Password Protected Page


Does anyone have any tips or links on how to create a simple password protected area? The one i’m using now works fine but once you are logged in and can see the url you can just copy and paste and access the page directly. Here is the Perl Script i’m using now…


use CGI
$cgi = CGI->new();

$username = $cgi->param(‘username’);
$password = $cgi->param(‘password’);

if ($username eq ‘myuser’ && $password eq ‘mypass’) {
print $cgi->redirect(‘myfile.html’);
} elsif ($username eq ‘otheruser’ && $password eq ‘otherpass’) {
print $cgi->redirect(‘otherfile.html’);
} else {
print $cgi->redirect(‘failure.html’);

The basic logic of how to make a simple passworded area using php, well the way I would do it, would be like this:

post html form – username & password

verify against database, get IP and session ID. Make some hash out of the session ID and IP address and put it into a sessions table. Set a flag session variable to mark the user logged in.
So now you have this to verify user logged in:

  1. Session variable logged in - true or false.
  2. Session ID hash (we’ll call it $sid for now)

Then on every page that is protected, first see if the SESSION[‘logged_in’] == true. If not then redirect back to the login.php page.

If it is true, then from page to page you pass the $sid id like this:

So on every password protected page you get that sid ID, then verify it against the sid in the database, with the current session and the IP address of the person accessing that page. If no matches, then send them to the login.php page…

This is kind of how phpBB does it.

So what you are missing is there is no way to verify whether the user is logged in or not on the password protected pages. The simplest is to just set some sessioin variable after you login so that it checks to see if that flag is marked true. But that is pretty easy to break thru, so using a Session ID with an IP address makes it a little more tougher.

is there a simple way to do it with .htaccess? or is there a way to improve upon my script?

.htacces can be very secure… and is not hard to add. But like the way you wrote that perl. that is not a smart idea. (meaning, storing the usr / pw in the file itself )

is there a way to use htaccess and htpassword in conjunction with a form so i dont have to use the browser one?

Not securely, as you would be passing the form data in plain text to the server.

but htaccess is secure even if u aren’t using https?

But if you don’t use the default apache user / password prompt you do this:
http://user:[email protected]

i don’t understand what you mean

You can do access verification in Perl if you like.

Basically it involves this:

  1. Check if the browser has provided a userid/password set. It’ll be in $ENV{‘HTTP_CGI_AUTHORIZATION’}
  2. If no userid/password is present, ask for one by sending a reply with status 401 Authentication required
  3. If a userid/password set is present, verify that they’re valid and show the page. If they’re not valid, show a page that tells the user that access is denied.

I’ve done this in PHP once, but never in Perl…