
What is the best way to password protect folder/page using php without a db or username

What is the best way to password protect folder using php without a database or user name but using. Basically I have a page that will list contacts for organization and need to password protect that folder without having account for every user. Just one password that gets changed every so often and distributed to the group. I understand that it is not very secure but nevertheless I would like to know how to do this. In the best way.

It would be nice if the password is remembered for a while once user entered it correctly.


I am doing approximately what David Heggie suggested, except without cookies. It does seem insecure as hell, but it is probably better having a bad password protection than none at all.

This is for internal site where people would have hell of a time remembering their login and password and would never go through sign up process... unless it is really easy they would not use the system at all.

I wanted to see other solutions to this problem.

With user base consisting of not very tech savvy people what are other ways to do this.

You could use something like this:

//access.php

<?php
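// Put the SHA-1 hash (hex) of the shared password here - example is 'hello'
$password = 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d';

session_start();
if (!isset($_SESSION['loggedIn'])) {
    $_SESSION['loggedIn'] = false;
}

// is_string() rejects array input such as password[]=x, which sha1() cannot hash
if (isset($_POST['password']) && is_string($_POST['password'])) {
    // hash_equals() compares in constant time and avoids the type juggling of ==
    if (hash_equals($password, sha1($_POST['password']))) {
        session_regenerate_id(true); // issue a new session ID on login
        $_SESSION['loggedIn'] = true;
    } else {
        die('Incorrect password');
    }
}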

if (!$_SESSION['loggedIn']): ?>

<html><head><title>Login</title></head>
  <body>
    <p>You need to login</p>
    <form method="post">
      Password: <input type="password" name="password"> <br />
      <input type="submit" name="submit" value="Login">
    </form>
  </body>
</html>

<?php
exit();
endif;
?>

Then on each file you want to protect, put at the top:

<?php
require('access.php');
?>
secret text

It isn't a very nice solution, but it might do what you want

Edit

You could add a logout.php page like:

<?php
    session_start();
    $_SESSION['loggedIn'] = false;
?>
You have logged out   

If you want to avoid cookies, sessions and don't want to play with .htaccess files, you can also do http authentication solely with PHP:

http://www.php.net/manual/en/features.http-auth.php

You can hard code the password into the file and change it as needed, or include it from a file not in your web_accessible directory.

The downside is you don't have the ability to format the "login" screen - it will be a standard http authentication dialog box

I doubt if this would count as the best way of doing it, but it would work. And since security doesn't seem to be a big issue for you, the fact that this way's as insecure as hell probably won't bother you either.

Have a login.php page that takes a password and then sets a cookie if the login details are correct. Each php file can then check for the existence of the cookie to determine whether or not the user is "logged in" or not, and display information accordingly.

login.php
...
if(isset($_POST['password']) && $_POST['password'] == 'my_top_secret_word') {
    setcookie('loggedin', 'true', time() + 1200, '/url/');
} else {
    setcookie('loggedin', 'false', time() - 1200, '/url/');
    // display a login form here
}
etc

each "protected" page would then check for this cookie:

if(isset($_COOKIE['loggedin'])) {
    if($_COOKIE['loggedin'] == 'true') {
        $showHidden = true;
    } else {
        $showHidden = false;
    }
} else {
    $showHidden = false;
}

I'm sure you get the (highly insecure) idea ...

Well since you know it's insecure to begin with, you could store a password in a text file somewhere on your web server. When someone accesses the page you could show a form that asks for a password. If the password matches what is in the text file, then you reload the page and display the information. Using the text file will allow you to change the password without having to modify the page they are accessing when you want to change it. You're still going to be sending plaintext everywhere unless you're using SSL. Let me know if you need some code.
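
An added example, not code from any of the answers on this page: the text-file approach described above, changed so that the file holds a password_hash() hash instead of the plaintext password, sits outside the web root, and the login is remembered for a limited idle time. The file name gate.php, the path /var/www/private/contacts.hash, the 1200-second limit and the helper function names are assumptions made for illustration.

```php
<?php
// gate.php (hypothetical name): require() it at the top of each protected page.
// HASH_FILE is an assumed path outside the web root. Create it once with:
//   php -r 'echo password_hash("new shared password", PASSWORD_DEFAULT);' > contacts.hash
const HASH_FILE  = '/var/www/private/contacts.hash';
const IDLE_LIMIT = 1200; // seconds of inactivity before the password is asked again

function password_ok(string $candidate, string $hashFile): bool
{
    $hash = is_readable($hashFile) ? trim((string) file_get_contents($hashFile)) : '';
    // Fail closed: a missing, empty or malformed hash file never grants access.
    return $hash !== '' && password_verify($candidate, $hash);
}

function session_is_fresh(array $session, int $now, int $limit): bool
{
    return !empty($session['loggedIn'])
        && isset($session['lastSeen'])
        && ($now - (int) $session['lastSeen']) <= $limit;
}

// Keep the session cookie away from scripts and cross-site requests.
session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);

$error = '';
if (isset($_POST['password']) && is_string($_POST['password'])) {
    if (password_ok($_POST['password'], HASH_FILE)) {
        session_regenerate_id(true); // fresh session ID after login
        $_SESSION['loggedIn'] = true;
        $_SESSION['lastSeen'] = time();
    } else {
        $error = 'Incorrect password';
    }
}

if (!session_is_fresh($_SESSION, time(), IDLE_LIMIT)) {
    $_SESSION = []; // drop an expired login
    ?>
    <form method="post">
      <p><?= htmlspecialchars($error) ?></p>
      Password: <input type="password" name="password">
      <input type="submit" value="Login">
    </form>
    <?php
    exit;
}
$_SESSION['lastSeen'] = time(); // sliding expiry: each request renews the window
```

Rotating the shared password means regenerating the hash file; sessions that are already logged in stay valid until they have been idle for IDLE_LIMIT seconds.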
