
How do you password protect a blogger post?

I've seen this question a number of times - just not here in SO. The answers to this point have all said to use credentials in javascript (and we all know clientside credentials is no way to do authentication :)

The scenario is that I want to control a certain page on my blog - until such time as I let it loose to everyone. I have my own domain, so I can host php scripts. I've already tried Blogger's reader filter - it's great, but for viewers without a gmail account, it's a real pain in the

Here's my solution (using Javascript - but without user+password verification on the client). It's a hack - but I've got other fish to catch and miles to go before I eat.

 The initial page call is this:
    http://YOUR.DOMAIN.COM/manager.php?p=login
 That prompts for the username and password 
        - ala this: http://www.php.net/manual/en/features.http-auth.php
 After login some encryption is done on an authentication cookie 
        - ala this: http://php.net/manual/en/function.mcrypt-decrypt.php
        -  or this: http://php.net/manual/en/function.openssl-decrypt.php
 The cookie is set
        - ala this: http://www.php.net/manual/en/function.setcookie.php
 And then the php file calls this present page via the following 
        - header('Location: http://YOUR2.DOMAIN.COM/p/page.html');
 * YOUR2.DOMAIN.COM points to blogger; the page is this file here which will grab the file data and insert it into a div on the page
        - see info here: http://support.google.com/blogger/bin/static.py?hl=en&ts=1233381&page=ts.cs
 Based on the param and confirming that the cookie is valid, manager.php gets the real file data and sends it out
        - ala this: http://php.net/manual/en/function.file-get-contents.php

Just drop the following into a blank Blogger page - taking care to replace the instances of YOUR.DOMAIN.COM

<script type="text/javascript" src="http://YOUR.DOMAIN.COM/scripts/jquery-1.8.3.min.js"></script>
<script type='text/javascript'>
 var $pageUrl = "http://YOUR.DOMAIN.COM/manager.php?p=page1"; // so cool how you could setup your own domain!

 function doInitStuff()
 {
    if ($alreadyInited) return; 
    $alreadyInited = true;
    // a little hack - because though I said share cookies among (*) ".DOMAIN.COM" it wasn't getting sent
    // although it's obviously there since we get it here on YOUR2.DOMAIN.COM (originally set on YOUR.DOMAIN.COM)
    var $cookies = document.cookie; 

    var $result = $.ajax
    ({
        type: "GET",
        url: $pageUrl,
        dataType: 'json', // or whatever
        async: false, // force this to complete before moving on (should be quick though - since already logged in)
        //   username: 'username', // would get these from a prompt/html form - but should have already gone directly to the site to authenticate
        //   password: 'password', // did it that way, because wasn't able to get the u/p to be properly sent... this new way is better anyway
        data: $cookies, // send along the cookies - they should show up in $_GET
        success: function (result, status, jqXHR){
            // good - but for some reason wasn't getting result - just move on...
        },
        error: function (){
            // not good
        }
    });

    if ($result.status == 200)
    {
        // insert our data into our nice Div
        $('#realpageinfo').html($result.responseText);
    }

    // grrrrrr. ie strikes again! use iframes instead
    var isMSIE = eval("/*@cc_on!@*/!1");
    if ($('#realpageinfo').html() == '' || isMSIE)
    {
        //$('#realpageinfo').replaceWith("<div id='realpageinfo' style='font-weight:bold;color:red'>Internet Explorer? Sorry, but please use a different Browser.</div>");
        $('#realpageinfo').replaceWith("<div id='realpageinfo'><iframe id='realpageframe' style='width:100%;height:700px' src='" + $pageUrl + "'></iframe></div>");
    }
 }

 // Don't mind this - multiple ways to ensure the main worker function is called
 var $alreadyInited = false;
 $(document).ready(function() { doInitStuff(); });
 window.addEventListener('DOMContentLoaded',function() { doInitStuff(); });

</script>

<div id='realpageinfo'></div>

Now for the server side

<?php
    $cookieName = 'my_auth_cookie';
    $loggedInCookieVal = $_COOKIE[$cookieName] ?? null; // null when the cookie was not sent

    if (!isset($loggedInCookieVal))
    {
            $loggedInCookieVal = $_GET[$cookieName] ?? null; // was it passed in instead of coming through the Cookie channel?
    }

    // if $loggedInCookieVal is set, decrypt it and pull username + pwd from it - if succeeds, set $cookieValsDecrypted
    // otherwise see if the user just sent them back in response to a challenge
    $cookieValsDecrypted = false; // default until the decryption step above is filled in

    // these are empty before login - and set in response to the challenge
    $curUser = $_SERVER['PHP_AUTH_USER'] ?? null;
    $curPswd = $_SERVER['PHP_AUTH_PW'] ?? null;

    if (!$cookieValsDecrypted && (!isset($curUser) || !isset($curPswd)))
    {
        // ask the user to authenticate (again if have to)

        header('WWW-Authenticate: Basic realm="YOUR.DOMAIN.COM"');
        header('HTTP/1.0 401 Unauthorized');

        echo "You gotta login bud - but you canceled instead";

        exit;

    } else {

        // check $curUser and $curPswd against a db or .htpasswd file, etc - or check $cookieValsDecrypted
        $matched = false; // fail closed until the check above is implemented

        // if all good then send the file
        if ($matched)
        {
            switch($_GET['p'])
            {
                case 'login': // just came here to login - now done, go on to the real page that pulls the value
                    header('Location: http://YOUR2.DOMAIN.COM/p/page.html');
                break;

                case 'page1':
                    echo file_get_contents ('./page1.txt'); // show the data
                break;
            }
        } else {
            // else send the auth request again
            header('WWW-Authenticate: Basic realm="YOUR.DOMAIN.COM"');
            header('HTTP/1.0 401 Unauthorized');

            echo "Try something else, maybe";
        }
    }
?>

That's it... feel free to improve. See it in action here ClyntonCaines.Com
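
A variation on the cookie step, as an added example that is not part of the original post: rather than encrypting the username and password into the cookie, manager.php can issue an HMAC-signed, expiring token, so a value that ends up in a URL or access log contains no password and stops working after the expiry. AUTH_KEY, TOKEN_TTL, issueToken() and verifyToken() are hypothetical names, and the demo values are constructed.

```php
<?php
// Added example, not the original poster's code. All names are hypothetical.
const AUTH_KEY  = 'PLACEHOLDER-load-a-random-32-byte-key-from-outside-the-webroot';
const TOKEN_TTL = 3600; // seconds a login stays valid

// Called once, after the Basic-auth credentials were checked successfully.
function issueToken(string $user, int $now): string
{
    // The user name is hex-encoded so it cannot contain the '.' separator.
    $payload = bin2hex($user) . '.' . ($now + TOKEN_TTL) . '.' . bin2hex(random_bytes(8));
    return $payload . '.' . hash_hmac('sha256', $payload, AUTH_KEY);
}

// Returns the user name for a valid token, or null. Works the same whether
// the value arrived in $_COOKIE or, as in the post, in $_GET.
function verifyToken($token, int $now): ?string
{
    if (!is_string($token) || substr_count($token, '.') !== 3) {
        return null; // missing, an array, or not in user.expiry.nonce.mac form
    }
    [$userHex, $expiry, $nonce, $mac] = explode('.', $token);
    $expected = hash_hmac('sha256', "$userHex.$expiry.$nonce", AUTH_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // forged or modified; hash_equals compares in constant time
    }
    if (!ctype_digit($expiry) || (int)$expiry < $now) {
        return null; // expired
    }
    $user = hex2bin($userHex);
    return $user === false ? null : $user;
}

// Constructed demonstration values
$now   = time();
$token = issueToken('alice', $now);
var_dump(verifyToken($token, $now));                          // freshly issued token
var_dump(verifyToken($token . '0', $now));                    // MAC altered
var_dump(verifyToken($token, $now + TOKEN_TTL + 1));          // presented after expiry
var_dump(verifyToken($_GET['my_auth_cookie'] ?? null, $now)); // nothing sent
```

In manager.php, `$matched` would then be `verifyToken($loggedInCookieVal, time()) !== null`.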
