pureMango.co.uk
there's nothing about mangos or purity. It's just a name.
A PHP script that offers easy to install, secure password protection.
Features:
- Session based password - no need to re-enter
- Can protect multiple files
- Can use multiple passwords
- Optionally emails on incorrect password
- Optionally writes to file on incorrect password
- User definable hammering protection
- Optional session timeout
source - demo1 - demo2
Who: VLAIS
When: December 20th, 2004
Says: Really great!
Who: duth
When: December 28th, 2004
Says: but you can see in the source the password!!!!!!!!!!!!!!!!
bye duth
Who: u24
When: December 30th, 2004
Says: but if someone can see the source, then your security is already compromised...
Who: os
When: January 7th, 2005
Says: hi. great script! but is it possible to implement a simple timeout for the session? for example after 5 minutes without any traffic, the session expires?
Who: u24
When: January 10th, 2005
Says: good idea; done - see code above :-)
Who: SoiL
When: January 12th, 2005
Says: great script :P
Who: The Tyke
When: January 24th, 2005
Says: Works fine for me. Great script!!!!!!!!!!!!
Who: 2xD
When: January 31st, 2005
Says: ow i got it working now :)
until now i can say it the best simple script around i saw (i tried 4 others).
Could you maybe add a hammering protection line, so if you enter a wrong pass 5 times in a row it doesn't give you a chance to login for 24 hours... ?
sorry for flooding your guestbook.
Who: u24
When: February 1st, 2005
Says: hammering protection... good idea, you might see an update soonish
and don't worry about flooding the guestbook - that's why i have an admin area ;-)
Who: myrtlebchsun
When: February 15th, 2005
Says: Script rocks...thanks!
Who: karen
When: February 17th, 2005
Says: Great script. Thanks!
For those worried about the password shown in the php code, then store the password in a directory outside the public html folder, use your php.ini file to include that folder in the include_path and then reference the externally stored password variable in the above code.
Who: u24
When: February 18th, 2005
Says: or instead of saying
$cmp_pass = md5("password");
calculate the md5 hash (see hash calculator in online tools), and say
$cmp_pass = "c21f969b5f03d33d43e04f8f136e7682";
(replace with your own hash obviously)
but bear in mind that it's fairly easy to brute force an md5 hash (of less than 10 chars)
Who:
When: March 4th, 2005
Says: A total php ignorance. I need some help. I am getting the message:
Notice: Undefined index: pass in index.php on line 16.
---
from u24:
yeah, this is because your PHP is set up to show all errors, even notices. change php.ini's error setting to E_ALL & ~E_NOTICE
(that's from memory, so might be wrong, but just search php.ini for 'error' and the comments will explain all)
Who:
When: March 12th, 2005
Says: how i can to protect on another page by the Session?
thanks
---
from u24:
two ways, either save the phpPass source as a separate file, eg pass.php, then in all pages you want to protect
include("pass.php");
at the top
or paste the phpPass code on all pages.
(the first method is the best)
Who: Fergus Raphael
When: March 30th, 2005
Says: Fantastic script. I have a complex site in the works, but only a couple of people will ever use the CMS updater I built. This way I can focus on all the other scripting I'll need to make work, and not have to spend a day configuring member tables and all that mess just for a couple of admins to use.
---
from u24:
exactly the kind of use this is designed for - glad you've found it useful :-)
Who:
When: April 11th, 2005
Says: Great script i can't see the password in the source code???? but when i log in and go to look at that page again e.g. refresh the page i got to login in again. no nother probably better if it's like that thanks anyway
Who:
When: April 11th, 2005
Says: Hey, what about hammering protection... ,
February 1st is already way back... :(
anyway, it's a cute script , I'll use it !!!
---
from u24:
yeah I know, but I have too much other work. It will come though. oh yes, it will come...
Who:
When: April 12th, 2005
Says: Hi works great but as noted above if you refresh the page you have to login again. Great BUT if instead of logging in you press 'back' in browser you're in again. Also if you logout with the script you supplied and then press back in browser twice you're also back in. Is there any way round this please? Thanks.
---
from u24:
when you press back, the browser simply takes the page from its cache; if you refresh, it should give the login screen again (unless you repost the password)
You could modify the script to send a Pragma: nocache header, but I'm not sure if all browsers would comply.
Who:
When: April 13th, 2005
Says: Thanks I'll look into that!
Who:
When: April 27th, 2005
Says: I don't think I'm a stupid person, but I just can't get this to work. I put a hyperlink where it says... "Your protected stuff goes here".... but I just can't get this to work.
So is it correct that you paste the entire code into an html document and save it as php. I'm using dreamweaver, so maybe I am a stupid person. I did a chmod to 777 hoping that was it, but still no luck. The page shows, and I've changed the password, etc... but nothing opens up after inputting the password. ???
---
from u24:
are you sure your server supports PHP? if you're only running the code locally, (eg the address of the page doesn't start with http), then it won't work.
Who:
When: May 8th, 2005
Says: It's a great script!
Can we add an alert generated upon submitting an incorrect password?
---
from u24:
good idea, will do at some point.
Who: LiQUID
When: June 16th, 2005
Says: thanks dude, you rock!
Who:
When: June 22nd, 2005
Says: great effort.thanx
Who: Guy
When: July 8th, 2005
Says: I'm having a problem running this tidbit of code with your password protection page:
setcookie("cookie", "value", time()+45);
It tells me the header info couldn't be altered.. Is there any way around this?
---
from u24:
I can't see why it should cause that problem; if it's giving you the password form, it exits and your code won't be run, if not, nothing is output, so your code should run fine; could you email me a copy of the file you're trying to get to work?
Who:
When: July 18th, 2005
Says: Cool simple script!
How could we add a message when you don't type the password right?
---
from u24:
change:
// and exit
exit();
}
to:
// and exit
exit();
} else {
echo "bad password";
}
Who: Shao
When: July 20th, 2005
Says: Oh, I love you for this simple and great script. ^^ Easy to use and great to protect sites! ^_^
Thank you!
Who: Alan
When: July 20th, 2005
Says: Can this be added to HTML files or ASP files on servers with PHP support? Or can this only be used with web pages built using PHP?
---
from u24:
it'll only work on servers that support PHP.
Who: joe
When: July 22nd, 2005
Says: this is great - everything else I tried didn't work.
Who:
When: July 24th, 2005
Says: I hate to be so dumb, but I couldn't get this to work. This is the source code I used for the page. I'm not sure where to change the password, but tried the default and that didn't work. Can you help dummies?
---
from u24:
change:
$cmp_pass = md5("default");
to
$cmp_pass = md5("YOURPASSWORDHERE");
and it should work :-)
Who: Michael
When: August 16th, 2005
Says: Can this be used to use multiple passwords? They would go to the same page, but I want to allow two different passwords.
---
from u24:
Good idea; I've added this and more to the latest version - redownload it and check it out :-)
Who: leah
When: August 21st, 2005
Says: I was wondering if it is possible to integrate random password generator into this... the reason being, i want to password protect multiple pages using a script such as this, but i want to change the password often and i don't want to do it manually. i tried integrating random password generator, but it only works for the first page, and as soon as you move on to the next page, the login window appears even though the session hasn't expired.
w/ my limited knowledge, i'm stuck. do you have any idea as to how to implement this idea? i'd appreciate any help i could get.
Who: leah
When: August 21st, 2005
Says: sorry for two posts in a row, but i wasn't being very clear in the above post...
what i meant by that was, that i don't need my password to be a secret, but rather i want it to be dynamic (a different password is used every time you try to log in), so it really doesn't matter whether the password is kept secret or not. i'm thinking of using this script as "a gate" to my protected pages... so someone won't access my files illegally (they have to go through 'the gate' if they wish to access them). i don't know if i'm making any sense to you, but if you could help me, i'd appreciate.
---
from u24:
not sure how easy this would be; if the password is randomly generated, the script would need some way of remembering the random passwords.. it sort of defeats the object. My suggestion would be to just add a few extra passwords and change them every month or so...
Who: Tim
When: August 28th, 2005
Says: This is excellent work! After having recently seen how easy it is for me to write scripts to brute force my own basic auth protected directories, I've been scouring about looking for ways to guard against unauthorized access. I would suggest, though, adding a Captcha method to further guard against the machines.
---
from u24:
It would be fairly easy to add freeCap to this; see the 'php mysql projects' page
Who: Michael
When: September 5th, 2005
Says: Can the form be altered so that one password takes you to one page and the another password takes you to a second page?
---
from u24:
yes, this would be a fairly easy addition, try doing it yourself, and feel free to email me if you have problems.
Who: u24
When: September 7th, 2005
Says: on further inspection, the redirection for different passwords turned out to be a bit of a tricky one - expect updated code soon.
Who: alia
When: September 27th, 2005
Says: I've implemented this script on a couple pages (including the separate pass.php file on each page) but it still prompts me to re-enter a password for each page before all are readily accessible. Also, the password page doesn't act as a pop-up, it loads as its own page in the current browser. How do I change these things?
Who: alia
When: September 27th, 2005
Says: PS: ignore the bit about it being a pop-up. i am an idiot :)
Who: Michael
When: September 28th, 2005
Says: Any luck getting the redirection for different passwords to work?
Who:
When: September 28th, 2005
Says: I keep getting the following error after I fill out correct password, can you please help:
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /data/home/bluefish/WWW/index3.php:3) in /data/home/bluefish/WWW/index3.php on line 5
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /data/home/bluefish/WWW/index3.php:3) in /data/home/bluefish/WWW/index3.php on line 5
Thanks
Line 5 is: session_start();
THANKS,
Taree
Who: u24
When: September 29th, 2005
Says: I will answer all these questions in about a week from now - sorry, I just don't have time right now :-(
Who: u24
When: October 13th, 2005
Says: ok..
I will write code to allow different passwords to go to different pages.. just not yet. If I haven't done it before mid-november, give me a yell.
alia: try typing the following minus quotes: "javscript:alert(document.cookie);" into one of the pages after you've tried entering the password; it should give you a session-id (PHPSESS=dhaasdjksahdjksahd) if not, it's a session problem, try looking at php.ini for session options; maybe you've not got them enabled. If you do get a session id in the cookie, try loading a file with the following data:
and email the results to me along with your OS, the server OS, your browser and version- your problem sounds rather odd.
taree:
make sure line 1 is session_start - if php outputs anything (via echo, print, etc) the session won't start properly and php will throw an error.
Who: u24
When: October 13th, 2005
Says: alia: sorry, typo and ambiguity.
type "javascript:alert(document.cookie);" into the address bar of your browser after you've tried entering the password.
Who:
When: November 23rd, 2005
Says: Hi,
How are you going with the multiple password/multiple destination thing? I have absolutely no idea what I'm doing, so you'd have to do it for me, if you would be so kind!
In case you're wondering what I'm blathering about, I want different people to visit the login and then, when their password is correct, they are directed to their own personal page.
Thanks!!
Watto
Who:
When: November 29th, 2005
Says: Okay i'm really stupid and this isn't working at all, this is the page I want protected for now while i practice http://thefinalage.5gigs.com/little pass thing
Although I don't really know how to use php all I did was but and close it in certain spots
---
from u24:
I don't think that'll work; try using the standard php open/close tags: see http://tinyurl.com/bztgb
Who: scoob8000
When: December 7th, 2005
Says: Really nice work! A very small, flexible script to do exactly what I needed without all the extra bloated stuff others come with!
I also commend you on your use of comments in your code. Keep up the good work!
---
from u24:
:-D thank you, you've put a smile on my face.
"without all the bloat" is *exactly* what it's intended to be. A password script for people who simply want a password script. :-)
Who:
When: December 31st, 2005
Says: Hey. I really like this script, but I'm having a problem. I'm using it on top of another password protected page; this script works fine, and I am able to log in to the second pass, but whenever I go to a new page, it says to login again... and it loops like that. Any ideas? Thanks.
---
from u24:
it might be a conflict in variable names; try renaming all the session variables from one of the scripts.
Who:
When: May 16th, 2006
Says: Hello,
Great script It's just what I need.
But a username and password would be safer.
Also the use of sha1 in place of md5 is more safe.
thank you for the great script
---
from u24:
Good idea, but I wanted to keep it as simple as possible - I coded it for my own needs, and was annoyed that all the PHP password scripts out there were fully blown "website access managers" with a gazillion 'features' that you don't need.
I just wanted a simple no fuss no bloat password script, so that's what this is.
That said, yeah, a future version will include user/pass possibilities.
Who:
When: May 27th, 2006
Says: Another great script and works flawlessly!!
Just wondering how I could make the .ht_badlogins log file readable from another webpage and make it a passworded page?
I tried giving the log file a .php extension and including the pass.php file, but it does not write the logs to the file then.
---
from u24:
you could do something like this in a new file:
include("pass.php");
echo file_get_contents(".ht_badlogins");
:-)
Who:
When: May 28th, 2006
Says: Very nice! Works like a charm.
Thankx!
Who:
When: July 27th, 2006
Says: Fine looking script indeed! I'll try this baby out ASAP.
Who:
When: July 29th, 2006
Says: WHEN THE SCRIPT IS ONLINE, YOU CAN'T SEE THE SOURCE OF PHP. PHP IS INVISIBLE FOR VIEWERS ONLINE. SO VERY SAFE.
Who: Pal
When: October 23rd, 2006
Says: Hi!
This seems to be a very good security script, thank you!
I'm planning to use it on my new website. I was wondering (cause I don't know much about it): would it be secure enough for the site to resist a hacker's patient attack?
I'm concerned about that.
I've read that sha1 hashing is stronger than md5, is it true on the web too?
If it is, other than suggesting you to use sha1 method on this script, I was thinking: could it be easy and enough to add a random text string to the password via php, so that the pw+string will be more than say 15 chars to be md5-hashed?
A long-enough semi-random per-session password would give us the best security, isn't it so?
Let us know, howard you're the best!
Pal
---
from u24:
It all depends how patient and skilled the hacker is. Don't use it to protect military/governmental secrets, do use it to protect your online diary.
For things that need to be ultra-secure, consider storing them offline, encrypted by gpg.
From a hacker's viewpoint, the best option would probably be compromising another part of the website in order to reveal the password (or PW hash).
MD5 hashes can be cracked in a few hours, dependent on length, and there is an online hash cracker here: gdataonline.com
I don't know enough about SHA1 to comment, except to reiterate what you said: I've heard it's more secure.
yours,
-h.
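On the hashing question raised in this exchange: one alternative to a bare md5() or sha1() of the password is PHP's built-in password_hash() / password_verify() pair (PHP 5.5 and later), which salts every hash and is deliberately slow to compute. The following is an added example, not part of PHP Pass; the function names, the `$cmp_hash` list and the session key `mpass_ok` are assumptions made for illustration.

```php
<?php
// Added example, not part of PHP Pass. All names here are hypothetical.

// Run once, offline, to produce a line for a settings file kept outside the
// document root. var_export() single-quotes the hash, so its '$' characters
// can never be treated as variables.
function make_settings_line(string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    return '$cmp_hash[] = ' . var_export($hash, true) . ';';
}

// Check a submitted password against every stored hash.
// password_verify() reads the algorithm, cost and salt from the hash itself.
function password_matches(string $submitted, array $hashes): bool
{
    $ok = false;
    foreach ($hashes as $hash) {
        if (password_verify($submitted, $hash)) {
            $ok = true;
        }
    }
    return $ok;
}

// Keep only a yes/no flag in the session instead of a hash of the password.
// $session stands in for $_SESSION so the example runs from the command line.
function try_login(array &$session, string $submitted, array $hashes): bool
{
    $session['mpass_ok'] = password_matches($submitted, $hashes);
    return $session['mpass_ok'];
}

// Constructed sample data: two accepted passwords, as in the $cmp_pass list.
$cmp_hash = [
    password_hash('default', PASSWORD_DEFAULT),
    password_hash('another', PASSWORD_DEFAULT),
];
$session = [];

echo make_settings_line('default'), "\n";

// Unsalted: the same password always gives the same md5, so one precomputed
// table covers every site that uses it.
var_dump(md5('default') === md5('default'));

// Salted: hashing the same password again gives a different string,
// yet both strings verify against the password.
var_dump(password_hash('default', PASSWORD_DEFAULT) === $cmp_hash[0]);

var_dump(try_login($session, 'another', $cmp_hash));
var_dump(try_login($session, 'wrong guess', $cmp_hash));
```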
Who: Lazarus
When: January 5th, 2007
Says: Very nice.
But how to stop asking for password after every "back"?
I'm new to PHP and cannot understand all of the code yet.
Who:
When: January 7th, 2007
Says: I'm just a beginner in this field. I have made a web site where I want to keep the tracks of how many people have visited my website. It's really a small scale three to four pages.
What I want is, to save the entered password and email id somewhere in the computer is that possible ?
I would be thankful if you could help me out.
If you could find the solution could anyone email me on my hotmail id.
---
from u24:
search for howto articles about saving to text files, look up fwrite().
Who:
When: January 18th, 2007
Says: Thanks so much for this script! I know it's been said before but you did a really nice job and I appreciate it!
P.S. Any luck with the whole "different passwords, different pages" thing?
Thanks Again,
Daniel
---
from u24:
thanks for your comments.
I haven't even tried updating it yet. I'm really busy as always, sorry.
Who:
When: January 21st, 2007
Says: Not a problem at all! Thanks again for the original script.
Daniel
Who: cig
When: January 31st, 2007
Says: how do i add the file to my html web page
do i need to save the file to be protected as php file?
---
from u24:
yes :)
Who: cig
When: February 1st, 2007
Says: why do i get bad password if i put the password info in a file by itself and then include it in the rest of the code
eg can i do this
$cmp_pass = Array();
$cmp_pass[] = md5("default");
$cmp_pass[] = md5("another");
can this be in a file by itself?
---
from u24:
yeah, if you call that settings.php
you can have password.php include settings.php before the rest of the password code, and then have the page you want to protect include password.php.
Who:
When: February 8th, 2007
Says: Thanks for the script! Was using htaccess, but needed something that had a timeout.
Who: tepee
When: February 22nd, 2007
Says: Can this script be used with a CMS that is dynamic, meaning only the index.php file exists on the server. All other pages are pulled from a MySQL database and created as called by our browsers. I don't want to protect my index.php, I want to protect a dynamic page from the database. Therefore I can't add anything to the top of the page because it doesn't exist yet!! Is this clear?
thanks
---
from u24:
if you mean that URLs look like this: index.php?page=4 then yes, you can use it; just put it at the top of index.php
otherwise, I'm not sure what you mean.
Who: teepee
When: February 26th, 2007
Says: It works fine on my index.php page but how do I get it working on another page, let's say, mysite.com/members-area/ , where this url does not have an index.php page, its content is in the database only. Can I tell your script to intercept calls to that url only?
Thanks
---
from u24:
still not really understanding what you mean by the content is in the database only; there must be a page that pulls the data from the db and presents it to the browser as html - put the password script there...
email me with an example if you like.
Who: teepee
When: February 28th, 2007
Says: Hi again
Yes, the index.php page pulls everything from the database. I put your script there and it does protect index.php when I access it in the browser. So I type in my password then I can access all pages in my menus.
Modrewrite is used extensively in this cms (sNews) so if you're an htaccess guru I can post this file and you can see what it's doing.
php_value session.use_trans_sid 0
RewriteEngine On
#RewriteBase /sNews15
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.*) $1 [L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)$ index.php?category=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?category=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z_]+)/([^/]+) index.php?category=$1&title=$2 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z_]+)/([^/]+)/([^/]+)/ index.php?category=$1&title=$2&commentspage=$3 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z0-9_-]+)/([0-9]+)/ index.php?category=$1 articlespage=$2 [L]
There you go. All urls are rewritten using the RewriteRules to make them Search Engine Friendly. I'm not sure if this will help or not.
Somehow index.php is processing the request for all urls and pulling them from the database, so how we can intercept certain ones is what I'm trying to achieve.
Like I said, I can only add your script into index.php which then enables all pages pulled from the dB.
teepee
Who: u24
When: February 28th, 2007
Says: I think I understand what you're trying to do, but without seeing the code for index.php I can't really help; if you want index.php to only give the password when a certain variable is sent (eg via mod_rewrite), then just put the include in an if statement to that effect, eg:
if(isset($_GET['category']))
{
include("pass.php");
}
Who: teepee
When: March 1st, 2007
Says: Thanks for your reply. Your suggestion may be the answer. Here's the index.php code. It's very simple. Basically the sNews php functions are included here. See if you can determine where to add your suggested code.
Categories:
New comments:
New Articles:
Barbecued by sNews
Thanks
tyee
Whoops, I see php/html code is not allowed.
I might have to email it to you.
Who: teepee
When: March 1st, 2007
Says: Well I'll try and comment out the php/html and see what happens again, if it doesn't work I can give you a link to a jpg of the file.
Thanks
tyee
Who: teepee
When: March 1st, 2007
Says: Well I made a tinyurl for the jpg of the code.
http://tinyurl.com/3ye53e
See what you think
Thanks
tyee
Who: Shudson8472
When: March 2nd, 2007
Says: I quite like your script and have it working
on my site/page
Just a quick question: How is it possible to send/redirect the user to another page if they type the wrong password instead of just going back to the login screen?
Thanks for a super script
Who:
When: April 29th, 2007
Says: Hello,
I just installed your script on my pages but now I see that I still need to login to every page within the same folder.
What am I doing wrong?
Thanks in advance, Aleks
---
from u24:
possibly a cookie problem; make sure that your browser accepts cookies.
Who:
When: April 30th, 2007
Says: It does accept cookies.
I tried with several browsers & several PCs. :(
Any other idea?
---
from u24:
then it might be a problem with sessions on your server; try doing var_dump($_SESSION) at the top of each page so you can see what, if anything gets put into the session. once you've logged in, the session should reflect that on every page.
Who:
When: May 6th, 2007
Says: Good day. Excellent script! Question: How would you modify said script to request username (in addition to password) and THEN dynamically pass (read inject) the said username and password as variables into the target html page to be served? I am a newbie.
Reason for asking: I am working on a project that would benefit from this type of functionality. Thanks very much in advance.
---
from u24:
take a look at my HTTP header tutorial, that'll probably help.
Who: lsw
When: June 1st, 2007
Says: WOW! A great and simple script which performs as advertised! Thanks. You may have already had this comment, but it is so simple to protect your whole site if you are using an include("header.php"); page on all your pages. I just created a pass.php page with your EXACT script, then put an include("pass.php"); at the very top of my header page, and BANG - it protects every page, and lets you enter every page once the password is entered.
Thanks again for the simple, effective script.
---
from u24:
thank you! I'm fairly happy with it, though a future version might use HTTP authentication, just to look cool.
Who:
When: July 7th, 2007
Says: I am an extreme newb to php and am wondering if there is any way that I could make it so this script would protect an entire directory, without each page being php, and having a line of code injected into it. I am in need of something that would protect the directory of all of my log files, which are all automatically created daily and in plain text and having hundreds already, I am hoping there is a way for the entire directory
---
from u24:
no, this script can't do that- look up info on htaccess and htpasswd - that'll do the job for you.
Who: Pete
When: August 5th, 2007
Says: Can you arrange it so that each different password gets redirected to a different URL?
Who: Calum
When: December 29th, 2007
Says: GREAT SCRIPT thanks so much this is an amazing script THANK YOU
Who:
When: January 20th, 2008
Says: Great ideas and stuff. Thank you.
I have modified your "pass" in five ways.
1) Made it stand-alone so protected files only need a line of
<?php require_once("lock.php"); ?>
at the top.
2) Added the capability, not the requirement, of a user name as well as password, so multiple people can get their own password.
3) Added the capability, not the requirement, of storing the user names and passwords in an external file, for
a) ease of editing outside the code.
b) "hiding" it outside the documentroot structure to prevent accidental serving it. Although it is a real PHP file, so if it is served it is blank.
4) Put the HTML code into a PHP heredoc quoted block.
5) Added comments and a Usage block.
(Plus some minor "clean-up" -- always in the eye of the beholder!)
I release my changes under the GPL.
So, here is my "lock.php". I have changed all the opening angle brackets of tags to the entity "& l t ;" .
Jeff Hennick
<?php
/************************************************************
*
* PHP Pass Copyright 2005 Howard Yeend
* www.puremango.co.uk
*
* This file is part of PHP Pass.
*
* PHP Pass is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* PHP Pass is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with PHP Pass; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*
************************************************************/
/************************************************************
Usage:
Edit this file for the user definable variables values you want.
Edit / Add user names and pass words.
Recommended: use the external file for ease of maintenance;
and save that file outside of the document_root so it can not be
served accidentally.
User names and passwords are case sensitive.
They may contain any keyboard characters except double quote (") and backslash (\).
User names and passwords will have leading and trailing spaces removed.
User names and passwords are separated by a single space.
This file must be in the directory of the protected file(s).
Protected files must have an extension of ".php" and not ".htm" or ".html".
Protected files must have this as the first line:
< ?php require_once("lock.php"); ? >
(No spaces around the "?"-marks.)
(If you rename this file, change the above to this new name.)
************************************************************/
$cmp_pass = Array();
//--------------------------
// user definable variables:
//--------------------------
// maximum number of seconds user can remain idle without having to re-login:
// use a value of zero for no timeout
$max_session_time = 5;
// type of alert to give on incorrect password:
// eg:
// $alert = "joe@foo.com"; - sends email to joe@foo.com
// $alert = "blah"; - appends to file named 'blah'
// $alert = ""; - no alerts
$alert = "./.ht_badlogins";
// acceptable passwords:
/* Load an external file of password(s). For maximum security, this should be outside the "Document Root" directory.
That file MUST begin with < ?php and end with ? > (No spaces around the "?"-marks.)
The other lines are:
$cmp_pass[] = "password";
or
$cmp_pass[] = "user_name password";
Notes: No spaces at beginning or end. ONE space between user_name and password.
Both user_name and password may have internal spaces.
Each may have any keyboard characters but double-quote (") and backslash (\).
Upper and lower case is respected.
The semi-colon (;) at the end of each line is mandatory
There is no complaint if the file does not exist, but there may be if it is not good PHP code.
Change "path/to/external/keys_file.php" to your file and its path.
*/
include_once("path/to/external/keys_file.php");
// passwords may also be here. They are not so safe and harder to change. These should be changed or commented out.
$cmp_pass[] = "default";
$cmp_pass[] = "another_password";
// add as many as you like
// maximum number of bad logins before user locked out
// use a value of zero for no hammering protection
$max_attempts = 3;
// time delay between bad logins. In seconds. This is added for each attempt.
// use a value of zero for no hammering protection
$time_delay = 3;
// session name. Needs to be changed only if using multiple sets of documents and passwords.
$sess_name = "m_pass";
//-----------------------------
// end user definable variables
//-----------------------------
// session_start() does not take a session name; set it with session_name() first
session_name($sess_name);
session_start();
// Hash the passwords before they go into $_SESSION
function myMd5(&$value,$key) {
$value = md5(trim($value));
}
array_walk($cmp_pass, "myMd5");
// save session expiry time for later comparison
$session_expires = isset($_SESSION['mpass_session_expires']) ? $_SESSION['mpass_session_expires'] : '';
// Clear the message
$_SESSION['mpass_msg'] = '';
// have to do this otherwise max_attempts is actually one less than what you specify.
$max_attempts++;
if(!empty($_POST['mpass_uname']) || !empty($_POST['mpass_pass']))
{
// store md5'ed password
$_SESSION['mpass_pass'] = md5(trim(trim($_POST['mpass_uname']) . " " . trim($_POST['mpass_pass'])));
}
if(empty($_SESSION['mpass_attempts']))
{
$_SESSION['mpass_attempts'] = 0;
}
if(empty($_SESSION['time_delay']))
{
$_SESSION['time_delay'] = 0;
}
// if the session has expired, or the password is incorrect, show login page:
if(!in_array($_SESSION['mpass_pass'],$cmp_pass) && ($max_session_time>0 && !empty($session_expires) && mktime()>$session_expires) || empty($_SESSION['mpass_pass']))
{
if(!empty($alert) && !in_array($_SESSION['mpass_pass'],$cmp_pass))
{
// user has submitted incorrect password
// generate alert:
$_SESSION['mpass_attempts']++;
$_SESSION['time_delay'] += $time_delay;
$alert_str = $_SERVER['REMOTE_ADDR']." entered ".htmlspecialchars($_POST['mpass_pass'])." on page ".$_SERVER['PHP_SELF']." on ".date("l dS of F Y h:i:s A")."\r\n";
if(stristr($alert,"@")!==false)
{
// email alert
@mail($alert,"Bad Login on ".$_SERVER['PHP_SELF'],$alert_str,"From: ".$alert);
} else {
// textfile alert
$handle = @fopen($alert,'a');
if($handle)
{
fwrite($handle,$alert_str);
fclose($handle);
}
}
sleep($_SESSION['time_delay']); // Give them some time to wonder if the guess worked.
$_SESSION['mpass_msg'] = "User Name and Password mismatch.";
}
// if hammering protection is enabled, lock user out if they've reached the maximum
if($max_attempts>1 && $_SESSION['mpass_attempts']>=$max_attempts)
{
exit("Too many login failures.");
}
// clear session expiry time
$_SESSION['mpass_session_expires'] = "";
//? >
echo <<<eoq
<html>
<head>
<title>Enter Password</title>
</head>
<body>
<form action="{$_SERVER['PHP_SELF']}" method="post">
<h4>Password Protected</h4>
{$_SESSION['mpass_msg']}
<br>
<br>
User Name: <input type="text" name="mpass_uname">
<br>
Password: <input type="password" name="mpass_pass">
<input type="submit" value="login">
</form>
</body>
</html>
eoq;
// and exit
exit();
}
// if they've got this far, they've entered the correct password:
// reset attempts
$_SESSION['mpass_attempts'] = 0;
// update session expiry time
$_SESSION['mpass_session_expires'] = mktime()+$max_session_time;
// end password protection code
?>
Who: Sam
When: March 15th, 2008
Says: Can you arrange it so that each different password gets redirected to a different URL?
Who: keith
When: April 10th, 2008
Says: I have used the new php but if put anything into a user name field it lets you through? what am i doing wrong please.
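The behaviour reported in this comment follows from operator precedence in the login condition of the lock.php posted above: `&&` binds tighter than `||`, so a wrong password only reaches the login form once the session has also expired. The following is an added example, not part of PHP Pass or of the posted modification; the function names and sample credentials are hypothetical. It evaluates a condition of that shape next to a fail-closed form over constructed cases.

```php
<?php
// Added example: not part of PHP Pass or the posted lock.php.
// Function names are hypothetical; the credentials are constructed.
//
// $stored  : what the script keeps in $_SESSION['mpass_pass'] ('' if nothing was submitted)
// $valid   : the hashed $cmp_pass list
// $expired : the script's session-timeout test, reduced to one boolean

// Same shape as the posted condition: A && B || C,
// which PHP parses as (A && B) || C.
function show_login_as_posted(string $stored, array $valid, bool $expired): bool
{
    return !in_array($stored, $valid) && $expired || empty($stored);
}

// Fail closed: any single reason is enough to show the login form.
// The strict flag stops in_array() from comparing numeric-looking hashes loosely.
function show_login_fail_closed(string $stored, array $valid, bool $expired): bool
{
    return empty($stored) || !in_array($stored, $valid, true) || $expired;
}

// One accepted "user_name password" entry, hashed the way the script does it.
$valid = [md5('alice correct-horse')];

// label => [hash held in the session, has the session expired?]
$cases = [
    'nothing submitted'        => ['', false],
    'correct, session live'    => [md5('alice correct-horse'), false],
    'wrong, session live'      => [md5('alice guess'), false],
    'wrong, session expired'   => [md5('alice guess'), true],
    'correct, session expired' => [md5('alice correct-horse'), true],
];

foreach ($cases as $label => [$stored, $expired]) {
    printf(
        "%-26s as posted: %-6s fail closed: %s\n",
        $label,
        show_login_as_posted($stored, $valid, $expired) ? 'login' : 'PAGE',
        show_login_fail_closed($stored, $valid, $expired) ? 'login' : 'PAGE'
    );
}
```

The rows where the two columns differ are a wrong password on a live session and a correct password after the timeout; in both, the condition as posted serves the protected page.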
Who:
When: May 19th, 2008
Says: Did you ever answer the question by Sam on the 15th of March 2008? - Can you arrange it so that each different password gets redirected to a different URL?
We need to re-direct clients to their own databases.
I am not a programmer but developed a site for a client in GoLive and they now need more security.
---
from u24:
I most likely didn't answer it, no! It can be done, I haven't yet done it. Maybe one day ;)
Who: YanPL
When: May 27th, 2008
Says: it's great that you can merge it with mySQL passwording