PHP Script for Password Protecting Web Pages

This simple PHP script allows you to provide password protection for part of a web site, for those who do not have access to their web server's implementation of the HTTP basic authentication scheme. It works in conjunction with a JavaScript function which is called in the header of each protected web page.

This protects against a casual attempt to access protected pages, but because it relies on JavaScript running in the user's browser, it shouldn't be considered for anything where security is a critical issue. A user would still need to know the specific URI of a protected page in order to access it, as it would not be referenced directly by any page.

This password mechanism will be effective provided that:

  1. There are no direct links to protected pages.
  2. Protected pages are excluded from search engines.
  3. JavaScript is enabled in the user's browser.

It assumes that access to the protected part of the web site is through an entry page, with a form containing a password prompt:

Try it (passwords are xyzzy, abcdef, 123456).

The normal route through the PHP script when called as above simply checks the given password against one contained within a list, and displays either the required entry web page of the protected part of the site, or reports that an invalid password has been given. The script allows for multiple passwords / entry web page combinations.

The script also sets up a cookie, which may be interrogated by the supplied JavaScript function inserted in the header of each page of the protected part of the site. This optional facility is intended to prevent the page from being accessed directly. If a valid password has been previously provided, the page is displayed as normal, otherwise an invalid password error is reported.

The basic form is coded as follows (without the styling):

<form id="myform" action="passwords.php" method="post">
Enter password: 
<input type="password" name="password" maxlength="12" />
<input type="submit" name="submit" value="submit" />
</form>

The password field must be called password, and the action attribute must contain the URL for the passwords.php script. If the password is valid the PHP script invokes one web page; if it is invalid it invokes a second.

The PHP script includes the following lines which determine valid password / URL combinations, which should be adjusted to meet your own requirements.

# Set up the password strings and associated URLs. Note that the elements of all
# but the last of this array are separated by commas.
$urlList = array ('xyzzy'  => 'valid.html',
                  'abcdef' => 'valid.html',
                  '123456' => 'valid.html'
                 );

# Set up the invalid URL
$invalidurl = "invalid.html";

The JavaScript code, which should be incorporated in the header of each of the protected pages, has the following line, which should be modified to reflect your own requirements:

var invalidurl = "invalid.html";
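
For comparison, a server-side variant of the password check and per-page check described above. This is an added example, not the code from the download. It assumes the protected pages are served through PHP (so the targets in $urlList would be PHP files in practice), and the function names entryPageFor, handleLogin and requireLogin and the session key entry_page are hypothetical.

```php
<?php
// Added example, not the code from the download. Assumption: protected pages
// are PHP files, so the check runs on the server before any content is sent.

// Password => entry page, values taken from the page's own $urlList.
$urlList = array('xyzzy' => 'valid.html', 'abcdef' => 'valid.html', '123456' => 'valid.html');
$invalidurl = 'invalid.html';

// Return the entry page for a submitted password, or null if none matches.
function entryPageFor($submitted, array $urlList)
{
    if (!is_string($submitted)) {
        return null;                      // rejects missing or array-valued input
    }
    $match = null;
    foreach ($urlList as $password => $url) {
        // PHP turns the numeric-looking key '123456' into an int; cast it back.
        // hash_equals compares in constant time.
        if (hash_equals((string) $password, $submitted)) {
            $match = $url;
        }
    }
    return $match;
}

// Login handler: record success in the server-side session and return the
// page to redirect to. The caller must have called session_start().
function handleLogin(array $post, array $urlList, $invalidurl)
{
    $url = entryPageFor(isset($post['password']) ? $post['password'] : null, $urlList);
    if ($url === null) {
        return $invalidurl;
    }
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['entry_page'] = $url;       // kept on the server; the browser holds only the session id
    return $url;
}

// Call at the very top of each protected PHP page, after session_start().
function requireLogin($invalidurl)
{
    if (empty($_SESSION['entry_page'])) {
        header('Location: ' . $invalidurl);
        exit;                             // stop before any protected content is output
    }
}
```

With this arrangement the page content is never sent to a browser that has not logged in, whether or not JavaScript is enabled.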

The download contains a sample passwords interface page complete with the required PHP code, a CSS file, sample valid and invalid web pages, and the JavaScript file. Install these in your main web directory, and then invoke the passwordstest.php web page.
