12-13-2003, 03:10 AM

My client would like me to create a secure download page on his site that is password protected. He wants his IT guy to be able to change the password on a regular basis. He wants total control over the clients' ability to access this stuff.

Here is his idea on how to approach it:
He wants to be able to send an email to his clients that has a link that directs the clients to this password protected area. However, he wants it such that when the client clicks on the link he gains access to the area without having to type in a password (in other words, the password is embedded in the email). However, if someone goes directly to the site, not through my client's email, that person could not gain access without typing in the proper username and password. I think he wants to do this because that way he is never actually giving anyone the actual password.

I looked around the net and can't seem to find a script to do what I mentioned above. My client is insistent that I do it. I told him that it wouldn't be very secure, and he said, "I don't see how it will be any less secure. . . This doesn't have to be Fort Knox. . . I just don't want it available to the general public." I'm not knowledgeable enough to explain to him why I think it's a bad idea. I tried to recommend some options that I thought were more appropriate, but he wouldn't go for it.

I know how to password protect files and areas, but I don't know how to password protect a file, then send someone a link to that file in email such that the person clicking on the link can access the file without typing in a password. Can anyone help me? I can't find the answer on the net.

He wants a password protected area, with one global password that can be easily changed every month. He wants to be able to email clients instant access to this protected area without actually giving them a password. One person suggested doing a "hash" on the password in the email link. But I'm still not sure how to do that to achieve my goal. Anyone know of a tutorial page? Another person said that I should use cookies, but I don't see how that would work since the goal is that the user will never actually type the password themselves. Any suggestions?

12-13-2003, 07:39 AM
I've been thinking... and found your answer!

First, in the body of the mail, make a form that, when the user clicks on the link, submits it and sends a hidden value (method POST)...

Now, just receive this value with the login page and accept it!

"I don't think this has any security... Because any page with a submit like mine can access the page..."

For this, I have a trick that works 90% of the time. When the user clicks the link and opens the LoginPage... a PHP variable is available... $HTTP_REFERER... what to do? Example: if the user has a @yahoo.com email... verify that the URL that brought the user here has the words yahoo.com in it. With this, only certain pages (domains...) can access the page via this method.
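
The "hash in the email link" idea mentioned in the first post, sketched as an added example that is not part of the original thread: the link carries an HMAC signature and an expiry time instead of the password, and the server recomputes the signature before serving the file. The script name `download.php`, the parameter names, the secret and the sample file and client id are all assumptions made for illustration.

```php
<?php
// Added example: HMAC-signed, expiring download links. All names and values are assumptions.

// Server-side secret that the IT admin rotates (constructed placeholder value;
// keep the real one in a config file outside the web root).
const LINK_SECRET = 'replace-with-a-long-random-secret';

// Build the URL that goes into the client e-mail. No password appears in it.
function make_link(string $base, string $file, string $client, int $expires, string $secret): string
{
    $sig = hash_hmac('sha256', "$file|$client|$expires", $secret);
    return $base . '?' . http_build_query(
        ['file' => $file, 'client' => $client, 'expires' => $expires, 'sig' => $sig]
    );
}

// Check the query parameters of an incoming request (e.g. $_GET).
function verify_link(array $q, string $secret, int $now): bool
{
    foreach (['file', 'client', 'expires', 'sig'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return false; // missing or array-valued parameter
        }
    }
    // Plain names only: no slashes, so 'file' cannot point outside the download folder.
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$/', $q['file'])
        || !preg_match('/^[A-Za-z0-9_-]+$/', $q['client'])
        || !ctype_digit($q['expires'])) {
        return false;
    }
    if ((int) $q['expires'] < $now) {
        return false; // link has expired
    }
    $expected = hash_hmac('sha256', "{$q['file']}|{$q['client']}|{$q['expires']}", $secret);
    return hash_equals($expected, $q['sig']); // constant-time comparison
}

// Constructed demonstration: issue a 7-day link, then verify it and three altered cases.
$now  = time();
$link = make_link('https://example.com/download.php', 'pricelist.pdf', 'client42', $now + 7 * 86400, LINK_SECRET);
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(verify_link($q, LINK_SECRET, $now));                           // untouched link
var_dump(verify_link(['file' => 'other.pdf'] + $q, LINK_SECRET, $now)); // file name altered
var_dump(verify_link($q, LINK_SECRET, $now + 8 * 86400));               // checked after expiry
var_dump(verify_link($q, 'rotated-secret', $now));                      // secret rotated
```

Changing `LINK_SECRET` invalidates every link issued under the old value, which covers the monthly password change the client asked for. A signed link still works for anyone who holds a copy of the e-mail until it expires, so the expiry window is the main control over forwarded messages.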