Register

If this is your first visit, please click the Sign Up now button to begin the process of creating your account so you can begin posting on our forums! The Sign Up process will only take up about a minute of two of your time.

Page 1 of 2 1 2 LastLast
Results 1 to 10 of 11
Like Tree5Likes

Thread: Password protected page with PHP and CSS. Any way to improve?

  1. #1
    Senior Member RDesignista's Avatar
    Join Date
    Feb 2012
    Location
    Coconut Tree City
    Posts
    822
    Member #
    30921
    Liked
    123 times

    Password protected page with PHP and CSS. Any way to improve?

    Hi everyone,

    Just wanted some feedback about my method of password protecting a page and if it can be improved for security. I had to do my own because I couldn't google any cool methods.

    ***

    I was uploading somewhat sensitive data and needed it to be somewhat protected
    I've recently developed an online template I am going to use for client proposals. I am doing this because I really hated styling proposals in MS Word. Also, I am too cheap to pay $10-$20 a month for proposal software services.

    One thing about having an online proposal is that it is much more public than a presentation or an emailed doc. The proposals are hosted my server. It's private in the sense that it's not linked to, is not in a sitemap, and it is <meta name="robots" content="noindex, nofollow">. However, I wanted to make sure no outside person who stumbles on it would see how I do business proposals, my pricing, and I also wanted my prospects to feel like their proposals are private.

    The method
    I thought of using javascript prompt to initiate a password input, but

    1 - the prompt box is browser styled, meaning no css mods
    2 - if its a password, it will be loaded in the source code

    I knew I had to use server side language.

    So I ended up making a :

    PHP Code:
    if (isset($_POST['pw'] )) {
      if ($_POST['pw'] === 'password' ) { ?>
        <style>
        #pw-protect { display:none }
        </style>        
      <?php }
    }
    and coupling it with a form

    HTML Code:
    <div id="pw-protect">
    <form method="post" action="index.php">
    Enter Password<br>
    <input type="text" name="pw" />
    <input type="submit" value="submit"/>
    </form>
    </div>
    So now for people to see the proposal, they need a link and a password.

    Any thoughts about how to make it more secure?
    I've realized that a web saavy person like myself could find the page and then manually force pw-protect to hide. Any other security issues I should be aware of?
    Attached Images Attached Images
    Last edited by RDesignista; Jan 04th, 2014 at 04:39 PM.

  2.  

  3. #2
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    Yeah...don't use "password" as your password.

    I would suggest to you that a login page is in order, as opposed to a login dialog box. The proposal can still be seen in the background. I don't know if Linux / .htaccess has a similar mechanism, but IIS versions 7 and up allow you to password-protect directories in web.config. Here's the general idea, although the path used should be much more secure. I'm not sure about 6, but if anyone's still using IIS6 they probably need to upgrade their servers:

    Web.config file to password protect a directory in any ASP.net web site

    Basically, what happens is that, when the directory "administrator" is visited, the user is automatically redirected to a login page and can only log in using the "admin" credentials. The downside to this approach, and it's a slight one, is that any subdirectories and files such as CSS, JS, etc. are also blocked by default if the login page is in the administrator folder, so you have to create override locations for each of those. So it's a few extra lines of code.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  4. #3
    WDF Staff mlseim's Avatar
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,686
    Member #
    5580
    Liked
    716 times
    You need to have the form send their entered password to a separate PHP script that checks if it is valid, and then sets a PHP SESSION. Once a SESSION variable is set, it remains set the whole time they're browser is opened, so you can check for it on any other page you have. When they close their browser or log-off, the SESSION is destroyed and they have to log-in again.

    Google: simple PHP SESSION login example

    With your method, they have to enter the password every time the need to see the page.

    The 2nd part of your system will need to be a way for your clients to log-in and change their password if they wish. So you need a "user registration/login" type of PHP script. This involves not only PHP, but MySQLi as well (for the database).


  5. #4
    Senior Member Ronald Roe's Avatar
    Join Date
    Mar 2011
    Location
    Oklahoma City
    Posts
    3,141
    Member #
    27197
    Liked
    959 times
    I recently did this. My host had the option in cPanel, and it ran it thru the .htaccess. I don't know exactly how secure it is, but it worked to keep my wife's prying eyes off her Christmas gift.
    AlphaMare likes this.
    Ron Roe
    Web Developer
    "If every app were designed using the same design template, oh wait...Bootstrap."

