Password protecting your site
Posted by ark, ,
I wanted to loosely password protect my website. I wanted to do this so that search engines wouldn't index the site and so that random people I didn't know wouldn't read it (without some work) but so that it was easy as pie for people I did know to get in and see what they want.

The solution I came up with was a form that asks for a password (there are no user names) and if you enter it correctly sets a cookie on your browser that should last for a year. Every time you visit the site your cookie life is extended. So as long as you come to the site at least once a year it should never ask you for a password again. I made the password ridiculously easy that anyone who knew me would know the answer to. I also made it possible to have a list of acceptable passwords so you could ask for the name of one of my cats and any correct name would get you in.

I didn't want to use basic http auth since there's not enough room to explain why you're asking for a password or to give hints about what might work and it also requires a username which further complicates matters, you can only tell people what to enter after they have failed once, and that's a bad user experience.

The devil's in the details of course, I usually run Cookie Safe which selectively allows me to allow sites to set cookies and I'm very frustrated when a page tries to set cookies, fails, but doesn't tell me. So I try and detect that scenario and report an error if it happens. If you're only allowing session cookies I try and set one of those too, but then you'll need to type a password next time you visit.

I also wanted it to be modular, so I could use the same code from many pages, so I made it a php include that you could use with only a small amount of code in the page you're protecting (your blogger template for example).

Here's how you use it

1. download restrict.php and save it as restrict.php somewhere on your server.

2. Create a page with the form users will enter the password on. A minimal example is included below:
<?php
if (isset($ARK_RESTRICT_ERROR)) {
print "<h1>$ARK_RESTRICT_ERROR</h1>\n";
}
?>
<p>Access to this site is restricted!</p>

<p>Please enter my favorite color:<br />
<form method="post" action="<?php echo CurrentPageUrl() ?>">
<input type="text" name="answer" />
<input type="submit" value="submit"/>
</form>
However, remember, this is the page search engines will see, so you might want to include a:
<meta name="ROBOTS" content="NOINDEX,NOFOLLOW" />
at the top and perhaps some better instructions or explaining why you do this. You might want to use the same template you use on the rest of your site?

3. Now for every page you want to protect you need to add this at the very very top of the page:
<php
$ARK_RESTRICT_ANSWERS = array('red', 'no', 'blue', 'arghhh');
$ARK_RESTRICT_FORM = '/www/html/form.php';
include_once('/www/html/restrict.php');
?>
Make sure you add it at the very very top, since it sets some cookies and senders a Location: HTTP header if anything is output before it runs there will be errors.

Note how you provide the paths to the files on the web server machine (do not use urls).

Thats it, should just work now. Hope you find it useful.

Possible improvements:

TODO(ark) add a long error description variabletoo
TODO(ark) try and set cookies using javascript and report an error if there is one before the user even tries a password.

Comments

Posted Thursday 24 April 2008 Share