Encrypted Password script - no good!

[Poontang]

1) Script Title: Encrypted Password script

2) Script URL (on DD): http://dynamicdrive.com/dynamicindex9/password.htm

3) Describe problem:

It seems to work fine - but it is no good if I just write a deeplink to the site I want to protect, i can enter without any problems! Do I miss out on something?

(Exactly what is ment by: Step 4: Finally, insert the code of Step 2 into the proceeding page visitors will login using.)



For expl. my setup:

www.my-domain-name.com/secretsite/index.htm <--- Site with password script
www.my-domain-name.com/secretsite/pass.htm <--- Site to protect (named by the password)

(Domain-name is fiction)

[jscheuer1]

If I understand you, yes you are correct. This type of scheme can only really protect one page, and does so poorly at that. If you want to really protect things using passwords, you must use server side methods.

There are a number of ways to do so, but you must have permission on the host to use (one of):

• PHP
• some other server side language
• .htaccess file(s)
• or possibly other methods your host may have available

This is not my area of expertise though. I can tell you that the type of security for nested pages you can get with each method may be limited by the method itself or how it is applied, but the above should each at least be able to protect one page with near 100% air tight security. Some can certainly be used to protect entire sites, or entire sections of sites.

[traq]

I use PHP for login/access control. The basic idea is like so:
1) choose a password for your page (or even your whole site).
2) use the md5 or sha1 function to generate a "hash" of your password (ex.: <?php echo md5('mypassword'); ?> -that will generate something like 9e107d9d372bb6826bd81d3542a419d6, depending on the password you choose ).
3) nest the content you wish to protect in a conditional statement, like so:

PHP Code:

// check if the user submitted a password
if(isset($_POST['password'])){
   // if so, check if hash of submitted password matches choosen password hash
   if(md5($_POST['password']) == '9e107d9d372bb6826bd81d3542a419d6'){
      // if so, show page content here.
   //  otherwise,
   }else{
      // show an error message
      echo 'WRONG PASSWORD!';
      // and end the script (content is never seen)
      die;
   }
// if the user didn't give a password
}else{
   // show the login form
   echo'
      <form action="'.$_SERVER['PHP_SELF'].'" method="POST">
         Enter your password: 
         <input type="password" name="password">
         <input type="submit" value="Log In">
      </form>
   ';
} 


this is obviously very brief; and not overly efficient, but it give the concept of how to password-protect a php page. Do a google search for "php password script" to find something ready-to-go. Have fun!