Posted by CANbike on Wed, 5 Feb 2014

PHP: Simple Password Protection with Session Timeout

The following PHP code creates a simple password-protected page with a session timeout. It is a primitive and insecure method, suitable only for non-sensitive data, but useful nonetheless.

However, to improve security somewhat, the password is stored as a hash rather than in plain text, and the protected content is kept outside the web root so it cannot be retrieved by a direct web link.

[Screenshots: PHP Password-Protected; PHP Session-Timeout; PHP Password-Protected and Session-Timeout]


Simple PHP Password Protection

Directory Structure


WEBSERVER
  |
  |--/localstorage
  |    |-content.html
  |
  |--/public_html
      |-password-protect.php

  • password-protect.php is the login page to access the content
  • /public_html is the web root directory viewable by the Internet
  • content.html is the protected web page
  • localstorage is a server directory not accessible by the Internet

password-protect.php

<?php
	# Check for POST login data, else set initial values
	if (isset($_POST['user'], $_POST['pass'])) {
		$user = $_POST['user'];
		$pass = hash('sha256', $_POST['pass']);
	}
	else {
		$user = "";
		$pass = "";
	}

	# Check Login Data
	#
	# Password is hashed (SHA256). In this case it is 'admin'.
	# Strict comparison (===) is used so that PHP never compares the two
	# hex digests as numeric strings.
	if ($user === "admin"
	&& $pass === "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918")
	{
		# Load content from local storage (outside the web root)
		include("../localstorage/content.html");
	}
	else
	{
		# Show login form. Request for username and password
?>
		<html>
		<body>
			<form method="POST" action="">
				Username: <input type="text" name="user"><br/>
				Password: <input type="password" name="pass"><br/>
				<input type="submit" name="submit" value="Login">
			</form>
		</body>
		</html>
<?php
	}
?>


Session Timeout

The following is a basic session timeout set to 10 minutes. The timeout is measured from the request that first created the session; it is not extended by later activity.

<?php
	session_start();

	# Check for session timeout, else initialize time
	if (isset($_SESSION['timeout'])) {
		# Check Session Time for expiry
		#
		# Time is in seconds. 10 * 60 = 600s = 10 minutes
		if ($_SESSION['timeout'] + 10 * 60 < time()) {
			# Clear the in-memory data as well: session_destroy() only removes
			# the stored copy and leaves $_SESSION intact for this request
			$_SESSION = array();
			session_destroy();
		}
	}
	else {
		# Initialize time
		$_SESSION['timeout'] = time();
	}
?>


Password Protection & Session Timeout

The following adds a session timeout to the password protection script. POST data is stored in SESSION variables until a timeout occurs.

<?php
	session_start();

	# Check for session timeout, else initialize time
	if (isset($_SESSION['timeout'])) {
		# Check Session Time for expiry
		#
		# Time is in seconds. 30 * 60 = 1800s = 30 minutes
		if ($_SESSION['timeout'] + 30 * 60 < time()) {
			# Expired. Clear the in-memory data as well, since session_destroy()
			# only removes the stored copy, then start a fresh session so the
			# login check below cannot still pass on this request
			$_SESSION = array();
			session_destroy();
			session_start();
		}
	}
	if (!isset($_SESSION['timeout'])) {
		# Initialize variables
		$_SESSION['user'] = "";
		$_SESSION['pass'] = "";
		$_SESSION['timeout'] = time();
	}

	# Store POST data in session variables
	if (isset($_POST['user'], $_POST['pass'])) {
		$_SESSION['user'] = $_POST['user'];
		$_SESSION['pass'] = hash('sha256', $_POST['pass']);
	}

	# Check Login Data
	#
	# Password is hashed (SHA256). In this case it is 'admin'.
	# Strict comparison (===) is used so that PHP never compares the two
	# hex digests as numeric strings.
	if ($_SESSION['user'] === "admin"
	&& $_SESSION['pass'] === "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918")
	{
		# Load content from local storage (see the directory structure above)
		include("../localstorage/content.html");
	}
	else
	{
		# Show login form. Request for username and password
?>
		<html>
		<body>
			<form method="POST" action="">
				Username: <input type="text" name="user"><br/>
				Password: <input type="password" name="pass"><br/>
				<input type="submit" name="submit" value="Login">
			</form>
		</body>
		</html>
<?php
	}
?>


Store the Password in a File

For increased security, the password hash can be stored in a local file that is not accessible from the Internet, rather than in the script itself.


WEBSERVER
  |
  |--/localstorage
  |    |-content.html
  |    |-password.sha
  |
  |--/public_html
      |-password-protect.php

where the content of password.sha is the SHA256 hash of the password:

8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

Retrieving the Password

The stored value can be retrieved with the file_get_contents() function. For example,

# Fetch the stored password hash (trim() drops the trailing newline)
$retrievedpassword = trim(file_get_contents("../localstorage/password.sha"));

# Check Login Data (strict comparison, as in the scripts above)
if ($_SESSION['user'] === "admin" && $_SESSION['pass'] === $retrievedpassword) {
    # Load content from local storage
    include("../localstorage/content.html");
}
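As an added example (not the original post's code), the combined script from the "Password Protection & Session Timeout" and "Store the Password in a File" sections, rewritten to measure the timeout from the last request rather than the first, to empty $_SESSION before session_destroy(), to keep only a logged-in flag in the session instead of the submitted credentials, and to read the hash from password.sha. It assumes the directory layout shown above.

```php
<?php
// Added example, not the original post's code. Assumes the layout above:
// ../localstorage/password.sha holds the SHA-256 hex digest of the password
// and ../localstorage/content.html is the protected page (both outside the
// web root, so neither can be fetched by a direct link).
session_start();

$timeout = 10 * 60;                 // idle timeout in seconds (10 minutes)
$now = time();

// Expire an idle session. $_SESSION must be emptied explicitly: session_destroy()
// removes the stored copy but leaves the in-memory array intact for the rest
// of this request, so a login check further down would otherwise still pass.
if (isset($_SESSION['last_active']) && $_SESSION['last_active'] + $timeout < $now) {
    $_SESSION = array();
    session_destroy();
    session_start();                // continue with a fresh, anonymous session
}
$_SESSION['last_active'] = $now;    // refreshed on every request, not only at login

// Handle a login attempt. Only a boolean flag is kept in the session; the
// submitted password and its hash are never stored there.
if (isset($_POST['user'], $_POST['pass'])) {
    $stored = trim(file_get_contents('../localstorage/password.sha'));
    $given  = hash('sha256', $_POST['pass']);
    // hash_equals() (PHP >= 5.6) compares in constant time and never applies
    // PHP's loose numeric-string comparison to the two hex digests.
    if ($_POST['user'] === 'admin' && hash_equals($stored, $given)) {
        session_regenerate_id(true);    // new session ID after the privilege change
        $_SESSION['logged_in'] = true;
    }
}

if (!empty($_SESSION['logged_in'])) {
    include '../localstorage/content.html';
} else {
?>
<html>
<body>
    <form method="POST" action="">
        Username: <input type="text" name="user"><br/>
        Password: <input type="password" name="pass"><br/>
        <input type="submit" name="submit" value="Login">
    </form>
</body>
</html>
<?php
}
```

The example keeps the page's unsalted SHA256 file format so the same password.sha works; for anything beyond non-sensitive data, storing a password_hash() value and checking it with password_verify() is the stronger choice.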
