modify password script to protect directory instead of individual file

[dpad]

Hi there,

I posted here a few days ago, but another problem has arised. I installed a PHP script (

http://www.zubrag.com/scripts/password-protect.php),

and it works great.

However, I want to protect a few PDF files. Unlike PHP files, I can't obviously can't attach the necessary password include code to the PDF.

Instead, I'm trying to figure out a way to protect an entire folder so that it includes my PDF files. So far, I've had no luck.

The password script is as follows:

<?php

###############################################################
# Page Password Protect 2.13
###############################################################
# Visit [URL unfurl="true"]http://www.zubrag.com/scripts/[/URL] for updates
############################################################### 
#
# Usage:
# Set usernames / passwords below between SETTINGS START and SETTINGS END.
# Open it in browser with "help" parameter to get the code
# to add to all files being protected. 
#    Example: password_protect.php?help
# Include protection string which it gave you into every file that needs to be protected
#
# Add following HTML code to your page where you want to have logout link
# <a href="[URL unfurl="true"]http://www.example.com/path/to/protected/page.php?logout=1">Logout</a>[/URL]
#
###############################################################

/*
-------------------------------------------------------------------
SAMPLE if you only want to request login and password on login form.
Each row represents different user.

$LOGIN_INFORMATION = array(
  'zubrag' => 'root',
  'test' => 'testpass',
  'admin' => 'passwd'
);

--------------------------------------------------------------------
SAMPLE if you only want to request only password on login form.
Note: only passwords are listed

$LOGIN_INFORMATION = array(
  'root',
  'testpass',
  'passwd'
);

--------------------------------------------------------------------
*/

##################################################################
#  SETTINGS START
##################################################################

// Add login/password pairs below, like described above
// NOTE: all rows except last must have comma "," at the end of line
$LOGIN_INFORMATION = array(
  'zubrag' => 'root',
  'admin' => 'adminpass'
);

// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', true);

// User will be redirected to this page after logout
define('LOGOUT_URL', '[URL unfurl="true"]http://www.example.com/');[/URL]

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 0);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', true);

##################################################################
#  SETTINGS END
##################################################################


///////////////////////////////////////////////////////
// do not change code below
///////////////////////////////////////////////////////

// show usage example
if(isset($_GET['help'])) {
  die('Include following code into every page you would like to protect, at the very beginning (first line):<br>&lt;?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?&gt;');
}

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
  header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<html>
<head>
  <title>Please enter password to access this page</title>
  <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
  <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</head>
<body>
  <style>
    input { border: 1px solid black; }
  </style>
  <div style="width:500px; margin-left:auto; margin-right:auto; text-align:center">
  <form method="post">
    <h3>Please enter password to access this page</h3>
    <font color="red"><?php echo $error_msg; ?></font><br />
<?php if (USE_USERNAME) echo 'Login:<br /><input type="input" name="access_login" /><br />Password:<br />'; ?>
    <input type="password" name="access_password" /><p></p><input type="submit" name="Submit" value="Submit" />
  </form>
  <br />
  <a style="font-size:9px; color: #B0B0B0; font-family: Verdana, Arial;" href="[URL unfurl="true"]http://www.zubrag.com/scripts/password-protect.php"[/URL] title="Download Password Protector">Powered by Password Protect</a>
  </div>
</body>
</html>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
  $pass = $_POST['access_password'];
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) ) 
  ) {
    showLoginPasswordProtect("Incorrect password.");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
    
    // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
    // So need to clear password protector variables
    unset($_POST['access_login']);
    unset($_POST['access_password']);
    unset($_POST['Submit']);
  }

}

else {

  // check if password cookie is set
  if (!isset($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    if ($_COOKIE['verify'] == md5($lp)) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLoginPasswordProtect("");
  }

}

?>

Any help would be greatly appreciated. I hate being such a newbie, but I just can't figure this out.

 

[feherke]

Hi

The files are served by the web server. If you want that certain files in certain circumstances to not be served, then tell that to the server.

If you use Apache, read Authentication, Authorization and Access Control and/or ask for more in forum65.

Feherke.

http://rootshell.be/~feherke/

 

[jpadie]

i would first look at the link that feherke has provided you and learn how to protect the directory as a whole from web access. this will apply to all resources within the directory.

then read up on serving documents dynamically via php. effectively you are seeking a mini form of document management system. i'm sure that i have posted something similar on this forum in the last 3 or 4 years. it's really just a combination of authentication and authorisation management. note that your script above just handles authentication.

As a side note, you really should not trust any security script unless and until you have dissected it line by line and truly understand what it is doing, how it is doing it and validating that it is doing so in both the way that you anticipate and the way that you want.

 

[dpad]

Thanks guys.

thanks for the replies. The catch is that my client wants a custom login form instead of the default .htaccess login.

Is there a way to redirect a custom php login to .htaccess?

 

[jpadie]

you have not understood my post. try searching as I suggested.

 

[feherke]

Hi

Yep, jpadie mentioned what worth to be mentioned so far.

But if you tell us whet web server are you using, maybe someone knows about alternatives too.

Feherke.

http://rootshell.be/~feherke/