在没有数据库或用户名的情况下使用 php 密码保护文件夹/页面的最佳方法是什么
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/286938/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What is the best way to password protect folder/page using php without a db or username
提问by Boris Smirnov
What is the best way to password protect folder using php without a database or user name but using. Basically I have a page that will list contacts for organization and need to password protect that folder without having account for every user . Just one password that gets changes every so often and distributed to the group. I understand that it is not very secure but never the less I would like to know how to do this. In the best way.
在没有数据库或用户名但使用 php 的情况下,使用 php 密码保护文件夹的最佳方法是什么?基本上,我有一个页面将列出组织的联系人,并且需要密码保护该文件夹,而无需为每个用户设置帐户。只是一个密码,经常更改并分发给组。我知道它不是很安全,但我更想知道如何做到这一点。以最好的方式。
It would be nice if the password is remembered for a while once user entered it correctly.
如果用户正确输入密码后能记住一段时间,那就太好了。
I am doing approximately what David Heggie suggested, except without cookies. It does seem insecure as hell, but it is probably better having a bad password protection then none at all.
我正在按照 David Heggie 的建议做,除了没有饼干。它看起来确实不安全,但最好有一个糟糕的密码保护,而不是根本没有。
This is for internal site where people would have hell of a time remembering their login and password and would never go through sign upprocess... unless it is really easy they would not use the system at all.
这是针对内部站点的,在那里人们会花大量时间记住他们的登录名和密码,并且永远不会经历注册过程……除非真的很容易,否则他们根本不会使用该系统。
I wanted to see other solutions to this problem.
我想看看这个问题的其他解决方案。
With user base consisting of not very tech savvy people what are other ways to do this.
用户群由不太懂技术的人组成,还有什么其他方法可以做到这一点。
回答by Tom Haigh
You could use something like this:
你可以使用这样的东西:
//access.php
<?php
//put sha1() encrypted password here - example is 'hello'
$password = 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d';
session_start();
if (!isset($_SESSION['loggedIn'])) {
$_SESSION['loggedIn'] = false;
}
if (isset($_POST['password'])) {
if (sha1($_POST['password']) == $password) {
$_SESSION['loggedIn'] = true;
} else {
die ('Incorrect password');
}
}
if (!$_SESSION['loggedIn']): ?>
<html><head><title>Login</title></head>
<body>
<p>You need to login</p>
<form method="post">
Password: <input type="password" name="password"> <br />
<input type="submit" name="submit" value="Login">
</form>
</body>
</html>
<?php
exit();
endif;
?>
Then on each file you want to protect, put at the top:
然后在您要保护的每个文件上,放在顶部:
<?php
require('access.php');
?>
secret text
It isn't a very nice solution, but it might do what you want
这不是一个很好的解决方案,但它可能会做你想做的
Edit
编辑
You could add a logout.php page like:
您可以添加一个 logout.php 页面,例如:
<?php
session_start();
$_SESSION['loggedIn'] = false;
?>
You have logged out
回答by Rob Stevenson-Leggett
回答by Law
If you want to avoid cookies, sessions and don't want to play with .htaccess files, you can also do http authentication soley with PHP:
如果您想避免使用 cookie、会话并且不想使用 .htaccess 文件,您还可以使用 PHP 单独进行 http 身份验证:
http://www.php.net/manual/en/features.http-auth.php
http://www.php.net/manual/en/features.http-auth.php
You can hard code the password into the file and change it as needed, or include it from a file not in your web_accessible directory.
您可以将密码硬编码到文件中并根据需要进行更改,或者将其包含在不在 web_accessible 目录中的文件中。
The downside is you don't have the ability to format the "login" screen - it will be a standard http authentication dialog box
缺点是您无法格式化“登录”屏幕 - 这将是一个标准的 http 身份验证对话框
回答by David Heggie
I doubt if this would count as the bestwasy of doing it, but it would work. And since security doesn't seem to be a big issue for you, the fact that this way's as insecure as hell probably won't bother you either.
我怀疑这是否算是最好的做法,但它会起作用。而且由于安全性对您来说似乎不是一个大问题,因此这种方式非常不安全的事实可能也不会打扰您。
Have a login.php page that takes a password and then sets a cookie if the login details are correct. Each php file can then check for the existence of the cookie to determine whether or not the user is "logged in" or not, and display information accordingly.
有一个 login.php 页面,它需要一个密码,然后在登录详细信息正确时设置一个 cookie。然后每个 php 文件可以检查 cookie 的存在,以确定用户是否“登录”,并相应地显示信息。
login.php
...
if(isset($_POST['password']) && $_POST['password'] == 'my_top_secret_word') {
setcookie('loggedin', 'true', time() + 1200, '/url/');
} else {
setcookie('loggedin', 'false', time() - 1200, '/url/');
// display a login form here
}
etc
each "protected" page would then check for this cookie:
然后每个“受保护”页面将检查此 cookie:
if(isset($_COOKIE['loggedin'])) {
if($_COOKIE['loggedin'] == 'true') {
$showHidden = true;
} else {
$showHidden = false;
}
} else {
$showHidden = false;
}
I'm sure you get the (highly insecure) idea ...
我相信你明白(非常不安全的)想法......
回答by Ryan Rodemoyer
Well since you knowit's insecure to begin with, you could store a password in a text file somewhere on your web server. When someone accesses the page you could show a form that asks for a password. If the password matches what is in the text file, then you reload the page and display the information. Using the text file will allow you to change the password without having to modify the page they are accessing when you want to change it. You're still going to be sending plaintext everywhere unless you're using SSL. Let me know if you need some code.
好吧,既然您知道一开始就不安全,您可以将密码存储在 Web 服务器上某处的文本文件中。当有人访问该页面时,您可以显示一个要求输入密码的表单。如果密码与文本文件中的密码匹配,则您重新加载页面并显示信息。使用文本文件将允许您更改密码,而无需在您想要更改密码时修改他们正在访问的页面。除非您使用 SSL,否则您仍然会到处发送纯文本。如果您需要一些代码,请告诉我。
