Password protect a page on site

ethosadvisory

Would someone be open to instructing me how to password a page on a site. Some client files loaded to the server are for "client eyes only"; the informatin posted is personal and confidentail. Therefore, I want to password protect the page with a random selected password and username.

If a random selection of username and password is not possible, I will use a standard username and password.

Thanks for the help.

Ray Randall

jabba_29

sessions / database is probably the easiest way and more secure.
Search this forum

pinkbike

This is the SUPER SUPER basic way to do things.

//this is the page that you access on the url
pass_view_page1.php

////////////////////////////////////////////
<?
//password is 'secret'
if ($_POST['password']=='secret')
{
echo "Accessing secret page.....<br>";

  include"/safedir/page1.html";

}
else
{
//no action should access the same page
echo "<form name=\"form1\" method=\"post\" >Enter password <input type=\"text\" name=\"password\"></form>";

}
/////////////////////////////////////////////

//page1.html is the actual password protected page somehere on the system out of www root
/safedir/page1.html

NOTE: please remember this is a VERY simple idea. But it'll give you at least some basics to take it to the next step and make things more secure and complicated. Using cookies, sessions, etc

Ramsey_Nasser

pinbike's code would work, but (like he said) its very basic, and seems un-safe. etho said that the data was very personal, so heres the basics of security using cookies and MD5 encryption...

When they first sign up:

<?php

//generate random username and password

$name = mt_rand(1000,100000); //u can use rand() if u want
$password = mt_rand(1000,100000);

//encrypt them for more security

$e_name = md5($name);
$e_password = md5 ($password);

//store them in a db

mysql_connect(localhost, username, password);
mysql_query("USE database");

mysql_query("INSERT INTO table VALUES('$e_name','$e_password');

//display the info

print ("Your user name is $name and your password is $password, dont forget them");
?>

md5 cant be decrypted, however, so use this code to authenticate users:

<?php

//get variables from the form

$name = $_POST['name];
$password = $_POST['password'];

//encrypt them

$e_name = md5($name);
$e_password = md5($password);

//check them against the database

mysql_connect(localhost, username, password);
mysql_query("USE database");

$check = mysql_query("SELECT * FROM table WHERE username = '$e_name' AND password='$e_password'");

$rows = mysql_num_rows($check);

if ($rows==0) {

print "invalid password";

} else {

//restricted code here

}

easy as pie

planetsim

Um.. why cant people have passwords.. I dont like the feeling of having a password made for me.. You can forget those.. I feel more safe if i made the password.. Then encryped md5();. Although a very good hacker will work out the encrypted data.. after about 100's and 100's of attempts.. So most likely most give up after a while..

pinkbike

The first step to making things more secure is to use a one way hashing method....... md5() is a good start. The security you get from this is the fact that the users password is not stored in plain test anywhere on the server. So if the server is compromised, the users passwords still remain relatively safe.

Storing the password information in the database is a good way to get functionality but it does not get you security.
using a username/password combination is the next step in functionality and access personallization, and it also does not gain in security. (aside from the fact that you need a 2 pair token to access the data)

Best advise I can give is to start small, understand all your code, and build on it. Imporving the security and your needs to fit your application/project.

REMEMBER does not matter what security you have in place, but if your username/password is easy to guess, all the security does not matter.

Some other ways to improve security beyond the password.
- use https for all password exchange. Without this the information a user enters is just transfered around the world in plain test for others to read.
- if you dont have https, at least us some find of javascript, hashing on the client side to scramble the password. Public/secret key combination with the server.

use metrics on your users, isp, browser, etc to restrict access.