Password protect pages - htaccess, php, cgi

[Calisonder]

Ok, I have an html log in form, here (http://www.oliverswater.com/password.html), and everything works ok. The username is Joshua and the password is Dowdy. The login directs me to the page that i want it to, here, (http://www.oliverswater.com/loginenter.html), so that works. But it truly is not password protecting anything because you could just go directly to http://www.oliverswater.com/loginenter.html and it doesn't ask you for a password or anything. Does anyone have a free script or know where one is that will only allow someone to get to a protected page through a login screen.

[dave conz]

Yeah, I know what you mean - this type of protection isn't the best. I'd recommend something that uses .htaccess.

http://www.hotscripts.com/
http://cgi.resourceindex.com/
etc

[AcRoNym]

wouldnt bother wiv cgi its old and has vunerabilties go fo php

[dave conz]

Quote:

Originally Posted by AcRoNym

wouldnt bother wiv cgi its old and has vunerabilties go fo php

Not the most balanced or informative comment I've seen on this issue. There are many pros and cons of these technologies and there's plenty of information to help you decide which best suits your needs.

If you have no personal language preference, I think you should choose based on how well the script meets your needs, not the language it's written in.

[Calisonder]

ya i agree dave, damn i'm still having trouble finding what i need

[Distorted]

You could set a cookie on the login page and use a redirect in the enter page if they don't have the cookie.

In ASP it might look something like this for the login page's action... maybe:

[code:1:b3e3e2b283]
<%
If password <> ('password') Then
Page.Location = "wrong.hml"
Else setCookie stuff....
Page.Location = "welcome.html"
End If
%>
[/code:1:b3e3e2b283]

Hope this helps.

[LazyJim]

The only thing wrong with that Distorted, is it relies on the user having cookies enabled.

No I think an .htaccess based solution is best.

That way anyone trying to go directly to the protected files will be asked for username and password by their browser.

I'm not sure how the log-in page would pass the username and pass word, but it is possible to to go to http://usename:password@www.example.com/members/ and it will do the log-in if the username an pword are correct.

[Calisonder]

thanks guys

[hatchet]

or on the protected file page you could have (this is php)
if ( !isset($username || $password) {
header (location: http://domain.com/sorry.html);
}
Essentially saying if those are not set then goto sorry.html

[LazyJim]

where do $username and $password come from (when they are logged on)?

[hatchet]

Yep.. once they are logged on you can set those variables as global.. the problem with the html form though is that it gets put into the url many times - so it would all have to be php to hide the variables from the browser window.

[LazyJim]

many times?

I tought it's just sent via POST to the file names in the action property?

[Calisonder]

there we go, keep talkin guys, were getin somewhere, thanks alot

[hatchet]

By many times I mean often the variables can be visible..
with php it hides them as a server side function. It could be standard security / authorization script found at hotscripts..

[DragonEye]

I have made a system that doesn't use .htaccess but i'm pretty sure it works for a 100%

I made it for the controlcenter of my website. I have a script on every page (with an include) that checks for a username and password in the database. The password and username from the login form are stored in a PHP session. I have made sure that cookies don't have to be enabled for it to work.

it's quite complicated though

if you want more info

mail me

grtz

DragonEye

[cltwebs]

Just as an added note...

Sometimes the Web Hosting Provider will have built in password protection built into their control pannel for directories on your site.

[LazyJim]

doesn't .htaccess cause thebrowser to prompt theuser for username and password?
How can you securely have the log-in fields on the page instead of the browser dialogue?