hi guys. I've just got this question. I've been given a task to make a login page (user and pass) to protect a certain folder on the server. Now, I've been searching for a JavaScript solution to do that, but it seems that someone who knows the exact link can skip the login page by entering the address manually in the bar. The solution I'm looking for is something that would make any file in the certain folder inaccesible as long as a user and a password is not entered. Php might be the answer, and since I don't have the vaguest clue on how to do it, I turn to you. So, can it be done, and if yes, how ?
Thanks in advance.

php could do something like this, but it would be more work than just setting up a .htaccess file... look for the script on dynamicdrive main.

edit: just saw your other thread.

yes, it's possible to code a php setup that will not let people access stuff, but it'll be complex, and won't work for files... just .php pages (and MAYBE with some really complex coding, files could be protected, but they'd still be available with the right direct link).

JS is totally unsecure and would be stupid. Just turn off the JS in a browser, and there you go. It won't do it.

hopefully pointing you in the right direction...

So basicly the .htaccess file seems to be the only ... option to do this, other than purchasing some expensive and complex software ?

Do you need to limit access to other filetypes as well?

It is possible in php, but it would be pretty complex.

If you can use .htaccess, do it...

Maybe learn cgi... surely there's some options there.

check with your host. they might have some options.


Ok... php:
1. You need to develop a password system/login system/whatever. That's fairly easy... just figure out what you want. Use cookies or sessions, etc.
2. Now assume you've got a valid verification of login script at the top of a php page.
3. php pages will be EASY... just put that at the top, ending it with "else die;" and it'll not output anything after that.
4. For FILES, you will need to put them in an inaccessible directory (one below the public_html) or something... since you can't use .htaccess, you might not have or be able to make one. Check if you've got one that's only on the server that can't be just linked to. Then your files are secure.
5. Use php to get the file's data, then send to the user.
*something* like:
file('../file.ext')
Then output that, including a mime-type code and stuff so the browser will know it's an image, or it's a.... whatever.


This is a huge amount of coding, for basically every file, with lots of bugs that will come up.


Why doesn't .htaccess work?

It is possible in php, but it would be pretty complex.Nonsense.
<?php
if($_POST['user'] == "correctuser" && $_POST['pass'] == "correctpass") {
header("Content-Type: application/x-pdf");
readfile("realpdffile.pdf");
} else {
?>

<html>
<head>
<title>
Unauthorized
</title>
</head>
<body>
<p>
HAH, WRONG!
</p>
</body>
</html>

<?php } ?>However, you'd still need to fiddle with the config to parse the .pdf file as PHP, so you might as well stick with .htaccess.

It'll get complex if he's doing this for an entire directory of files, assuming there are a bunch.

but, yeah, that actually isn't that bad. :)

Well ... unfortunately php is kinda of out of the question since what I need to protect are some generated html reports. Converting everything to php ... just to get the protection ... that's just not worth...

"Just not worth it"

Well... that's fine.

But you won't get it to work if you don't.

Or you can use .htaccess, but you said that didn't work.

Dunno what to tell you. There's no easy way out of this.

I can see that. :( I will either change to apache ... or go to the php solution...
Why I've said it's not worth is because I have 300 html pages, and that means inserting code into them all. Can you guys take a look at this http://www.hostmysite.com/support/dedicated/IIS/passwordprotect/ ??
Thank you for the help you've given me so far, it was really good, I've learned a lot.

I have no experience with what's on that link... sorry. Seems like it's doing something like .htaccess, or .htaccess itself... setting permissions. Look into that, but I can't really help.

That should work, yes. I'd still recommend switching to Apache, though, simply because it's a better webserver (and free, incidentally).

I will do that ... Just hope my webhosting company can do that ...
Thank you all again for the help.

If I only get the Hah wrong reply means I probably don't have php enabled on the server ?




Nonsense.
<?php
if($_POST['user'] == "correctuser" && $_POST['pass'] == "correctpass") {
header("Content-Type: application/x-pdf");
readfile("realpdffile.pdf");
} else {
?>

<html>
<head>
<title>
Unauthorized
</title>
</head>
<body>
<p>
HAH, WRONG!
</p>
</body>
</html>

<?php } ?>However, you'd still need to fiddle with the config to parse the .pdf file as PHP, so you might as well stick with .htaccess.

It could do, yes. It could also mean that the user and password aren't correct. Try a test like:
<?php echo("You have PHP enabled on your server."); if(false) { ?>
You don't have PHP enabled on your server.
<?php } ?>

You don't have PHP enabled on your server. - Beautifull - By the way ... they refused to change from windows to lunix ... they said it's a different platform and they can't do it. Not PHP is not enabled ! Note to self ... never buy from these guys again.

What's the file extension on that file? It could just be not being parsed as PHP.