
Password Protect - Validation



Copy and save as validate.php:
<?php
header("Pragma: ");
header("Cache-Control: ");
header("Expires: Mon, 26 Jul 1980 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
//read the form fields explicitly: register_globals was removed in PHP 5.4
//(assumes the login form uses method="post" with fields named username and password)
$username = (isset($_POST["username"]) && is_string($_POST["username"])) ? $_POST["username"] : "";
$password = (isset($_POST["password"]) && is_string($_POST["password"])) ? $_POST["password"] : "";

// EDIT HERE TO SUIT YOUR NEEDS
//set usernames and passwords
//only letters and numbers (no spaces); "known as" can contain spaces
$uname[1] = "demo";
$upass[1] = "demo";
$known_as[1] = "demo user";
//additional users can be added
//$uname[2] = "demo";
//$upass[2] = "demo";
//$known_as[2] = "demo";


//the login page
$login_page = "index.php";
//where to go after login
$success_page = "1.php";
//the path to validate.php
$validate_path = "path to validate.php";
//login failed error message
$login_err = '<div align="center"><b>Your User Name or Password was incorrect</b></div>';
//no fields filled in
$empty_err = '<div align="center"><b>You need to login with your User Name and Password</b></div>';
//something entered that wasn't a letter or number error message
$chr_err = '<div align="center"><b>Please retry</b></div>';
// DO NOT EDIT BELOW HERE

//if the form is empty and the cookie isn't set
//then display error message then return to login
if ($username == "" && $password == "" && !isset($_COOKIE["this_cookie"])) {
    print($empty_err);
    include($login_page);
    exit();
}

//if the form is not empty and the cookie isn't set
//then make sure that only letters and numbers are entered
//if anything else was entered, display error message then return to login
//(the parentheses matter: && binds tighter than ||)
if (($username != "" || $password != "") && !isset($_COOKIE["this_cookie"])) {
    if (preg_match("/[^a-zA-Z0-9]/", $username . $password)) {
        print($chr_err);
        include($login_page);
        exit();
    }
}

//if the cookie isn't set
if (!isset($_COOKIE["this_cookie"])) {
    $user_count = count($uname);
    $user_exists = false;

    // check through all the users to see if they exist
    for ($i = 1; $i <= $user_count; $i++) {
        if ($uname[$i] === $username && $upass[$i] === $password) {
            $user_id = $i;
            //$welcome_name = $known_as[$i];
            $user_exists = true;
        }
    }

    if (!$user_exists) {
        print($login_err);
        include($login_page);
        exit();
    }

    //if the login is correct then set the cookie
    //crypt() needs an explicit salt from PHP 8 on; password_hash() wraps crypt()
    //and generates the salt itself
    $cookie_val = password_hash($uname[$user_id], PASSWORD_DEFAULT);
    //set the cookie so it dies when the browser is closed
    setcookie("name", $known_as[$user_id], 0);
    setcookie("this_cookie", $cookie_val, 0);
    header("Location: $success_page");
    exit();
}

//if a user tries to access validate.php directly and they are logged in
//($REQUEST_URI was a register_globals variable; use $_SERVER instead)
if ($_SERVER["REQUEST_URI"] == $validate_path) {
    echo "<html>\n<head>\n";
    echo "<title>You are logged in</title>\n";
    echo "</head>\n";
    echo "<body bgcolor=\"white\">\n";
    echo "You are logged in. <a href=\"" . $success_page . "\">Continue</a>\n";
    echo "</body>\n";
    echo "</html>\n";
}
?>


As I mentioned before, some things are outwith your control. In this case I have no control over the server (where this site is hosted) so page caching is a problem - for some reason no matter what code I use, the no-cache headers are ignored which basically means a copy of the protected page remains in the browser cache and can be viewed offline. However, as long as you log out, no one can log into the live site from the cached pages.

That said, I have tested the script thoroughly on 2 other servers and the caching problem is not an issue. So if your server allows no-cache headers you have nothing to worry about. It is not a serious problem, just an annoying one that I thought I should mention.

Apart from that, the script has plenty of comments so you can follow what's going on.
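The script above accepts any request that carries a cookie named this_cookie as logged in; the cookie's value is never checked. As an added example (not part of the original script), one way to make the cookie verifiable is to sign it on the server and check the signature on every request. AUTH_KEY, issue_token() and verify_token() are hypothetical names, the key is a placeholder, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the original script. AUTH_KEY, issue_token() and
// verify_token() are hypothetical names; the key below is a placeholder.
const AUTH_KEY = 'placeholder-load-a-random-32-byte-key-from-outside-the-web-root';

// Token layout: username|expiry|HMAC-SHA256(username|expiry).
// "|" is a safe separator because validate.php only accepts letters and digits.
function issue_token(string $user, int $ttl = 3600, ?int $now = null): string
{
    $payload = $user . '|' . (($now ?? time()) + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, AUTH_KEY);
}

// Returns the username when the token is authentic and unexpired, else null.
function verify_token(string $token, ?int $now = null): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;                       // wrong shape: not one of our tokens
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, AUTH_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // value was not issued by this server
    }
    if ((int) $expires < ($now ?? time())) {
        return null;                       // issued by us, but too old
    }
    return $user;
}

// Constructed sample values, with a fixed clock so the run is repeatable.
$issued_at = 1700000000;
$token = issue_token('demo', 3600, $issued_at);
$cases = [
    'token as issued'        => [$token, $issued_at + 60],
    'arbitrary cookie value' => ['x', $issued_at + 60],
    'username edited'        => [str_replace('demo|', 'demo2|', $token), $issued_at + 60],
    'token after expiry'     => [$token, $issued_at + 7200],
];
foreach ($cases as $label => [$value, $clock]) {
    $user = verify_token($value, $clock);
    echo $label, ': ', $user === null ? 'rejected' : "accepted as $user", "\n";
}
```

In validate.php the token would be passed to setcookie() as the value of this_cookie, and each isset($_COOKIE["this_cookie"]) test would become a check that verify_token() returns a username.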

Next we'll look at a protected page.



[Copyright © WebDevTips]