What is the best way to password protect a folder using PHP without a database or user name but using. Basically I have a page that will list contacts for an organization and ne
Assuming you're on Apache:
http://httpd.apache.org/docs/1.3/howto/htaccess.html#auth
Well since you know it's insecure to begin with, you could store a password in a text file somewhere on your web server. When someone accesses the page you could show a form that asks for a password. If the password matches what is in the text file, then you reload the page and display the information. Using the text file will allow you to change the password without having to modify the page they are accessing when you want to change it. You're still going to be sending plaintext everywhere unless you're using SSL. Let me know if you need some code.
If you want to avoid cookies, sessions and don't want to play with .htaccess files, you can also do HTTP authentication solely with PHP:
http://www.php.net/manual/en/features.http-auth.php
You can hard code the password into the file and change it as needed, or include it from a file not in your web-accessible directory.
The downside is you don't have the ability to format the "login" screen - it will be a standard HTTP authentication dialog box.
I doubt if this would count as the best way of doing it, but it would work. And since security doesn't seem to be a big issue for you, the fact that this way's as insecure as hell probably won't bother you either.
Have a login.php page that takes a password and then sets a cookie if the login details are correct. Each PHP file can then check for the existence of the cookie to determine whether the user is "logged in" or not, and display information accordingly.
login.php
...
if (isset($_POST['password']) && $_POST['password'] == 'my_top_secret_word') {
    setcookie('loggedin', 'true', time() + 1200, '/url/');
} else {
    setcookie('loggedin', 'false', time() - 1200, '/url/');
    // display a login form here
}
etc
Each "protected" page would then check for this cookie:
if (isset($_COOKIE['loggedin'])) {
    if ($_COOKIE['loggedin'] == 'true') {
        $showHidden = true;
    } else {
        $showHidden = false;
    }
} else {
    $showHidden = false;
}
I'm sure you get the (highly insecure) idea ...
You could use something like this:
<?php
// access.php
// put the sha1() hash of the password here - example is 'hello'
$password = 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d';
session_start();
if (!isset($_SESSION['loggedIn'])) {
    $_SESSION['loggedIn'] = false;
}
if (isset($_POST['password']) && is_string($_POST['password'])) {
    // hash_equals() compares in constant time and avoids == type juggling
    if (hash_equals($password, sha1($_POST['password']))) {
        $_SESSION['loggedIn'] = true;
    } else {
        die('Incorrect password');
    }
}
if (!$_SESSION['loggedIn']): ?>
<html><head><title>Login</title></head>
<body>
<p>You need to login</p>
<form method="post">
Password: <input type="password" name="password"> <br />
<input type="submit" name="submit" value="Login">
</form>
</body>
</html>
<?php
    exit();
endif;
?>
Then on each file you want to protect, put at the top:
<?php
require('access.php');
?>
secret text
It isn't a very nice solution, but it might do what you want
Edit
You could add a logout.php page like:
<?php
session_start();
$_SESSION['loggedIn'] = false;
?>
You have logged out
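
The access.php approach from the last answer with its weak points addressed, as an added example that is not part of any answer above: the password is kept as a password_hash() value in a file outside the web root (as the earlier answers suggest), checked with password_verify(), and the session ID is regenerated on login. The file name access_hardened.php and the HASH_FILE path are assumptions, and the directory it points to must already exist.

```php
<?php
// access_hardened.php: added example, not code from the thread.
// Assumption: HASH_FILE is a hypothetical path outside the web root.
const HASH_FILE = __DIR__ . '/../private/contacts.hash';

// One-off setup from a shell: php access_hardened.php 'new password'
if (PHP_SAPI === 'cli') {
    if ($argc !== 2) {
        fwrite(STDERR, "usage: php {$argv[0]} <password>\n");
        exit(1);
    }
    // password_hash() adds a random salt and uses a slow algorithm
    file_put_contents(HASH_FILE, password_hash($argv[1], PASSWORD_DEFAULT), LOCK_EX);
    exit(0);
}

session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,      // cookie is only sent over HTTPS
    'cookie_samesite' => 'Strict',  // PHP 7.3+
    'use_strict_mode' => true,
]);

$message = 'You need to login';
if (isset($_POST['password']) && is_string($_POST['password'])) {
    $hash = is_readable(HASH_FILE) ? trim(file_get_contents(HASH_FILE)) : '';
    if ($hash !== '' && password_verify($_POST['password'], $hash)) {
        session_regenerate_id(true); // fresh session ID on login
        $_SESSION['loggedIn'] = true;
    } else {
        sleep(1);                    // crude brake on guessing
        $message = 'Incorrect password';
    }
}

if (empty($_SESSION['loggedIn'])): ?>
<html><head><title>Login</title></head>
<body>
<p><?= htmlspecialchars($message) ?></p>
<form method="post">
Password: <input type="password" name="password"> <br />
<input type="submit" name="submit" value="Login">
</form>
</body>
</html>
<?php
    exit();
endif;
```

Protected pages include it with require, exactly as they would access.php; changing the password means rerunning the command-line step, with no edit to any page.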