Password Protected Pages

From FundaWiki

Jump to: navigation, search

This is a hack to achieve password protection of one or more frontend pages.

An example

Look at the following page structure:

(Can I upload an image to this wiki? Well until then you will have to settle with this illustration which is intended to reflect the page overview shown in the fundanemt window:) 

- Frontpage (1)
- Another public page (2)
- Private (3)
- - Private page (11)
- - Another private page (16)
- - Log out (13)
- Members (4)
- - Log out (14)
- Log in (5) [Hidden page]

( numbers in parenthesis are page ID's ).

The idea is to protect the page "Private" and its subpages with a password. And also to protect the page "Members", but with another password.

If a user is not logged in, he will not be able even to unfold the menu and see the subpages of "Private".

When he is logged in the subtree unfolds. The unfolded menu includes a page title "Log out", that of course lets the user log out again.

What you should do

Follow these steps:

1) Create a pagestructure similar to the one above.

2) The pages "Log out" are empty pages!

3) The page "Log in" is a hidden page with the following php-element: 

<?php

if ( $_GET['retry'] ) echo "<font color='red'>Wrong password</font>";
echo "<h2>".$_GET['zone']." zone requires password.</h2><br><br>";
echo "<form name='Login' method='post' ".
     "action='index.php?ID=".$_GET['accessID']."'>";
echo "Password: ";
echo "<input type='password' name='password' size='20'>";
echo "<input type='Submit' value='Login'>";
echo "</form>";

?>

4)

In the top of your index.php frontend template add the following (I myself prefer to keep this code in a seperate file and then include this file in index.php ): 

<?php

  session_start();
  header("Cache-control: private");

// EDIT THE LINES BELOW TO FIT YOUR SITE

// Private zone
$a_zonename = "Private"; // This name will be displayed on the login page
$a_zone = array(3,11,16);// enter protected page id's, fx: array(3,6,7)
$a_login_id = 5;         // page id for hidden page with login form.
$a_logout_id = 13;       // page id for logout of zone
$a_goto_on_logout = 3;   // page id for where to go when you logout
$a_passw = "privatepw";  // password for this zone

// Members zone
$b_zonename = "Members"; // This name will be displayed on the login page
$b_zone = array(4);      // enter protected page id's, fx: array(3,6,7)
$b_login_id = 5;         // page id for hidden page with login form.
$b_logout_id = 14;       // page id for empty page with title "log out"
$b_goto_on_logout = 4;   // page id for where to go when you logout
$b_passw = "memberpw";   // password for this zone

// EDIT THE LINES ABOVE TO FIT YOUR SITE

$id=$_GET['ID'];

// check if page id is protected:
if (in_array($id, $a_zone )){
  if ( $_SESSION[$a_zonename] != "yes" ){
    $password=$HTTP_POST_VARS["password"];
    if ($password == $a_passw ){
      $_SESSION[$a_zonename] = "yes";
    }
    else if ($password != '') $retry='retry';
  }
  if ($_SESSION[$a_zonename] != "yes") {
    // goto login page
    session_write_close();
    header("Location: index.php?ID=$a_login_id&accessID=$id&zone=$a_zonename&retry=$retry");
  }
} 
else if (in_array($id, $b_zone )){
  if ( $_SESSION[$b_zonename] != "yes" ){
    $password=$HTTP_POST_VARS["password"];
    if ($password == $b_passw ){
      $_SESSION[$b_zonename] = "yes";
    }
    else if ($password != '') $retry='retry';
  }
  if ($_SESSION[$b_zonename] != "yes") {
    // goto login page
    session_write_close();
    header("Location: index.php?ID=$b_login_id&accessID=$id&zone=$b_zonename&retry=$retry");
  }
}
// check if we should log out from a protected zone
else if ( $id == $a_logout_id ){
  $_SESSION[$a_zonename] = "no";
  session_write_close();
  header("Location: index.php?ID=$a_goto_on_logout");
}
else if ( $id == $b_logout_id ){
  $_SESSION[$b_zonename] = "no";
  session_write_close();
  header("Location: index.php?ID=$b_goto_on_logout");
}
?>

Now carefully edit the lines in the top of this last code, so the page ID's correspond to your actual pagestructure. The comments should explain clearly which ID's goes where. Also choose your own passwords and names for the zones a and b.

Limitations

1) There is no support for individual passwords for each user.

2) You need to edit this php code every time a new page is added to the subtree. It should be possible to have all pages in the subtree protected automatically by defining a zone-rootpage and then use the fact that fundanemt will know the parent of all subpages. Maybe someone who knows the fundanemt API could show the way.

3) The idea works best if you keep each protected zone in the same subtree, with the root page of the subtree as one of the protected pages.

4) Any cross-site functionality like "search" and "sitemap" does not know about the protected pages, which means they will still show links to these pages. Still, if you you follow the links, you will not be able to see the pages except when logged in.

5) There is no encryption of passwords.

Any comments are thankfully received. It would be fun to know if anyone uses this.

/Kristian Nørgaard, October 2005

Retrieved from "http://fundausers.org/wiki/Password_Protected_Pages"
Personal tools