I have created a management page for my php site. I have a management page that I created that I would like to secure (allow only me to access).
What is the easiest way to secure this page without creating a full fledged login system? This feels like overkill, and I am afraid of creating security vulnerabilities. I have no other needs for a login system for the rest of the site.
Any recommendations or ideas from other people that have done stuff like this?
As you ask for the easiest way,
You could just use your IP for comparing:
$myIP="your-ip-here";
if($_SERVER['REMOTE_ADDR']!=$myIP){exit();}
And maybe you could also do a little get param comparing too:
$myIP="your-ip-here";
$myGetParamPass="password";
if($_SERVER['REMOTE_ADDR']!=$myIP || $_GET['pass']!==$myGetParamPass){exit();}
And then access the page with YOUR IP address and with this link:
www.site.com/page.php?pass=password
But the method above will be no good if you're on a dynamic IP, which changes frequently.
I find the easiest way creating a secure area for a single user with "Htaccess".
Example:
http://webdesign.about.com/od/htaccess/ht/hthtaccess.htm
But this is not PHP or Mysql - but Apache.
The simpliest way I can imagine is
<?php
session_start();
if(isset($_POST['send'])){
if($_POST['pw'] == "somepassword"){
$_SESSION['LOGIN'] = true;
}
}
if(isset($_SESSION['LOGIN'])){
//your page
}else{ ?>
<form method="post" action=""> <p>Password:</p>
<input name="pw" type="password" />
<input name="send" value="send" type="submit" />
</form>
<?php
}
?>
create a cookie(use only once setcookie ("admin", "i'm admin", time() + $temps); or create it manually ) and use the following code in every webpage:
if (isset($_COOKIE['admin'])) {
//Do something
}
else { die(); }
The simplest method is the:
<?
session_start();
$user = 'YOUR_USERNAME';
$password = 'YOUR_PASSWORD';
if($_POST['user'] == $user && $_POST['password'] == $password){
$_SESSION['logged'] = true;
}else{
$_SESSION['logged'] = false;
}
if($_SESSION['logged']){
echo "Logged in"
}else{
echo "Acces denied";
}
?>
<?php
$realm = 'Restricted area';
//user => password
$users = array('Username123123' => 'Password1112313', 'Guest' => 'guest');
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$realm.
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
die('<h1>HTTP/1.1 401 Unauthorized</h1>');
}
// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
!isset($users[$data['username']]))
die('<h1>Wrong Credentials!</h1>');
// generate the valid response
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
if ($data['response'] != $valid_response)
die('<h1>Wrong Credentials!!</h1>');
echo 'Your are logged in as: ' . $data['username'] . '<hr />';
// function to parse the http auth header
function http_digest_parse($txt)
{
// protect against missing data
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
$keys = implode('|', array_keys($needed_parts));
preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
unset($needed_parts[$m[1]]);
}
return $needed_parts ? false : $data;
}
?>