Industry guru Dave Taylor answers free tech support questions about a wide variety of business and technical topics, including blogging, Google AdSense, MySpace, Sony PSP, Apple iPod, Mp3 players, management, Linux, SEO, Mac OS X, Facebook, Twitter, LinkedIn and Microsoft Windows.

Password protected Web pages

A reader asks:
How do you think that i could make a login page with a password using CGI script?
There are two main ways to create a password-protected Web area...

Dave's Answer: One solution is using hooks in the web server (usually Apache) and the other is, well, with the common gateway interface...

For an Apache-based solution, your avenue is the .htaccess file that you drop into a directory you want to password protect. Most web hosting providers have instructions on how to set this up and create accounts for people to access the subdirectory. it's the preferred solution, and how I do it when I need to protect an area of a site. here's a geeky sort of page with more information on this.

If you want to do this with CGI, I'd approach it by having a small HTML page that prompts for a login and password pair, then feeds that to a CGI script that chops the QUERY_STRING into two parts, then simply compares them to a known set of account fields. If there's a match, the program outputs a specified source file (perhaps "logged-in.html"), and if the match fails, the program outputs an error message.

This should be quite easy to whip together in Perl or even as a Unix shell script.



Help others find this article at Del.icio.us, Digg, Netscape, Reddit, and Simpy.

Subscribe!

Never miss another useful Q&A article again! Subscribe to AskDaveTaylor with Google Reader.

Comments

One thing that a lot of people overlook that I recommend is that you can include on the HTML page containing the form a set of JavaScript functions that check the validity of the data before allowing it to be sent out. For example, on a signup form you can use some of the well-known regular expressions to make sure the email address has the correct format. (I've had AOLers on my site not realize they need to include @aol.com, and this helps fix that.) And in the signup form you can also make the user type the password twice, and use JavaScript to make sure they match. That helps reduce typos. (In general I'm not big on JavaScript, but for little things like this I think it's ideal; why make the server test that an email has the right format and the two passwords match?)

Posted by: Jeff Cogswell at June 25, 2003 12:00 PM

Also, regarding the password, if you want to add a level of security, you can use a one-way encryption (e.g. DES or MD5) and save the encrypted password in the database upon signup. Then when the user later logs in and enters a password, encrypt it first, and compare the encrypted one to the saved encrypted one. That way you don't have to save the unencrypted passwords on the site. (However, the reality is if somebody can get to the database to see the encrypted passwords, they can also probably get to the "secret pages" so I'm not totally convinced this is even necessary.)

Posted by: Jeff Cogswell at June 25, 2003 12:03 PM

Those are great observations, Jeff. Thanks. Your idea of storing the encrypted password is particularly valuable because it's exactly how Unix does it: the password for each account is stored in /etc/shadow (it used to be in /etc/passwd, but I hope that there isn't a single shipping Unix or Unix-like system that still has it there) as an encrypted string.

Even more interestingly, the encryption has a random two-letter 'salt' or rotation initializer, so that when a new password is entered and wants to be compared to the existing password, the new value must be encrypted using the existing salt as the key. It means that you can have programmers write password-protected programs without them knowing any of the passwords. A neat trick!

However, that's probably a bit far afield for a simple web page protection link, eh? :-)

Posted by: Dave Taylor at June 26, 2003 11:44 PM

Yeah, I used that kind of encryption on my site, and after all was said and done, I kinda wondered why. What was the big deal? For simple web sites, I think storing the plain-text passwords in the database is probably easiest, because if people forget their password you can email it to them. :-)

Posted by: Jeff Cogswell at June 28, 2003 4:14 PM

I'm a 12 year old kid learning html and all that web stuff. Can you brake down how to make a password protected site in a way that I can understand, please.

Thanks

Posted by: Jonathan at September 28, 2003 5:23 PM

Thanks for your posting, Jonathan! As you suggest, it's a bit more complex, but you might be surprised that it's not completely baffling. The first step: ask your web hosting provider for information on what they've set up, if anything. Secondly, search for .htaccess in any of your directories: if you have that, you probably have a password-protected directory. Also check out the quite good Apache htaccess tutorial, which you can find at: http://httpd.apache.org/docs/howto/htaccess.html

Posted by: Dave Taylor at September 29, 2003 10:41 PM

so can you guys show me the html and cgi script needed in order to get this on my webpage without having to call up my service provider and getting a directory? you can e-mail it to me. thanks

Posted by: matt at November 17, 2003 2:11 PM

hi Dave,

I have an account with clickbank.com and want purchasers of a private part of my site to get a password etc.
Clickbank.com send successful purchasers to a page on my site of my choosing.
I guess this page needs the password in it.
but
If i put this page in a secured area then clickbank asks for the password after purchase.
Catch 22 if ever there was.
How do you secure a password page that can be accessed from clickbanks return ?
(am i to put arguments on the return address to perhaps a cgi page.

Posted by: riff at July 7, 2006 10:43 AM

Hi Dave again,

Iv done alot of learning since my last post.

using php pages i can
1) receive the return from clickbank to an unsecured web page (ie home/result.php).

2) check if the purchase was successful with php validator code in result.php.

3) if purchase is good, use the php 'include' command inside result.php to display password and passname from another php page (ie home/secret/passwords.php) (the 'secret' directory being password protected)

4) if no sale, echo a "sorry mate" message to web page instead of password.

The key thing is ...
public PHP pages can display secret pages or data from private directories.

sorted :-)

just thought this might help someone

im testing php pages on my own pc with
apache web server (free)
php 5 linked to apache (free)

both have extensive help and websites

Posted by: riff at July 9, 2006 8:46 PM

hello, is there such a html code whereby when someone goes into your blog, there would be a pop up that asks the user to enter a password?
i would be very grateful if u could tell me
thx,
anonimous

Posted by: anonimous at December 18, 2006 2:48 AM

I have a lot to say, but ...
Starbucks coffee cup I have a lot to say, and questions of my own for that matter, but most of all I'd like to say thank you for all your efforts on this Web site by buying you a chai!

I do have a comment, now that you mention it!









Remember personal info?


Please note that I will never send you any unsolicited commercial email. Ever.

While I'm at it, please note that by submitting a question or comment you're agreeing to my terms of service, which are: you relinquish any subsequent rights of ownership to your material by submitting it on this site.









Search
Find just the answers you seek from among our 1700+ free tech support articles by using our Lijit search engine.


Help!





Subscribe to
Ask Dave Taylor!

Add to Google Reader
Add to My Yahoo!
Subscribe in NewsGator Online

RDF   XML

Free Updates!
Sign up and get free weekly updates and special offers on books, seminars, workshops and more.


Recent Entries
Join the List!
Join my author info mailing list, where you'll learn about my upcoming books, speaking gigs, and more!


Book Links
© 2002 - 2008 by Dave Taylor. All Rights Reserved.

Note: This web site is for the purpose of disseminating information for educational purposes, free of charge, for the benefit of all visitors. We take great care to provide quality information. However, we do not guarantee, and accept no legal liability whatsoever arising from or connected to, the accuracy, reliability, currency or completeness of any material contained on this web site or on any linked site.

[whiteboard marker tray]