I am trying to create a password protected website. Here I want to do if a user first time visit to my website then need to insert password to access my website. First time they entered the password they can freely access my website.
This is how I do it using javascript and php:
<?php if($page == 'index'): ?>
<script language="Javascript">
//prompt.
var password;
var correctPass = "123456";
password = prompt("Enter in the password:","");
if(password == correctPass) {
alert('click OK to view this site');
} else {
window.location = ""
}
//->
</script>
<?php endif; ?>
This is working but my problem is if user go to the index page again they need to insert the password.
can anybody tell me how I fix this issue. Thank you.
I am trying to create a password protected website. Here I want to do if a user first time visit to my website then need to insert password to access my website. First time they entered the password they can freely access my website.
This is how I do it using javascript and php:
<?php if($page == 'index'): ?>
<script language="Javascript">
//prompt.
var password;
var correctPass = "123456";
password = prompt("Enter in the password:","");
if(password == correctPass) {
alert('click OK to view this site');
} else {
window.location = "http://google."
}
//->
</script>
<?php endif; ?>
This is working but my problem is if user go to the index page again they need to insert the password.
can anybody tell me how I fix this issue. Thank you.
Share Improve this question edited Jun 10, 2015 at 8:15 venca 1,2226 silver badges18 bronze badges asked Jun 10, 2015 at 7:26 user3733831user3733831 2,94610 gold badges39 silver badges73 bronze badges 8- you need to save IP address of user in database and check everytime when request will e from same IP. If same then allow else validate. – Deep Kakkar Commented Jun 10, 2015 at 7:29
- 1 for anonymous user, consider storing information in cookie because you have no way remembering which user has entered password but it will be browser dependent then! – Rohit416 Commented Jun 10, 2015 at 7:30
- @DeepKakkar, Can I do this without using a database? thank you – user3733831 Commented Jun 10, 2015 at 7:30
- 1 Hmmm, are you really storing the correct password in javascript ? If so, anyone can see it with firebug and then enter freely... – Random Commented Jun 10, 2015 at 7:31
- 1 You should read a good book about security on web applications, because your starting point suggests that you don't have really good idea of how things are supposed to work... imho. – Masiorama Commented Jun 10, 2015 at 7:33
3 Answers
Reset to default 7Do not do this in JavaScript. Anyone can look at your source code and see the password. Do the password check in PHP instead. Then use $_SESSION variables to save the state while they are on your site. You may also want to use $_COOKIE variables for long term access, but just $_SESSION by itself is generally preferred in most cases for password access.
An alternate way to do it is with your web server. For example, if you are using Apache you can create a .htaccess file at the root of your website to ask for a name and password. That way you don't even need to code anything.
To do the second option, create a file called .htaccess in the root of your web directory. In the file put this in:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /opt/passwords/.htpasswd
Require valid-user
(where /opt/passwords is a directory location outside of your web directory. It can be anywhere you want, you just want to make sure it is not anywhere within your web directory (otherwise it will be available for public viewing)).
In that directory, create a file called .htpasswd. This file will simply take a username and encrypted password. This page will allow you to create your name with password encryption: http://www.htaccesstools./htpasswd-generator/ . Just paste that into your .htpasswd file.
With that said, any password you use can be intercepted if you are only using http and not https, but setting up https is a bit difficult if you haven't done it before.
This is not safe. User can have disabled JS.
One of correct ways is to use http auth.
first of all are you putting the plain password in java script itself??? never do that and also
if($page == 'index')
always constructs to true so the logic wont work use cookies or session