
Proper PHP Password Protection

I'm looking for the proper process of doing password protection on one single PHP page. Preferably with all of the code existing within that same page/file.

I have seen a few examples here on Stack Overflow, but they always have the instruction of pasting all of the code to the top of the page. And what that does is add a password input box to the top of the page, while loading absolutely everything you might have wanted to protect below that anyway, because there is nothing present in the code or the instructions to clearly indicate how to make it so the information is actually hidden before the password is entered.

Here is an example of what commonly occurs on Stack Overflow when a question is answered:

The user is told to paste this at the top of their php document:

<?php
// $username, $password and $nonsense are expected to be defined above this block.
if (isset($_COOKIE['PrivatePageLogin'])) {
   // Cookie holds md5(password . nonsense); compared against a freshly computed value
   if ($_COOKIE['PrivatePageLogin'] == md5($password.$nonsense)) {
?>

    <!-- LOGGED IN CONTENT HERE -->

<?php
      exit;
   } else {
      echo "Bad Cookie.";
      exit;
   }
}

// Login form posts to ?p=login
if (isset($_GET['p']) && $_GET['p'] == "login") {
   if ($_POST['user'] != $username) {
      echo "Sorry, that username does not match.";
      exit;
   } else if ($_POST['keypass'] != $password) {
      echo "Sorry, that password does not match.";
      exit;
   } else if ($_POST['user'] == $username && $_POST['keypass'] == $password) {
      setcookie('PrivatePageLogin', md5($_POST['keypass'].$nonsense));
      header("Location: $_SERVER[PHP_SELF]");
   } else {
      echo "Sorry, you could not be logged in at this time.";
   }
}
?>

They are then told to paste this directly below:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>?p=login" method="post">
<label><input type="text" name="user" id="user" /> Name</label><br />
<label><input type="password" name="keypass" id="keypass" /> Password</label><br />
<input type="submit" id="submit" value="Login" />
</form>

In this scenario nothing will be protected whatsoever. The page will load all content immediately but there will be a username and password field on the top of the page. It will technically function while protecting nothing.

In order to have this work properly, do you put the entire page contents within the form tags? What do you do?

This may seem an odd question to ask, but for the entire existence of this website people have been answering questions like that. The code always works, but the instructions for its basic use are often incomplete or incorrect.

And to preemptively answer a few questions: htaccess is a waste of time and effort; you spend more time trying to figure out why it's giving an internal server error than you do just protecting a file or folder.

The information doesn't need to be protected by Skynet-level AI, so PHP is fine.

This question cannot be answered in a reasonably short answer; a complete login system has some complexity (database, hashing, security, ...). Nevertheless, I would like to give some starters:

  • To store passwords never use MD5, instead PHP offers the password_hash() and the password_verify() functions.
  • Passwords should not be stored in cookies; it is common practice to remember the login state in a session. A random token will maintain the session.
  • Each page with restricted access has to check this state, and redirect to the login page if necessary.
  • A safe site requires HTTP/SSL, otherwise you cannot protect from a man-in-the-middle attack.

There are plenty of tutorials out there (good ones and insecure ones); do some research and look out for the points mentioned above.
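The following is an added single-file example that puts the answer's points together and addresses the question's actual complaint (the protected content must not be emitted until the check passes). It is not code from the question, the answer, or any library; it assumes PHP 7.3 or newer, that the page is served over HTTPS, and that the username constant and the password hash placeholder are replaced with your own values:

```php
<?php
// Single-page login gate (added example, not from the original post).
// Assumptions: PHP 7.3+, served over HTTPS, LOGIN_USER / LOGIN_HASH replaced by the admin.
declare(strict_types=1);

// Generate the hash ONCE on the command line and paste the output below:
//   php -r 'echo password_hash("your-password", PASSWORD_DEFAULT), PHP_EOL;'
const LOGIN_USER = 'admin';                                        // assumed username
const LOGIN_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';  // placeholder, not a real hash

// Harden the session cookie before the session starts; only the session id
// travels in the cookie, never the password or anything derived from it.
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not sent on cross-site POSTs
]);
session_start();

function isLoggedIn(): bool
{
    return !empty($_SESSION['logged_in']);
}

function attemptLogin(string $user, string $pass): bool
{
    // hash_equals avoids a timing leak on the username; password_verify does
    // its own constant-time comparison against the stored hash.
    $userOk = hash_equals(LOGIN_USER, $user);
    $passOk = password_verify($pass, LOGIN_HASH);
    if (!($userOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after the privilege change
    $_SESSION['logged_in'] = true;
    return true;
}

$selfUrl = strtok($_SERVER['REQUEST_URI'], '?');   // this page without query string

if (($_GET['action'] ?? '') === 'logout') {
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $selfUrl);
    exit;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    // The form must carry the CSRF token that was issued with this session.
    if (!hash_equals($_SESSION['csrf'] ?? '', (string) ($_POST['csrf'] ?? ''))) {
        $error = 'Invalid form submission.';
    } elseif (attemptLogin((string) $_POST['user'], (string) $_POST['pass'])) {
        header('Location: ' . $selfUrl);   // redirect after POST; refresh will not resubmit
        exit;
    } else {
        $error = 'Invalid username or password.';   // one message, no username/password hint
    }
}

if (!isLoggedIn()) {
    // Not authenticated: emit ONLY the form and stop. Nothing below this block
    // is sent to the browser, which is the part the question's example lacks.
    $_SESSION['csrf'] = $_SESSION['csrf'] ?? bin2hex(random_bytes(32));
    ?>
    <!doctype html>
    <title>Login</title>
    <?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
    <form method="post">
      <input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf']) ?>">
      <label>Name <input type="text" name="user" autocomplete="username"></label><br>
      <label>Password <input type="password" name="pass" autocomplete="current-password"></label><br>
      <button type="submit">Login</button>
    </form>
    <?php
    exit;
}
?>
<!doctype html>
<title>Private page</title>
<p>Logged in as <?= htmlspecialchars(LOGIN_USER) ?>. <a href="?action=logout">Log out</a></p>
<!-- PROTECTED CONTENT GOES HERE: it is only reached after the check above passed -->
```

The whole page lives in one file, as the question asked. The protected markup sits after the `exit` that follows the login form, so an unauthenticated request never sees it; the cookie carries only a session id, the password is compared through `password_verify`, and the session id is regenerated on login so a session fixed before authentication is not upgraded.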
