Arquivo Eletrônico


2011, May-28

Password Protecting an iWeb Site

I’ve noticed some hits regarding password protecting an iWeb site. iWeb offers password protection only if you pay for the MobileMe service, but what about the rest of us who do not have MobileMe? Well, a basic password protection scheme can be set up with the help of some PHP programming and the use of cookies.

iWeb creates an HTML page for each of the pages on the site, but also generates an index.html file that simply redirects to the home page of your site. We are going to take advantage of that fact to ask for a password to access your site.

First we need to tell your web server to treat HTML pages as containing PHP code. To do that, add the following line to the .htaccess file at the root of your site:

AddHandler php5-script .html

Next, edit the index.html file and replace the html code with the following:

<?php
include_once('configuration.php');

// Show the login form (first visit, missing cookie, or failed login)
    function showLoginPasswordProtect($error_msg) {
        global $username;
        setcookie("verify", '', time()-3600, '/');

/************************************************************/
/* The HTML below is displayed when the password cookies    */
/* is not set. You can modify it to your liking             */
/************************************************************/
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Password verification</title>
</head>

<body>
<div id="header">
    <div align="center">Enter your password to access this website:</div>
</div>

<div id="wrapper" align="center">
    <div id="page">
        <form method="post" name="login_form">
            <?php if ($error_msg): ?><div id="error"><?php echo $error_msg; ?></div><?php endif; ?>
            <?php
            // Single quotes (escaped for PHP) inside onclick, so the HTML attribute is not cut short
            if ($username)
                echo ('<input size="20" align="right" name="access_login" id="access_login_id" style="color:#555555;" value="username" onclick="this.value = (this.value==\'username\')? \'\' : this.value;" /> <br />');
            ?>
            <input size="20" align="right" type="password" name="access_password" style="color:#555555;" value="password" onfocus="this.value = (this.value=='password')? '' : this.value;" /> <br /><br />
            <input type="submit" name="Submit" value="Login" class="submit" />
        </form>
    </div><!--page-->
</div><!--wrapper-->
</body>
</html>
<?php
/************************************************************/
/* End of html login form                                   */
/************************************************************/

        // stop at this point
        die();
    } //end function

// Set the timeout for the cookie
    if ($logout_in == 0)
        $timeout=0;
    else
        $timeout=time()+$logout_in;

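// The user has submitted the form with the login credentials
if (isset($_POST['access_password'])) {
    if($username)
        $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
    else
        $login = "no_username";
    $pass = $_POST['access_password'];
    // Reject non-string input, and compare strictly (!==) so numeric-looking
    // strings such as "1e3" and "1000" are not treated as equal
    if (!is_string($login) || !is_string($pass) || !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login]['password'] !== $pass ) {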
        showLoginPasswordProtect("Incorrect username or password.");
    }
    else {  // we have a valid user/pass combination
        // set cookie if password was validated
        setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
        // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
        // So need to clear password protector variables
        unset($_POST['access_login']);
        unset($_POST['access_password']);
        unset($_POST['Submit']);
    }
}

// The user is already authenticated and is reloading the page.
else {
    // First check if cookie is set
    if (!isset($_COOKIE['verify'])) {
        // the cookie has been deleted, display login form
        showLoginPasswordProtect('');
    }
    // The cookie exists, check if cookie is good
    $found = false;  // initialize variable
    foreach($LOGIN_INFORMATION as $key=>$val) {
        $lp = $key .'%'.$val['password'];
        // Strict comparison (===) avoids PHP's loose string comparison rules
        if ($_COOKIE['verify'] === md5($lp)) {
            // the user is already authenticated
            $found = true;
            // extend activity timeout
            setcookie("verify", md5($lp), $timeout, '/');
            break;  // break from the foreach
        }
    }
    if (!$found) {
        // The user is not authenticated, display login form
        showLoginPasswordProtect('');
    }
}
?>
Original index.html content goes here

That takes care of the login page. Now we need to add some code at the very beginning of each page of the website so that it enforces the password protection.

<?php
include_once('configuration.php');
// The user is already authenticated and is reloading the page.
    // First check if cookie is set
    if (!isset($_COOKIE['verify'])) {
        // the cookie has been deleted, send the visitor to the login form
        header( 'Location: index.html' ) ;
        exit;  // stop here, otherwise the protected page is still sent after the redirect header
    }
    // The cookie exists, check if cookie is good
    $found = false;  // initialize variable
    foreach($LOGIN_INFORMATION as $key=>$val) {
        $lp = $key .'%'.$val['password'];
        // Strict comparison (===) avoids PHP's loose string comparison rules
        if ($_COOKIE['verify'] === md5($lp)) {
            // the user is already authenticated
            $found = true;
            // extend activity timeout ($timeout is set in configuration.php)
            setcookie("verify", md5($lp), $timeout, '/');
            break;  // break from the foreach
        }
    }
    if (!$found) {
        // The user is not authenticated, send the visitor to the login form
        header( 'Location: index.html' ) ;
        exit;  // stop here, otherwise the protected page is still sent after the redirect header
    }
?>

And last but not least, we need to upload the configuration file to the root of your website. The configuration file holds the settings: the username-password pairs, the amount of time a user stays logged in, and whether a username-password pair or only a password is required to enter the site.

<?php
// Configuration Variables
// Use username-password combination?
$username = true;

// How long is the user able to be logged-in, in seconds. Set it to 0 to never logout.
$logout_in = 10;

// Array with the username-password combination.
// The guest account is where you configure the password
// when no username is required
$LOGIN_INFORMATION = array(
    'no_username' => array('password' => 'enter_the_password_here'),
    'user1' => array('password' =>'user1_password'),
    'user2' => array('password' =>'user2_password'),
    'user3' => array('password' =>'user3_password')
);

// Set the timeout for the cookie
    if ($logout_in == 0)
        $timeout=0;
    else
        $timeout=time()+$logout_in;

?>
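
The cookie set above is md5(login%password): the same value on every login, with an expiry that only the browser enforces. The following added example (not part of the original post or its download) shows one alternative, with passwords stored as hashes and a cookie value that carries an expiry signed with HMAC-SHA256. It assumes PHP 5.6 or later; SECRET_KEY, $USERS, check_login, issue_token and verify_token are hypothetical names.

```php
<?php
// Added example; SECRET_KEY, $USERS and the three functions are hypothetical names.
// Constructed placeholder: use your own random value, stored outside the web root.
const SECRET_KEY = 'replace-with-a-long-random-value';

// Constructed user table holding password hashes instead of plaintext passwords.
$USERS = array('user1' => array('hash' => password_hash('user1_password', PASSWORD_DEFAULT)));

// Check a submitted login against the stored hash.
function check_login($login, $pass, $users) {
    if (!is_string($login) || !is_string($pass) || !isset($users[$login])) {
        return false;
    }
    return password_verify($pass, $users[$login]['hash']);
}

// Build "login|expiry|mac"; the MAC binds login and expiry to the server secret.
function issue_token($login, $ttl, $now) {
    $payload = $login . '|' . ($now + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Return the login if the token is authentic and unexpired, otherwise false.
function verify_token($token, $users, $now) {
    if (!is_string($token)) {
        return false;                     // e.g. a cookie sent as an array
    }
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return false;
    }
    list($login, $expiry, $mac) = $parts;
    $expected = hash_hmac('sha256', $login . '|' . $expiry, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {  // constant-time comparison
        return false;
    }
    if (!ctype_digit($expiry) || (int)$expiry < $now || !isset($users[$login])) {
        return false;
    }
    return $login;
}

// Command-line demonstration: php example.php
$now = time();
var_dump(check_login('user1', 'user1_password', $USERS));  // correct password
$token = issue_token('user1', 600, $now);
var_dump(verify_token($token, $USERS, $now));               // fresh token
var_dump(verify_token($token, $USERS, $now + 601));         // token past its expiry
var_dump(verify_token(substr($token, 0, -1) . 'x', $USERS, $now)); // altered MAC
```

On the site, the result of issue_token() would take the place of the md5 value passed to setcookie("verify", ...), and verify_token() would take the place of the foreach loop at the top of each page.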

It’s important to note that because all HTML files are parsed as PHP, all the XML tags are interpreted as PHP code; this will cause a lot of errors and the site won’t work properly. In order to avoid this we need to tell PHP not to treat

You can get all the required files from the link below:

Password_protect_iweb.zip



