  1. #1
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Posts
    48

    PHP password protecting a page problem

    I have been using a basic php script to password protect some pages on a site and it's been working well. The page that I want to protect has a 'require_once();' statement at the top, which references an "authorize.php" script, which I've included below.

    Previously with each web client I would buy them their own shared hosting account at my hosting company, but I recently made a change and bought unlimited hosting. With this I can install all of the domain names that I work with in sub-directories within my parent, or public, directory. The domain names now point to their respective folders within my top-level directory. The problem I'm running into is that the password protect script stopped working. It now behaves as if I'm entering the wrong password. Here's what I use, no doubt it's very familiar to you all (keep in mind I'm a complete beginner and easily overwhelmed by an explanation that's not "newbie friendly"):

    <?php
    // User name and password for authentication
    $username = 'username';
    $password = 'password';

    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
    ($_SERVER['PHP_AUTH_USER'] != $username) || ($_SERVER['PHP_AUTH_PW'] != $password)) {
    // The user name/password are incorrect so send the authentication headers
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Banjos Rule!"');
    exit('<h2>Banjos Rule!</h2>Sorry, you must enter a valid user name and password to access this page.');
    }
    ?>

    Now when I try to access the page that's protected, I get the standard pop-up box for entering usernames and passwords, but it doesn't recognize my password. It just keeps returning an error, although the password is right there in the script. Here's the path of the file:

    "www.topleveldomain.com/piggybackeddomain_folder/file_being_referenced.php"

    Any ideas on why it won't recognize my password? Thanks for your help.

  2. #2
    SitePoint Enthusiast premiumscripts
    Join Date
    Aug 2009
    Location
    PremiumScripts.com
    Posts
    55
    Try changing the script so it shows what it wants you to send (don't do this on your client sites though)

    Put this at the top of the script until the problem is fixed:

    PHP Code:
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
    Put this above the exit("<h2>..."); line:

    PHP Code:
    echo "<p>Username: {$_SERVER['PHP_AUTH_USER']} versus $username OR password: {$_SERVER['PHP_AUTH_PW']} versus $password</p>";
    die();
    This is just for testing, so reply with the output in this thread.

  3. #3
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Posts
    48
    Thanks so much for contributing. Here's the new 'authorize.php' script, which I show to make sure I set it up correctly per your instructions:

    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
    // User name and password for authentication
    $username = 'banjopaul67';
    $password = 'test';

    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
    ($_SERVER['PHP_AUTH_USER'] != $username) || ($_SERVER['PHP_AUTH_PW'] != $password)) {
    // The user name/password are incorrect so send the authentication headers
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Banjos Rule!"');
    echo "<p>Username: {$_SERVER['PHP_AUTH_USER']} versus $username OR password: {$_SERVER['PHP_AUTH_PW']} versus $password</p>"; die();
    exit('<h2>Banjos Rule!</h2>Sorry, you must enter a valid user name and password to access this page.');
    }
    ?>

    I tried to access the page again, and this is the output in the error message:

    Notice: Undefined index: PHP_AUTH_USER in /home/content/s/t/e/steampower/html/banjos_rule/authorize.php on line 13

    Notice: Undefined index: PHP_AUTH_PW in /home/content/s/t/e/steampower/html/banjos_rule/authorize.php on line 13

    Username: versus banjopaul67 OR password: versus test

  4. #4
    SitePoint Enthusiast premiumscripts
    Join Date
    Aug 2009
    Location
    PremiumScripts.com
    Posts
    55
    I tested this script locally on my PC and it worked fine. You did enter the username and password and you still get that error message? Add an else statement at the end of the script which just has echo "ok";

  5. #5
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Posts
    48
    The script used to work fine but like I said at the top of this thread, I made a server change and now have this particular website's files in a sub-directory of my main directory on the GoDaddy servers, with the domain name pointing at this sub-directory folder. But now the script is no longer working right. (I have the same script in another dedicated hosting account, and it works fine there. It also worked fine here until I nested my directories.) Again, the path to this file that isn't working:

    "www.topleveldomain.com/piggybackeddomain_folder/file_being_referenced.php"

    The "file_being_referenced.php" has a 'require_once('authorize.php');' statement at the top, so that when I try to access the file, it calls up authorize.php. As you would expect, a pop-up box appears asking for username and password. I fill in the info, but the box won't disappear, it just sits there as it would anytime you enter the wrong username or password. So it acts like I'm using the wrong username or password. Only when I go ahead and hit the cancel button am I able to output the error messages that I referenced above.

    So I added the else statement with the echo, but nothing changed. The password entry box still just sits there like I'm using the wrong username or password. Once I hit cancel, the same error messages are outputted. Any ideas?

  6. #6
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Posts
    48
    If you would like to see the error in action, go to www.banjosrule.com, and at the very top of the page, under the scrolling marquee, you'll see a hyperlink that says "admin". Click on admin and a username/password box will open. I have the username set to "test" and the password set to "test". Enter both and see what happens.

  7. #7
    SitePoint Enthusiast premiumscripts
    Join Date
    Aug 2009
    Location
    PremiumScripts.com
    Posts
    55
    When I try it on your site, I don't even get a popup box and simply go directly to your admin page. Are you sure you are calling the authorization file? (require)

  8. #8
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Posts
    48
    Hi premiumscripts, sorry about that. I thought the thread went cold and so I removed the require() statement from the file so that I could peek into the database. Check it out again...the admin link is now white and easy to find. I have the username set to test and the password set to test. Give it a try. Remember that it has something to do with hosting the Banjos Rule account inside my top level domain (Steam Powered Web.) This script works fine when I have it loaded in the top level domain, but not when I nest domains.

  9. #9
    SitePoint Enthusiast glsbrakes
    Join Date
    Nov 2007
    Posts
    77
    I needed to protect certain pages on my website, so I used a Redirect 1.31 from www.mpdolan.com. Free!!!!! It uses a MySQL database for customers and logs their hits. Just a suggestion.

  10. #10
    SitePoint Enthusiast premiumscripts
    Join Date
    Aug 2009
    Location
    PremiumScripts.com
    Posts
    55
    Ok, I did some checking.

    Do you have safe mode enabled? If so:

    As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

    Note: Configuration Note
    PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.

    Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server.
    So, it doesn't look like this is fixable in PHP; perhaps it is in Apache, but I can't help you with that.

  11. #11
    SitePoint Enthusiast glsbrakes
    Join Date
    Nov 2007
    Posts
    77
    The passwords are in a database in a secure MySQL. Never Mind!
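
The "Undefined index: PHP_AUTH_USER" notices in post #3 mean no credentials reached PHP at all, which the original script cannot tell apart from a wrong password. As an added example (not code from the thread or from any poster), this variant of authorize.php distinguishes the two cases, falls back to a forwarded Authorization header, and checks a password hash instead of a plaintext string. The account name, the hash placeholder, and the assumption that the server forwards the header in HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION are not from the thread; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the thread. AUTH_USER is a constructed name and
// AUTH_HASH a placeholder for the output of password_hash(), run once offline.
const AUTH_USER = 'example-user';
const AUTH_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

// Return [user, password] from the request, or null if none reached PHP.
function basic_credentials(array $server): ?array
{
    // Populated by PHP itself when it handles HTTP authentication.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // Assumption: the web server forwards the raw Authorization header in
    // one of these variables (typical workaround when PHP runs as CGI).
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && stripos($server[$key], 'Basic ') === 0) {
            $decoded = base64_decode(substr($server[$key], 6), true);
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                return explode(':', $decoded, 2);
            }
        }
    }
    return null;
}

function is_authorized(?array $creds, string $user, string $hash): bool
{
    if ($creds === null) {
        return false;
    }
    // Run both checks before combining them; hash_equals() and
    // password_verify() avoid the loose != comparison on plaintext.
    $userOk = hash_equals($user, $creds[0]);
    $passOk = password_verify($creds[1], $hash);
    return $userOk && $passOk;
}

$creds = basic_credentials($_SERVER);
if (!is_authorized($creds, AUTH_USER, AUTH_HASH)) {
    // Record which case occurred in the server log; never echo credentials.
    error_log($creds === null ? 'auth: no credentials reached PHP'
                              : 'auth: credentials rejected');
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Banjos Rule!"');
    exit('<h2>Banjos Rule!</h2>Sorry, you must enter a valid user name and password to access this page.');
}
```

Until AUTH_HASH is replaced with a real password_hash() value, password_verify() returns false and every request gets the 401.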

