on line 14

Warning: Cannot add header information - headers already sent by (output started at c:\web\xaxei\www\passwordreader.php:3) in c:\web\xaxei\www\passwordreader.php on line 15

here is my PasswordReader page code(username and pass taken out):
<html>
<body>
<?PHP

# Change the below lines to the results that makepass.php gave you
#
$user = 'b2bc09806';
$pass = '5f56c68f83a';
#
# Change the above lines to the results that makepass.php gave you

if(md5($_POST['username']) == $user && md5($_POST['password']) == $pass)
{
setcookie ("verified", "true", time()+ 3600, "/"); #expires in 1 hour
header ("Location:http://www.aspfreeserver.com/xaxei/helloworld.php");
}
else
{
echo ("Incorrect Password");
}
?>
</body>
</html>
So why can't it redirect the page...?

pyro
11-23-2003, 01:27 PM
Because headers (including redirects and cookies) cannot be set after output has been started. In your case, it is this:

<html>
<body>

Sux0rZh@jc0rz
11-23-2003, 01:28 PM
yeah sorry i realized that right after posting. but now i get an access denied page even with the right password..

pyro
11-23-2003, 01:30 PM
Access denied? As in a server error, or as in the cookie is not getting set correctly?

Sux0rZh@jc0rz
11-23-2003, 01:32 PM
as in cookie style. it says,

ACCESS DENIED
[Back]

not a server error page.

pyro
11-23-2003, 01:35 PM
Your username and passwords are not in MD5 hashes... How did you get those?

Sux0rZh@jc0rz
11-23-2003, 01:38 PM
those are just random ones i put in cause i didnt wanna put my real username and password in there for all to see=P i got my md5 hashes from the "Makepass.php" stuff you told me to do.

Sux0rZh@jc0rz
11-23-2003, 01:40 PM
here is my makepass.htm page:
<html>
<head>
<title>
xaxei
</title>
</head>
<body>
<form method="post" action="makepass.php">
<table>
<tr><td><b class=rng>Username:</b></td><td>&nbsp;</td><td><input type="text" name="username"></td></tr>
<tr><td><b class=rng>Password:</b></td><td>&nbsp;</td><td><input type="text" name="password"></td></tr>
<tr><td colspan="3" align="center"><input type="submit" value=" Submit " name="showvalues"></td></tr>
</table>
</form>
</body>
</html>
and the php file to go with it:
<?PHP
if ($_POST['showvalues'])
{
echo 'User: ' . md5($_POST['username']);
echo '<br>Password: ' . md5($_POST['password']);
}
?>

pyro
11-23-2003, 01:43 PM
What does helloworld.php look like?

Sux0rZh@jc0rz
11-23-2003, 01:45 PM
helloworld.php
<? include_once("protect.php"); ?>
<html>
<body>
<?php echo "Hello World"; ?>
</body>
</html>
protect.php
<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($_COOKIE["verified"])) { die($acc_denied); }

?>

pyro
11-23-2003, 01:47 PM
Your browser does accept cookies, right? Give me a link where I can try it out...

Sux0rZh@jc0rz
11-23-2003, 01:53 PM
http://www.aspfreeserver.com/xaxei/default.php

yeah, the mainpage is my latenight attempts at making a new layout, and the layout i was trying to make is something like bluerobots 3 flanking menu's, so i used it to start with. i only spent a little time, so just ignore it=P anyways, the login is at the bottom.

username: xaxei
password: testpass

pyro
11-23-2003, 02:02 PM
Quite obviously, the cookie is not being set. Try making sure it sets correctly. On the page that sets the cookie, get rid of the header redirect, and add something like this, to see what cookies are set:

print_r($_COOKIE);

Sux0rZh@jc0rz
11-23-2003, 02:06 PM
when i replaced the header with what u said, it gave this:

Array ( [phpbb2mysql_data] => a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";s:1:\"3\";} )

which i have no clue how to read=P just beginning php yano.

Sux0rZh@jc0rz
11-23-2003, 02:07 PM
actually yeah im stupid... that is a cookie for phpbb forums i went to recently... took me a minute to figure out what it is saying to me.. *smacks self* but i KNOW i have had more cookies than that...

pyro
11-23-2003, 02:11 PM
It's an array of the cookies that are set, and the one we are looking for is not included in it. For some reason, it is not setting the cookie. This worked fine for me (you may need to hit refresh):

<?PHP

setcookie ("verified", "true", time()+ 3600, "/"); #expires in 1 hour
echo "<pre>";
print_r($_COOKIE);
echo "</pre>";

?>

pyro
11-23-2003, 02:12 PM
Just tried your page, the cookie gets set fine for me (had to hit refresh for it to show up, though).

Sux0rZh@jc0rz
11-23-2003, 02:16 PM
yeah for some reason it works now.. didnt hit refresh.. didnt do anything new... weird. oh well. at least it works=P gonna go change the cookie so that it expires when browser is closed instead of lasting an hour. thanks for your help!

pyro
11-23-2003, 02:19 PM
If you're up for it, if you want it to expire when the browser is closed, you might want to use sessions (http://us2.php.net/session). :)

Sux0rZh@jc0rz
11-23-2003, 02:34 PM
I try reading and learning from that page.. but the way most of it is described is erratic and hard for me to understand as to how i am supposed to implement it...

Sux0rZh@jc0rz
11-23-2003, 02:51 PM
ok, it's back to not working again. I see no reason for it not to work.. it's not setting the cookie!! evil... (i check my list of cookies and i have some from forum boards but none from my site...)

Sux0rZh@jc0rz
11-23-2003, 02:55 PM
passwordreader.php:
<?PHP

# Change the below lines to the results that makepass.php gave you
#
$user = 'b29708f00d2396a4c0d0de6cdbc09806';
$pass = '179ad45c6ce2cb97cf1029e212046e81';
#
# Change the above lines to the results that makepass.php gave you

if(md5($_POST['username']) == $user && md5($_POST['password']) == $pass)
{
setcookie ("verified", "true", time()+ 3600, "/"); #expires in 1 hour
header ("Location:http://www.aspfreeserver.com/xaxei/helloworld.php");
}
else
{
echo ("Incorrect Password");
}
?>

Sux0rZh@jc0rz
11-23-2003, 02:59 PM
note: changed my base page to www.aspfreeserver.com/xaxei/index.php

pyro
11-23-2003, 03:06 PM
Seemed to work for me on Mozilla Firebird. I got a Hello World page.

Sux0rZh@jc0rz
11-23-2003, 03:14 PM
its not working on IE...
evil evil evil why won't it work..

i see no reason for it not to work....

pyro
11-23-2003, 03:18 PM
It's all going to be the cookies... Yet another reason to use sessions, but they will take a bit more work, if you need them to work without cookies.

Sux0rZh@jc0rz
11-23-2003, 03:23 PM
could you help me make a session? i have no clue where to start... i just have a faint idea what a session might be..

please dont tell me to go read that session page again... it confuzzled me like no other! could u provide the code i should use + an explanation of what it is and how it works so that i may learn more about sessions?

Sux0rZh@jc0rz
11-23-2003, 03:31 PM
ok, i've now checked and it seems to be 100% fact that the cookie won't set itself... I have cookies enabled but it just won't work. i'm on a winxp and i don't know why it won't work but it just won't... i'll just use sessions i guess... once i find out how and what a session is.

pyro
11-23-2003, 03:32 PM
Sessions are really quite simple. First, before you use a session, you must start it:

session_start();

Now that we have the session started, we'll just set up our session variable:

$_SESSION['verified'] = true;

There, the session is set. Now, to read it on our resulting pages, we just use this:

session_start();
echo $_SESSION['verified'];

Sux0rZh@jc0rz
11-23-2003, 04:04 PM
ok.... mr little php newb here cant get this to work..

password reader:
<?PHP

# Change the below lines to the results that makepass.php gave you
#
$user = 'b29708f00d2396a4c0d0de6cdbc09806';
$pass = '179ad45c6ce2cb97cf1029e212046e81';
#
# Change the above lines to the results that makepass.php gave you

if(md5($_POST['username']) == $user && md5($_POST['password']) == $pass) {
session_start();
$_SESSION['verified'] = true;
header ("Location:http://www.aspfreeserver.com/xaxei/helloworld.php");
}
else
{
echo ("Incorrect Password");
}
?>

protect.php
<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
session_start();
if ($_SESSION["verified"] == "true"); { die($acc_denied); }

?>

pyro
11-23-2003, 04:09 PM
Try:

session_start();
if (!isset($_SESSION["verified"])) { die($acc_denied); }
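
The session-based gate worked out in the posts above, consolidated as an added example (not code posted in the thread): the `verified` flag lives in server-side session data rather than in a browser-supplied cookie, and `password_verify()` replaces the `md5(...) ==` comparison. The file names `auth.php` and `members.php`, the `guest` account and its sample password are assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// auth.php - added example, not code from the thread. Needs PHP 7.1+.
// Assumed names: auth.php, members.php, the account below (constructed).

const AUTH_USER = 'guest';
// Hashed at load time only to keep this example self-contained; in practice
// run password_hash() once offline and store just the resulting string.
define('AUTH_HASH', password_hash('constructed-sample-password', PASSWORD_DEFAULT));

function check_login(string $user, string $pass): bool
{
    // Both calls compare in constant time and never type-juggle,
    // unlike md5($input) == $stored.
    $userOk = hash_equals(AUTH_USER, $user);
    $passOk = password_verify($pass, AUTH_HASH);
    return $userOk && $passOk;
}

// The protect.php role: call this first on every protected page.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Strict check: only the boolean true stored by the login code passes.
    if (($_SESSION['verified'] ?? false) !== true) {
        http_response_code(403);
        exit('<h3>Access Denied</h3>');
    }
}

// The passwordreader.php role: the login form posts here.
// The basename check skips this branch when a protected page includes the file.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && basename($_SERVER['SCRIPT_FILENAME'] ?? '') === basename(__FILE__)) {
    session_start();
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (check_login($user, $pass)) {
        session_regenerate_id(true);   // fresh session ID once authenticated
        $_SESSION['verified'] = true;  // stored server-side, not in a cookie
        header('Location: members.php');
        exit;
    }
    http_response_code(401);
    exit('Incorrect Password');
}
```

A protected page starts with `require 'auth.php'; require_login();` before it sends any output.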

Sux0rZh@jc0rz
11-23-2003, 04:15 PM
darnit i knew i shoulda kept the !isset... *smacks head reallllly hard*

Sux0rZh@jc0rz
11-23-2003, 04:16 PM
i guess i always think on a javascript level ( = true, if else, = true, etc.)

Sux0rZh@jc0rz
11-23-2003, 04:18 PM
ok... does it work for you cause it still won't work for me.. (why in the world won't cookies or sessions work on this computer for my website? they work for every other cookie slinging website!!!)

Sux0rZh@jc0rz
11-23-2003, 04:19 PM
wewt. ok. works now. finally. TY PYRO! (let's hope it doesn't kamikaze again!)

pyro
11-23-2003, 04:24 PM
You bet... :)

Sux0rZh@jc0rz
11-23-2003, 06:24 PM
hehe=P well now i have wet my feet with php a little bit(this is my first script... even though it isnt really mine.. i know how it works now though...) so i'm happy. I'll be sure to be back here whining again real soon=P (hint: I'll be crying about how to connect to a mysql database..)

DanUK
11-24-2003, 05:19 AM
How effective is this type of password protected area against, say, .htaccess?
I'd be interested to see...as this might hold a benefit for our staff-section.

Thanks for any advice.

pyro
11-24-2003, 08:19 AM
It's going to depend on how secure you make it. Using a PHP based solution is also going to partly depend on how secure other scripts you have on your site are, as they could potentially be used to help hackers.

DanUK
12-01-2003, 09:55 AM
Hey just been using through this thread.
pyro, can you paste the code that's working - of all the pages we need?
I'm a bit confused as to what we should be using / not? :)
Also how could we have a Logout type button with this? that'd be great!
Thanks again.

pyro
12-01-2003, 10:46 AM
Try going to the beginning of the thread. My first post (the second post in the thread) should be what you need.

DanUK
12-01-2003, 11:47 AM
oh ok - just wondered because later on in this thread you said something about globals that you did a while ago..
Is it poss for a logout type function on this?
thanks.

pyro
12-01-2003, 11:54 AM
Ah yes, you are right. I've edited that original post, and it no longer requires global variables. It also closes up a huge security hole... ;)

As far as creating a logout button, yes. It would be quite simple. You'd just need to set the cookie verified to a time in the past. Once that cookie no longer exists, they will be logged out.
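
The logout described above, as an added example that is not part of the original posts: it expires the `verified` cookie with a past timestamp and also tears down the session variant. `logout.php` and `login-form.php` are assumed names, and the `/` path assumes the cookie was set with that path, as in the earlier `setcookie` call that passes `"/"`.

```php
<?php
// logout.php - added example, not code from the thread. Needs PHP 7.1+.
// Assumed names: logout.php, login-form.php.

function expire_cookie(string $name, string $path = '/'): void
{
    // A browser only overwrites a cookie when name, path and domain match
    // the original setcookie() call, so pass the same path used at login.
    setcookie($name, '', time() - 3600, $path);
    unset($_COOKIE[$name]);   // also drop it for the rest of this request
}

function logout(): void
{
    // Cookie variant from the thread: date "verified" in the past.
    expire_cookie('verified', '/');

    // Session variant: clear the server-side data, then the session cookie.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

logout();
header('Location: login-form.php');
exit;
```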

DanUK
12-01-2003, 12:38 PM
Ah yes, thanks pyro.
See the changes (i think i've got the ones you refer to):

passwordreader.php:


<?PHP

# Change the below lines to the results that makepass.php gave you
#
$user = 'user'';
$pass = 'pass';
#
# Change the above lines to the results that makepass.php gave you

if(md5($_POST['username']) == $user && md5($_POST['password']) == $pass)
{
setcookie ("verified", true);
header ("Location:[ url ]http://192.168.0.33/staff/index.php[ /url ]");
}
else
{
echo ("Incorrect Password");
}
?>


protect.php:


<?PHP

# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($_COOKIE["verified"])) { die($acc_denied); }

?>


and at the top of each sensitive page:


<?php
include_once("protect.php");
include("header.php");
?>


The [ url ] [ /url ] are "together" i've just added those spaces before/after the ] so it doesn't come up as <a href on the forums, weird!
Is this more effective than .htaccess for example?
thanks :)

pyro
12-01-2003, 01:01 PM
On passwordreader.php, you've got an extra quote in the $user line.

As far as this compared to .htaccess, I prefer using a pure PHP solution, as you can then have a logout button, if desired.

Popey
01-02-2004, 11:30 AM
hi, im using this in my protect.php

<?PHP
# Protect page from being called directly from web browser
$back = "<form><input type='button' value='< Back' onclick='history.back()'></form>";
$acc_denied = "<h3>Access Denied</h3>".$back; # you could add a link to where users can login here...
if (!isset($_COOKIE["verified"])) { die($acc_denied); }
?>

and have

include_once("protect.php");

at the top of my protected pages but you can still by-pass the log-in and type the address. Any ideas on how i might fix this?

cheers
adam

pyro
01-02-2004, 11:58 AM
The cookie is probably already set on your computer. Try logging out, and then typing the address in...

talas
02-11-2007, 05:01 PM
try
setcookie ("verified", "true");
cause if you are using FireFox, it will not read without the ""s
and in protect.php
if (!isset($_COOKIE["verified"])) { die($acc_denied); }