Password protected Web pages

One thing that a lot of people overlook that I recommend is that you can include on the HTML page containing the form a set of JavaScript functions that check the validity of the data before allowing it to be sent out. For example, on a signup form you can use some of the well-known regular expressions to make sure the email address has the correct format. (I've had AOLers on my site not realize they need to include @aol.com, and this helps fix that.) And in the signup form you can also make the user type the password twice, and use JavaScript to make sure they match. That helps reduce typos. (In general I'm not big on JavaScript, but for little things like this I think it's ideal; why make the server test that an email has the right format and the two passwords match?)

Also, regarding the password, if you want to add a level of security, you can use a one-way encryption (e.g. DES or MD5) and save the encrypted password in the database upon signup. Then when the user later logs in and enters a password, encrypt it first, and compare the encrypted one to the saved encrypted one. That way you don't have to save the unencrypted passwords on the site. (However, the reality is if somebody can get to the database to see the encrypted passwords, they can also probably get to the "secret pages" so I'm not totally convinced this is even necessary.)

Those are great observations, Jeff. Thanks. Your idea of storing the encrypted password is particularly valuable because it's exactly how Unix does it: the password for each account is stored in /etc/shadow (it used to be in /etc/passwd, but I hope that there isn't a single shipping Unix or Unix-like system that still has it there) as an encrypted string.

Even more interestingly, the encryption has a random two-letter 'salt' or rotation initializer, so that when a new password is entered and wants to be compared to the existing password, the new value must be encrypted using the existing salt as the key. It means that you can have programmers write password-protected programs without them knowing any of the passwords. A neat trick!

However, that's probably a bit far afield for a simple web page protection link, eh? :-)

Yeah, I used that kind of encryption on my site, and after all was said and done, I kinda wondered why. What was the big deal? For simple web sites, I think storing the plain-text passwords in the database is probably easiest, because if people forget their password you can email it to them. :-)

I'm a 12 year old kid learning html and all that web stuff. Can you brake down how to make a password protected site in a way that I can understand, please.

Thanks

Thanks for your posting, Jonathan! As you suggest, it's a bit more complex, but you might be surprised that it's not completely baffling. The first step: ask your web hosting provider for information on what they've set up, if anything. Secondly, search for .htaccess in any of your directories: if you have that, you probably have a password-protected directory. Also check out the quite good Apache htaccess tutorial, which you can find at: http://httpd.apache.org/docs/howto/htaccess.html

so can you guys show me the html and cgi script needed in order to get this on my webpage without having to call up my service provider and getting a directory? you can e-mail it to me. thanks

hi Dave,

I have an account with clickbank.com and want purchasers of a private part of my site to get a password etc.
Clickbank.com send successful purchasers to a page on my site of my choosing.
I guess this page needs the password in it.
but
If i put this page in a secured area then clickbank asks for the password after purchase.
Catch 22 if ever there was.
How do you secure a password page that can be accessed from clickbanks return ?
(am i to put arguments on the return address to perhaps a cgi page.

Hi Dave again,

Iv done alot of learning since my last post.

using php pages i can
1) receive the return from clickbank to an unsecured web page (ie home/result.php).

2) check if the purchase was successful with php validator code in result.php.

3) if purchase is good, use the php 'include' command inside result.php to display password and passname from another php page (ie home/secret/passwords.php) (the 'secret' directory being password protected)

4) if no sale, echo a "sorry mate" message to web page instead of password.

The key thing is ...
public PHP pages can display secret pages or data from private directories.

sorted :-)

just thought this might help someone

im testing php pages on my own pc with
apache web server (free)
php 5 linked to apache (free)

both have extensive help and websites

hello, is there such a html code whereby when someone goes into your blog, there would be a pop up that asks the user to enter a password?
i would be very grateful if u could tell me
thx,
anonimous