  6. #5
    WDF Staff mlseim's Avatar
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,686
    Member #
    5580
    Liked
    716 times
    Sure, you can use .htaccess/.htpassword, but it's so easy to use PHP, and it's just as secure. Having a whole system of client proposals, you're going to need PHP and MySQLi anyhow, so you might as well do it right. Having multiple members, logins, profile pages, admin pages ... you almost have to use server-side scripting.


  7. #6
    Senior Member RDesignista's Avatar
    Join Date
    Feb 2012
    Location
    Coconut Tree City
    Posts
    822
    Member #
    30921
    Liked
    123 times
    Wow, thanks for the responses, guys. I was expecting some technical input and I got just that!

    I'm going to weigh options.

    I'm not doing a true secure client system. This is because I use other methods of client management : invoicing + receipts (via my online accounting), project management (Trello), and contract signing (Echosign). All I'm exploring right now is a way for me to add an additional layer of security for things that I might want on my own web space but need to make private somewhat. I don't want it to be too odd where the person has to go and find their login and password everytime they want to take a look... that's why I am only wanting to just a password. And that password would be easy to remember, but nearly impossible for a random passerby to guess.

    So basically, I am sacrificing a bit of security for a bit of style and user convenience. It's not super sensitive data I'm protecting here (proposals and test sites for now), but it's just things that I would not want to indexed or for my competition or other clients to stumble upon.

    Again, I will have to weigh options : easy to use vs secure. Thanks again!

  8. #7
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    Here's my trick for a password: come up with a mixed-case phrase that can make use of a number as a word (e.g. 2 for to / too, 4 for for) and a symbol, either as the replacement for a letter (e.g. $, |) or at the end. Sort of like this: RonBuildsSites4U! Easy to remember, very difficult to guess.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  9. #8
    WDF Staff mlseim's Avatar
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,686
    Member #
    5580
    Liked
    716 times
    On a web page, create a simple form:

    <form action="login.php" method="post">
    Password: <input type="password" name="pass">
    <input type="submit" name="submit" value="Log In">
    </form>

    Now, create a separate script called "login.php".
    You can use Notepad to do the creation ... save it as "login.php"
    PHP Code:
    <?php
    session_start
    ();
    if(
    $_POST['pass']){
    $password=$_POST['pass'];
       if(
    $password == "RonBuildsSites4U!"){
       
    $_SESSION['user']="admin";
       
    header("location: mypage.php");
       exit;
       }
    // not a valid password, so send them back to your main page.
    header("location: index.php");
    exit;
    }
    ?>
    Now, at the top of your protected page ... we'll call it "mypage.php" ....
    PHP Code:
    <?php
    session_start
    ();
       if(isset(
    $_SESSION['user'])){
       
    // logged-in, so do nothing
       
    }
       else{
       
    // not logged-in, so kick them out .. send them to your main page ...
       
    header("location: index.php");
       exit;
       }
    ?>
    <html>
    <head>
    <body>
    the rest of your page here
    blah
    blah
    .
    .
    </body>
    </html>
    Once logged-in, they can access "mypage.php" any time they want without entering the password ... as long as their browser session remains. When the browser is closed, the session is lost. Going back in browser history does not work ... the login uses PHP SESSION, which is a server-side 'SESSION ID' (sort of like a cookie) that matches the user's 'cookie'.

    To create a logout button ... link it to this script ... call it "logout.php":
    PHP Code:
    <?php
        session_start
    ();
        
    //Unset the variables stored in session ... log them out.
        
    unset($_SESSION['user']);
        
    header("location: index.php");
        exit;
    ?>
    Logging out, or UNSET the SESSION will not let them back into "mypage.php" without logging in again.
    Last edited by mlseim; Jan 06th, 2014 at 06:56 AM.
    TheGAME1264 likes this.


  10. #9
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    HEY! That is blatant password-related copyright infringement, Max! That's my exclusive intellectual property that I put on the web for anyone to use as they see fit!

    Come up with your own password, jerk!
    mlseim likes this.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  11. #10
    WDF Staff mlseim's Avatar
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,686
    Member #
    5580
    Liked
    716 times
    if($password == "!skcus_4621EMAGehT"){

    That one might be more secure ...
    TheGAME1264 and Ronald Roe like this.



Page 1 of 2 1 2 LastLast

Remove Ads

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
All times are GMT -6. The time now is 05:05 PM.
Powered by vBulletin® Version 4.2.3
Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.
vBulletin Skin By: PurevB.com