I've seen this question a number of times - just not here in SO. The answers to this point have all said to use credentials in javascript (and we all know clientside credentials is no way to do authentication :)
The scenario is that I want to control a certain page on my blog - until such time as I let it loose to everyone. I have my own domain, so I can host php scripts. I've already tried Blogger's reader filter - it's great, but for viewers without a gmail account, it's a real pain in the
Here's my solution (using Javascript - but without user+password verification on the client). It's a hack - but I've got other fish to catch and miles to go before I eat.
The initial page call is this:
http://YOUR.DOMAIN.COM/manager.php?p=login
That prompts for the username and password
- ala this: http://www.php.net/manual/en/features.http-auth.php
After login some encryption is done on an authentication cookie
- ala this: http://php.net/manual/en/function.mcrypt-decrypt.php
- or this: http://php.net/manual/en/function.openssl-decrypt.php
The cookie is set
- ala this: http://www.php.net/manual/en/function.setcookie.php
And then the php file calls this present page via the following
- header('Location: http://YOUR2.DOMAIN.COM/p/page.html');
* YOUR2.DOMAIN.COM points to blogger; the page is this file here which will grab the file data and insert it into a div on the page
- see info here: http://support.google.com/blogger/bin/static.py?hl=en&ts=1233381&page=ts.cs
Based on the param and confirming that the cookie is valid, manager.php gets the real file data and sends it out
- ala this: http://php.net/manual/en/function.file-get-contents.php
Just drop the following into a blank Blogger page - taking care to replace the instances of YOUR.DOMAIN.COM
<script type="text/javascript" src="http://YOUR.DOMAIN.COM/scripts/jquery-1.8.3.min.js"></script>
<script type='text/javascript'>
var $pageUrl = "http://YOUR.DOMAIN.COM/manager.php?p=page1"; // so cool how you could setup your own domain!

function doInitStuff()
{
    if ($alreadyInited) return;
    $alreadyInited = true;

    // a little hack - because though I said share cookies among (*) ".DOMAIN.COM" it wasn't getting sent
    // although it's obviously there since we get it here on YOUR2.DOMAIN.COM (originally set on YOUR.DOMAIN.COM)
    var $cookies = document.cookie;

    var $result = $.ajax
    ({
        type: "GET",
        url: $pageUrl,
        dataType: 'json', // or whatever
        async: false, // force this to complete before moving on (should be quick though - since already logged in)
        // username: 'username', // would get these from a prompt/html form - but should have already gone directly to the site to authenticate
        // password: 'password', // did it that way, because wasn't able to get the u/p to be properly sent... this new way is better anyway
        data: $cookies, // send along the cookies - they should show up in $_GET
        success: function (result, status, jqXHR){
            // good - but for some reason wasn't getting result - just move on...
        },
        error: function (){
            // not good
        }
    });

    if ($result.status == 200)
    {
        // insert our data into our nice Div
        $('#realpageinfo').html($result.responseText);
    }

    // grrrrrr. ie strikes again! use iframes instead
    var isMSIE = eval("/*@cc_on!@*/!1");
    if ($('#realpageinfo').html() == '' || isMSIE)
    {
        //$('#realpageinfo').replaceWith("<div id='realpageinfo' style='font-weight:bold;color:red'>Internet Explorer? Sorry, but please use a different Browser.</div>");
        $('#realpageinfo').replaceWith("<div id='realpageinfo'><iframe id='realpageframe' style='width:100%;height:700px' src='" + $pageUrl + "'></iframe></div>");
    }
}

// Don't mind this - multiple ways to ensure the main worker function is called
var $alreadyInited = false;
$(document).ready(function() { doInitStuff(); });
window.addEventListener('DOMContentLoaded',function() { doInitStuff(); });
</script>
<div id='realpageinfo'></div>
Now for the server side
<?php
$cookieName = 'my_auth_cookie';
$loggedInCookieVal = isset($_COOKIE[$cookieName]) ? $_COOKIE[$cookieName] : null;
if (!isset($loggedInCookieVal))
{
    // was it passed in instead of coming through the Cookie channel?
    $loggedInCookieVal = isset($_GET[$cookieName]) ? $_GET[$cookieName] : null;
}

// if $loggedInCookieVal is set, decrypt it and pull username + pwd from it - if succeeds, set $cookieValsDecrypted
$cookieValsDecrypted = false; // placeholder until the decrypt step above is filled in

// otherwise see if the user just sent them back in response to a challenge
// these are empty before login - and set in response to the challenge
$curUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$curPswd = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

if (!$cookieValsDecrypted && (!isset($curUser) || !isset($curPswd)))
{
    // ask the user to authenticate (again if have to)
    header('WWW-Authenticate: Basic realm="YOUR.DOMAIN.COM"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You gotta login bud - but you canceled instead";
    exit;
} else {
    // check $curUser and $curPswd against a db or .htpasswd file, etc - or check $cookieValsDecrypted
    $matched = false; // placeholder until the check above is filled in

    // if all good then send the file
    if ($matched)
    {
        switch($_GET['p'])
        {
            case 'login': // just came here to login - now done, go on to the real page that pulls the value
                header('Location: http://YOUR2.DOMAIN.COM/p/page.html');
                break;
            case 'page1':
                echo file_get_contents ('./page1.txt'); // show the data
                break;
        }
    } else {
        // else send the auth request again
        header('WWW-Authenticate: Basic realm="YOUR.DOMAIN.COM"');
        header('HTTP/1.0 401 Unauthorized');
        echo "Try something else, maybe";
    }
}
?>
That's it... feel free to improve. See it in action here ClyntonCaines.Com
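Added example, not part of the original answer: one way to build the "encryption on an authentication cookie" step with the openssl functions linked above, assuming the cookie carries a username and an expiry time rather than the password. `issueToken()`, `verifyToken()` and `TOKEN_TTL` are hypothetical names, and the key and user in the demo are constructed values.

```php
<?php
// Added example (not the answer's code). issueToken(), verifyToken() and
// TOKEN_TTL are hypothetical names chosen for this sketch.
const TOKEN_TTL = 3600; // seconds a login stays valid (assumed value)

// Encrypt and authenticate {user, expiry} with AES-256-GCM; no password inside.
function issueToken(string $user, string $key, int $now): string
{
    $iv    = random_bytes(12); // fresh 96-bit nonce for every token
    $plain = json_encode(['u' => $user, 'exp' => $now + TOKEN_TTL]);
    $tag   = '';
    $ct    = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// Return the username for a valid, unexpired token, or null for anything else.
function verifyToken(string $token, string $key, int $now): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 29) { // 12-byte IV + 16-byte tag + data
        return null;
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) { // modified, truncated, or made with another key
        return null;
    }
    $claims = json_decode($plain, true);
    if (!is_array($claims) || !is_string($claims['u'] ?? null)
        || !is_int($claims['exp'] ?? null)) {
        return null;
    }
    return $claims['exp'] > $now ? $claims['u'] : null;
}

// Constructed demo values; a real key is generated once and kept in server config.
$key   = random_bytes(32);
$token = issueToken('alice', $key, 1000);

$tampered     = $token;
$tampered[20] = $tampered[20] === 'A' ? 'B' : 'A'; // flip one character of the tag

var_dump(verifyToken($token, $key, 1500) === 'alice');           // inside lifetime
var_dump(verifyToken($token, $key, 1000 + TOKEN_TTL) === null);  // expired
var_dump(verifyToken($tampered, $key, 1500) === null);           // tampered
var_dump(verifyToken($token, random_bytes(32), 1500) === null);  // wrong key
```

In the flow above, manager.php would call `verifyToken()` on the cookie value before sending page1.txt. Because the fallback forwards the cookie value in the query string, where it ends up in access logs, the expiry bounds how long a logged value stays usable.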