www.webdeveloper.com

Thread: PHP files can't be password protected?!?

  1. #1
    Join Date
    Aug 2009
    Posts
    17

    PHP files can't be password protected?!?

    Hi all, this is my first post on this forum so I hope I'm putting this question in the right place. Be gentle with me.

    I admit that while I'm an experienced designer, I'm not a very advanced developer. Usually I know everything I'd NEED to know to get sites built, tested, uploaded and maintained. But I've just run into a situation I've never encountered before and it makes no sense to me, so I'm wondering if this is just a specific problem with the host server setup or whether I'll encounter the same problem even if I switch hosting companies. Please help...

    I have an existing site for a charity, and the site resides on a subdirectory of a larger charity. Recently I've spent a lot of time revamping the site and building in a custom content management system to make maintenance (on my part) a lot easier. The site and the CMS are built using PHP/MySQL extensively. I'm ready to take the site live, so the first step is to upload the 'admin' folder with all the CMS files in it onto the server, password protect it, and test it. Here's where the problem lies.

    I am able to use .htaccess to password-protect the admin folder, no problem. If you type the URL to the directory itself, a password prompt comes up. But none of the files INSIDE the directory are protected. If you type the full path to any of the files inside the protected directory, it allows you to go right in....no protection, no prompt. This defeats the whole purpose of protecting the directory!

    I thought this must be a glitch, so I contacted tech support for the hosting company (GoDaddy, btw) and after two days of support tickets, making their way up the line to their senior techs, this is the response I got:

    The password protect feature unfortunately does not work when accessing a php file directly. This is how the server operating system is set up and unfortunately we are unable to update so it works as to your liking. If you put a .html page within it and try to access, you will see it ask for a password. We are unable to make it do the same for a .php file.

    So basically they're telling me that my entire CMS can't be secured on their servers. I've never heard of this before in my life... Is it common knowledge that PHP files inside a password-protected directory can't be protected? Is this a weakness in their server setup, or would I likely get this same response elsewhere? What would be the POINT of protecting a directory if the files inside it aren't secure?? There are CMS's all over the web...how do they function if only HTML files can be protected?

    Right now I'm at a loss what to do with this. I can build an HTML page for the control panel itself that will prompt the user when they access it...but it makes me cringe to think of all the PHP pages that people would be able to freely access inside that folder. The tech support guy suggested that the files can be 'masked' so they can't be seen, but I have never had to do that before and Googling it hasn't offered me any clues.

    Any answers, suggestions, or advice?

  2. #2
    Join Date
    Jun 2003
    Location
    here
    Posts
    4,551
    .htaccess
    Code:
    php_value auto_prepend_file "/full/path/to/password.php"
    password.php
    PHP Code:
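    <?php
    // Read the Basic-auth password, if the browser sent one.
    $givenPassword = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

    if( $givenPassword !== 'foobar' ){
      // Send the 401 challenge only when the password is missing or wrong.
      header('WWW-Authenticate: Basic realm="Password"');
      header('HTTP/1.0 401 Unauthorized');
      die('Password incorrect.');
    }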

  3. #3
    Join Date
    Aug 2009
    Posts
    17
    Scragar, thanks for the help. Not to seem dense, but I have a couple questions/clarifications.

    To be clear, you're saying that I should amend the .htaccess file to read as shown above, and then put the password.php into my directory, and it will protect all the PHP files in that directory?

    Once the protection is in place, this will function just like usual .htaccess directory protection...so that calling up each new PHP file won't require a separate log-in? (eg, user logs into the control panel and clicks to call up "add_date.php"...it won't throw up the prompt again)

    Sorry for the elementary questions but this is new territory for me.

  4. #4
    Join Date
    Jun 2003
    Location
    here
    Posts
    4,551
    The code I posted, provided your host allows editing PHP configs on the fly anyway (most don't), will provide the same .htaccess-style login prompt when attempting to load PHP pages.
    It would take a small edit to make this stored in a cookie, or something similar, for example:
    PHP Code:
    <?php

    define('PasswordSalt', 'MyCookieSalt'); // Change these before going live. Very important.
    define('ThePassword', 'foobar');

    // a simple hash to protect our password.
    $encryptedPassword = sha1(PasswordSalt . ThePassword . getIP() . PasswordSalt);

    // isset() guards avoid undefined-index notices when nothing was sent
    $cookieValue = isset($_COOKIE['httpAuthLogin']) ? $_COOKIE['httpAuthLogin'] : '';
    $givenPassword = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

    if( $cookieValue !== $encryptedPassword ){// no existing login

      if( $givenPassword !== ThePassword ){// bad password
        header('WWW-Authenticate: Basic realm="Password"');// ask for password
        header('HTTP/1.0 401 Unauthorized'); // reject access unless password provided
        die('Password incorrect.');
      }

      setcookie('httpAuthLogin', $encryptedPassword);// record success
    }

    // Note: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR come from request headers
    // and can be set by the client; only REMOTE_ADDR is set by the server.
    function getIP(){
      if(!empty($_SERVER['HTTP_CLIENT_IP']))
        return $_SERVER['HTTP_CLIENT_IP'];
      else
      if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
      else
         return $_SERVER['REMOTE_ADDR'];
    }
    Last edited by scragar; 08-27-2009 at 11:47 AM.
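
An added example, not part of scragar's post or the original thread: one way to harden the remembered-login idea from post #4 for use as the `auto_prepend_file` script, keeping only a password hash on the server and issuing an expiring HMAC-signed cookie instead of a hash tied to client-supplied IP headers. The function names, the `ADMIN_PW_HASH` and `ADMIN_COOKIE_KEY` environment variables, the one-hour lifetime and an HTTPS-only site are assumptions.

```php
<?php
// Added example (not from the thread); names, env vars, lifetime and HTTPS are assumed.

// Token format: "<expiry>.<HMAC of expiry>", signed with a server-side key.
function make_token(string $key, int $expires): string {
    return $expires . '.' . hash_hmac('sha256', (string)$expires, $key);
}

// Accept only a well-formed, correctly signed, unexpired token.
function token_is_valid($token, string $key, int $now): bool {
    if (!is_string($token)) return false;          // e.g. cookie sent as an array
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) return false;
    $expected = hash_hmac('sha256', $parts[0], $key);
    return hash_equals($expected, $parts[1]) && (int)$parts[0] > $now;
}

// Returns [allowed, tokenToSet or null] for one request.
function check_request(array $server, array $cookie, string $pwHash, string $key, int $now): array {
    if (token_is_valid($cookie['httpAuthLogin'] ?? '', $key, $now)) return [true, null];
    $given = $server['PHP_AUTH_PW'] ?? '';
    if (is_string($given) && password_verify($given, $pwHash)) {
        return [true, make_token($key, $now + 3600)];
    }
    return [false, null];
}
if (PHP_SAPI !== 'cli') {
    // Secrets kept out of the script; fail closed if either is missing.
    $pwHash = (string)getenv('ADMIN_PW_HASH');     // output of password_hash()
    $key    = (string)getenv('ADMIN_COOKIE_KEY');  // long random string
    if ($pwHash === '' || $key === '') { http_response_code(500); exit('Auth not configured.'); }
    [$ok, $token] = check_request($_SERVER, $_COOKIE, $pwHash, $key, time());
    if (!$ok) {
        header('WWW-Authenticate: Basic realm="Password"');
        http_response_code(401);
        exit('Password incorrect.');
    }
    if ($token !== null) {
        setcookie('httpAuthLogin', $token, ['expires' => time() + 3600, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    }
} else {
    // Offline self-check with constructed values: run `php` on this file.
    $h = password_hash('foobar', PASSWORD_DEFAULT);
    [$ok, $tok] = check_request(['PHP_AUTH_PW' => 'foobar'], [], $h, 'constructed-key', 1000);
    var_dump($ok,
        check_request([], ['httpAuthLogin' => $tok], $h, 'constructed-key', 2000)[0],  // inside lifetime
        check_request([], ['httpAuthLogin' => $tok], $h, 'constructed-key', 5000)[0]); // past expiry
}
```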

  5. #5
    Join Date
    Sep 2008
    Location
    Sarasota, Florida
    Posts
    99
    I use .htaccess to password-protect a folder containing both html and php files. It works for both. The php files cannot be accessed by entering the full path. My host is Lunarpages.
