PHP站点管理认证页面
I have created a management page for my php site. I have a management page that I created that I would like to secure (allow only me to access).
What is the easiest way to secure this page without creating a full fledged login system? This feels like overkill, and I am afraid of creating security vulnerabilities. I have no other needs for a login system for the rest of the site.
Any recommendations or ideas from other people that have done stuff like this?
I find the easiest way creating a secure area for a single user with "Htaccess".
Example:
http://webdesign.about.com/od/htaccess/ht/hthtaccess.htm
But this is not PHP or Mysql - but Apache.
<?php
$realm = 'Restricted area';
//user => password
$users = array('Username123123' => 'Password1112313', 'Guest' => 'guest');
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$realm.
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
die('<h1>HTTP/1.1 401 Unauthorized</h1>');
}
// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
!isset($users[$data['username']]))
die('<h1>Wrong Credentials!</h1>');
// generate the valid response
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
if ($data['response'] != $valid_response)
die('<h1>Wrong Credentials!!</h1>');
echo 'Your are logged in as: ' . $data['username'] . '<hr />';
// function to parse the http auth header
function http_digest_parse($txt)
{
// protect against missing data
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
$keys = implode('|', array_keys($needed_parts));
preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
unset($needed_parts[$m[1]]);
}
return $needed_parts ? false : $data;
}
?>
create a cookie(use only once setcookie ("admin", "i'm admin", time() + $temps); or create it manually ) and use the following code in every webpage:
if (isset($_COOKIE['admin'])) {
//Do something
}
else { die(); }
As you ask for the easiest way,
You could just use your IP for comparing:
$myIP="your-ip-here";
if($_SERVER['REMOTE_ADDR']!=$myIP){exit();}
And maybe you could also do a little get param comparing too:
$myIP="your-ip-here";
$myGetParamPass="password";
if($_SERVER['REMOTE_ADDR']!=$myIP || $_GET['pass']!==$myGetParamPass){exit();}
And then access the page with YOUR IP address and with this link:
www.site.com/page.php?pass=password
But the method above will be no good if you're on a dynamic IP, which changes frequently.
The simplest method is the:
<?
session_start();
$user = 'YOUR_USERNAME';
$password = 'YOUR_PASSWORD';
if($_POST['user'] == $user && $_POST['password'] == $password){
$_SESSION['logged'] = true;
}else{
$_SESSION['logged'] = false;
}
if($_SESSION['logged']){
echo "Logged in"
}else{
echo "Acces denied";
}
?>
The simpliest way I can imagine is
<?php
session_start();
if(isset($_POST['send'])){
if($_POST['pw'] == "somepassword"){
$_SESSION['LOGIN'] = true;
}
}
if(isset($_SESSION['LOGIN'])){
//your page
}else{ ?>
<form method="post" action=""> <p>Password:</p>
<input name="pw" type="password" />
<input name="send" value="send" type="submit" />
</form>
<?php
}
?>