Thread: PHP files can't be password protected?!?

  1. #1
    Join Date
    Aug 2009

    PHP files can't be password protected?!?

    Hi all, this is my first post on this forum so I hope I'm putting this question in the right place. Be gentle with me.

    I admit that while I'm an experienced designer, I'm not a very advanced developer. Usually I know everything I'd NEED to know to get sites built, tested, uploaded and maintained. But I've just run into a situation I've never encountered before and it makes no sense to me, so I'm wondering if this is just a specific problem with the host server setup or whether I'll encounter the same problem even if I switch hosting companies. Please help...

    I have an existing site for a charity, and the site resides on a subdirectory of a larger charity. Recently I've spent a lot of time revamping the site and building in a custom content management system to make maintenance (on my part) a lot easier. The site and the CMS are built using PHP/MySQL extensively. I'm ready to take the site live, so the first step is to upload the 'admin' folder with all the CMS files in it onto the server, password protect it, and test it. Here's where the problem lies.

    I am able to use .htaccess to password-protect the admin folder, no problem. If you type the URL to the directory itself, a password prompt comes up. But none of the files INSIDE the directory are protected. If you type the full path to any of the files inside the protected directory, it allows you to go right in....no protection, no prompt. This defeats the whole purpose of protecting the directory!

    I thought this must be a glitch, so I contacted tech support for the hosting company (GoDaddy, btw) and after two days of support tickets, making their way up the line to their senior techs, this is the response I got:

    Quote:
        The password protect feature unfortunately does not work when accessing a php file directly. This is how the server operating system is setup and unfortunately we are unable to update so it works as to your liking. If you put a .html page within it and try to access, you will see it ask for a password. We are unable to make it do the same for a .php file.

    So basically they're telling me that my entire CMS can't be secured on their servers. I've never heard of this before in my life... Is it common knowledge that PHP files inside a password-protected directory can't be protected? Is this a weakness in their server setup, or would I likely get this same response elsewhere? What would be the POINT of protecting a directory if the files inside it aren't secure?? There are CMS's all over the web...how do they function if only HTML files can be protected?

    Right now I'm at a loss what to do with this. I can build an HTML page for the control panel itself that will prompt the user when they access it...but it makes me cringe to think of all the PHP pages that people would be able to freely access inside that folder. The tech support guy suggested that the files can be 'masked' so they can't be seen, but I have never had to do that before and Googling it hasn't offered me any clues.

    Any answers, suggestions, or advice?

  2. #2
    Join Date
    Jun 2003
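    Code:
        php_value auto_prepend_file "/full/path/to/password.php"
    PHP Code:
        <?php
        // password.php: runs before every PHP script in the directory.
        // Challenge when no password was sent or when it does not match.
        if (!hash_equals('foobar', $_SERVER['PHP_AUTH_PW'] ?? '')) {
            header('WWW-Authenticate: Basic realm="Password"');
            header('HTTP/1.0 401 Unauthorized');
            die('Password incorrect.');
        }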
    If you are using PHP please use the [PHP] and [/PHP] forum tags for highlighting...
    The same applies to HTML and the forums [HTML][/HTML] tags.

  3. #3
    Join Date
    Aug 2009
    Scragar, thanks for the help. Not to seem dense, but I have a couple questions/clarifications.

    To be clear, you're saying that I should amend the .htaccess file to read as shown above, and then put the password.php into my directory, and it will protect all the PHP files in that directory?

    Once the protection is in place, this will function just like usual .htaccess directory protection...so that calling up each new PHP file won't require a separate log-in? (eg, user logs into the control panel and clicks to call up "add_date.php"...it won't throw up the prompt again)

    Sorry for the elementary questions but this is new territory for me.

  4. #4
    Join Date
    Jun 2003
    The code I posted, provided your host allows editing PHP configs on the fly anyway (most don't), will provide the same .htaccess style login prompt when attempting to load PHP pages.
    It would take a small edit to make this stored in a cookie, or something similar, for example:
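    PHP Code:
        <?php
        // Change these before going live. Very important.
        define('ThePassword', 'foobar');   // placeholder value, as in the earlier snippet
        define('PasswordSalt', 'MyCookieSalt');

        // getIP(): its definition is not shown in this post; assumed here to return the client address.
        function getIP() { return $_SERVER['REMOTE_ADDR']; }

        // a simple hash to protect our password.
        $encryptedPassword = sha1(PasswordSalt . ThePassword . getIP() . PasswordSalt);

        $cookie = $_COOKIE['httpAuthLogin'] ?? '';
        if (!is_string($cookie) || !hash_equals($encryptedPassword, $cookie)) { // no existing login
            $given = $_SERVER['PHP_AUTH_PW'] ?? '';
            if (!hash_equals(ThePassword, $given)) { // missing or bad password
                header('WWW-Authenticate: Basic realm="Password"'); // ask for password
                header('HTTP/1.0 401 Unauthorized'); // reject access unless password provided
                die('Password incorrect.');
            }
            setcookie('httpAuthLogin', $encryptedPassword); // record success
        }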

    Last edited by scragar; 08-27-2009 at 10:47 AM.
    If you are using PHP please use the [PHP] and [/PHP] forum tags for highlighting...
    The same applies to HTML and the forums [HTML][/HTML] tags.
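
A hardened variant of the prepend-file gate from posts #2 and #4, as an added example that is not code from the thread. It assumes a hypothetical hash file at /full/path/to/admin.pwhash holding `password_hash()` output; the names `HASH_FILE`, `credentials_ok`, `require_login` and `admin_ok` are illustrative. The login is kept in a server-side session, so the cookie never carries anything derived from the password.

```php
<?php
// password.php (added example): loaded before every PHP script in the
// directory through  php_value auto_prepend_file  in .htaccess.

// Assumption: this file holds one line produced by
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT);'
// and lives outside the web root so it cannot be fetched over HTTP.
const HASH_FILE = '/full/path/to/admin.pwhash'; // hypothetical path

function credentials_ok(?string $given, string $hashFile): bool
{
    $hash = is_readable($hashFile) ? trim((string) file_get_contents($hashFile)) : '';
    // Fail closed: no hash on disk or no password sent means no access.
    return $hash !== '' && $given !== null && password_verify($given, $hash);
}

function require_login(string $hashFile): void
{
    // Session cookie: not readable by scripts, sent only over HTTPS.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    session_start();

    if (!empty($_SESSION['admin_ok'])) {
        return; // already logged in: no second check for add_date.php etc.
    }

    if (credentials_ok($_SERVER['PHP_AUTH_PW'] ?? null, $hashFile)) {
        session_regenerate_id(true);   // new session id after login
        $_SESSION['admin_ok'] = true;  // the cookie carries only a random id
        return;
    }

    // Missing or wrong password: challenge and stop before the page runs.
    header('WWW-Authenticate: Basic realm="Password"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Password required.');
}

require_login(HASH_FILE);
```

`php_value` lines in .htaccess are honoured only when PHP runs as an Apache module, and `PHP_AUTH_PW` may be empty under CGI/FastCGI setups. Basic credentials are only base64-encoded on the wire, so serve the admin directory over HTTPS.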

  5. #5
    Join Date
    Sep 2008
    Sarasota, Florida
    I use .htaccess to password-protect a folder containing both html and php files. It works for both. The php files cannot be accessed by entering the full path. My host is Lunarpages.
