PHP Page password protection

Question

I had created a simple password protection page for a PHP webpage by searching online. below is the code.

protect.php:

<?php
   namespace Protect;
   function with($form, $password, $scope=null) {
      if( !$scope ) $scope = current_url();
         $session_key = 'password_protect_'.preg_replace('/\W+/', '_', $scope);
         session_start();

      if( $_POST['password'] == $password ) {
         $_SESSION[$session_key] = true;
         redirect(current_url());
      }

      if( $_SESSION[$session_key] ) return;
         require $form;
         exit;
   }

   function current_url($script_only=false) {
      $protocol = 'http';
      $port = ':'.$_SERVER["SERVER_PORT"];
      if($_SERVER["HTTPS"] === 'on') $protocol .= 's';
      if($protocol === 'http' && $port === ':80') $port = '';
      if($protocol === 'https' && $port === ':443') $port = '';
      $path = $script_only ? $_SERVER['SCRIPT_NAME'] : $_SERVER['REQUEST_URI'];
      return $protocol."://".$_SERVER[SERVER_NAME].$port.$path;
    }
    function redirect($url) {
       header("Location: ".$url);
       exit;
    }

Form.php:

<html>
   <body>
      <form method="POST">
         <?php
         if( $_SERVER['REQUEST_METHOD'] === 'POST' ) { 
            ?>
            Invalid password
         <?php 
         }
         ?>
         <p>Enter password for access:</p>
         <input type="password" name="password">
         <button type="submit">Submit</button>
      </form>
   </body>
</html>

At the top of the php webpage which is to be protected with security password:

<?php 
    require_once('protect.php');
    Protect\with('form.php', 'demo');  // demo is the password
?>

It's working fine but I am getting an error as

Undefined index: password in C:\\xampp\\htdocs\\iv\\admin\\protect.php on line 9 and session start() is already defined.

(On top of the php page which is to be protected).

When I tried to make any changes its completely not working.

Anybody, please help and guide me where exactly the error.

Answer 1

You have to check first if the password has been submitted in your with function.

// this has to be checked first
// added isset to check if its existing

if( isset($_SESSION[$session_key]) && $_SESSION[$session_key] ) return;
    ^-------------------------------^

if( isset($_POST['password']) && $_POST['password'] == $password ) {
    ^--------------------------^
    ...
}

Answer 2

As noted by @Martin in several comments, your two issues can be easily solved by reading the linked questions/answers.

The first issue, which is the session already started error, can be easily solved by bringing out the session_start() from your function altogether and put it only once in the very top level php file.

The second issue is resolved by using empty() or isset() .

function with($form, $password, $scope=null)
{
    if(empty($scope))
        $scope = current_url();

    $session_key = 'password_protect_'.preg_replace('/\W+/', '_', $scope);

    if(isset($_POST['password']) && ($_POST['password'] == $password)) {
       $_SESSION[$session_key] = true;
       redirect(current_url());
    }

    if(!empty($_SESSION[$session_key]))
        return false;

    require($form);
    exit;
}

To set session:

<?php
# Just add by default, don't use an "if" clause
session_start();
# Do the rest of your script
require_once('protect.php');
Protect\with('form.php', 'demo');

One final note; make sure your indenting correlates to hierarchy otherwise the script can get hard to read.