Does anyone have any tips or links on how to create a simple password-protected area? The one I'm using now works fine, but once you are logged in and can see the URL you can just copy and paste it and access the page directly. Here is the Perl script I'm using now…
The basic logic of how to make a simple password-protected area using PHP, well, the way I would do it would be like this:
Post an HTML form with username & password.
Verify against the database, get the IP and session ID. Make some hash out of the session ID and IP address and put it into a sessions table. Set a flag session variable to mark the user as logged in.
So now you have this to verify user logged in:
Session variable logged_in: true or false.
Session ID hash (we'll call it $sid for now).
Then on every page that is protected, first see if $_SESSION['logged_in'] == true. If not, then redirect back to the login.php page.
If it is true, then from page to page you pass the $sid ID like this:
somepage.php?sid=$sid
So on every password-protected page you get that sid ID, then verify it against the sid in the database, with the current session and the IP address of the person accessing that page. If nothing matches, then send them to the login.php page…
This is kind of how phpBB does it.
So what you are missing is that there is no way to verify whether the user is logged in or not on the password-protected pages. The simplest is to just set some session variable after you log in so that each page checks to see if that flag is marked true. But that is pretty easy to break through, so using a session ID with an IP address makes it a little tougher.
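The flow described in this answer, as an added example that is not code from the thread: a login handler that verifies the posted form, and a require_login() check to include at the top of every protected page. It assumes a PDO connection in $pdo and a users table with id, username and password_hash (produced by password_hash()) columns. One deliberate difference from the answer: the per-session fingerprint is kept in the server-side session instead of being passed as ?sid= in the URL, because anything in the URL ends up in browser history, proxy logs and Referer headers, and the session cookie already carries the identifier. The fingerprint helper name is hypothetical.

```php
<?php
// Added example for the thread above; not the original poster's code.
// Assumes: $pdo is a connected PDO instance, and a `users` table with
// columns id, username, password_hash (output of password_hash()).
declare(strict_types=1);

session_start();

// Hypothetical helper: tie the session to the client. IP alone breaks for
// users behind rotating proxies or mobile networks, so IP + User-Agent is
// used here, and it is only one signal alongside the server-side session.
function client_fingerprint(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

// login.php: verify the posted username/password against the database.
function handle_login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run password_verify() even for unknown users so the response time does
    // not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('unused-dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // Issue a fresh session ID on login to defeat session fixation.
    session_regenerate_id(true);
    $_SESSION['logged_in']   = true;
    $_SESSION['user_id']     = (int) $row['id'];
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['issued_at']   = time();
    return true;
}

// require_login.php: include at the top of every protected page. Because the
// check is done server-side, knowing the page's URL is not enough to see it.
function require_login(int $max_age = 3600): void {
    $ok = ($_SESSION['logged_in'] ?? false) === true
       && hash_equals($_SESSION['fingerprint'] ?? '', client_fingerprint())
       && (time() - ($_SESSION['issued_at'] ?? 0)) < $max_age;
    if (!$ok) {
        session_unset();
        session_destroy();
        header('Location: login.php', true, 302);
        exit;
    }
}

// Usage on a protected page (e.g. somepage.php):
//   require 'require_login.php';
//   require_login();
//   echo 'members-only content';
```

The session cookie should additionally be marked HttpOnly, Secure and SameSite (session_set_cookie_params() before session_start()), so that the identifier the whole scheme rests on is not readable by page scripts or sent over plain HTTP.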
.htaccess can be very secure… and is not hard to add. But the way you wrote that Perl, that is not a smart idea (meaning, storing the user/password in the file itself).
You can do access verification in Perl if you like.
Basically it involves this:
Check if the browser has provided a userid/password set. It'll be in $ENV{'HTTP_CGI_AUTHORIZATION'}.
If no userid/password is present, ask for one by sending a reply with status 401 Authentication required.
If a userid/password set is present, verify that they're valid and show the page. If they're not valid, show a page that tells the user that access is denied.
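The same three steps done in PHP rather than Perl, as an added example that is not from the thread. Under mod_php the decoded credentials appear in $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']; under CGI/FastCGI the raw Authorization header usually has to be passed through by the server (for example via a rewrite rule into HTTP_AUTHORIZATION) and decoded by hand, so the reader handles both. Basic auth only base64-encodes the password and resends it on every request, so it belongs behind HTTPS. The credential store below is constructed for the example and hashed at runtime; a real deployment keeps precomputed hashes outside the web root, which is what the .htaccess/htpasswd approach mentioned earlier does at the server level.

```php
<?php
// Added example for the Basic-auth steps above; not the thread's Perl script.
declare(strict_types=1);

// Constructed credential store: username => password_hash() output. Hashed at
// runtime only so the example is self-contained; store precomputed hashes
// outside the document root in practice.
$users = [
    'alice' => password_hash('example-only-password', PASSWORD_DEFAULT),
];

// Step 1: read the userid/password the browser sent, or null if none present.
function read_basic_credentials(): ?array {
    // mod_php decodes the header for us.
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? ''];
    }
    // CGI/FastCGI: raw "Authorization: Basic base64(user:pass)" header.
    $hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($hdr, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

// Step 2: no credentials, so ask for them with a 401 and a challenge header.
function request_credentials(): void {
    header('WWW-Authenticate: Basic realm="Members area", charset="UTF-8"');
    http_response_code(401);
    exit('Authentication required');
}

// Step 3: check the pair against the store with a constant-time hash compare.
function verify_credentials(array $store, string $user, string $pass): bool {
    // Verify against a dummy hash for unknown users so timing does not leak
    // which usernames exist.
    $hash = $store[$user] ?? password_hash('unused-dummy', PASSWORD_DEFAULT);
    return isset($store[$user]) && password_verify($pass, $hash);
}

$creds = read_basic_credentials();
if ($creds === null) {
    request_credentials();
}
[$user, $pass] = $creds;
if (!verify_credentials($users, $user, $pass)) {
    http_response_code(403);
    exit('Access denied');
}
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Returning 403 on a wrong password (rather than another 401) stops the browser from re-prompting indefinitely; send 401 again instead if you want the retry dialog. Either way, log the failures so repeated guessing against one account is visible.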