GetSimple Support Forum

Full Version: Password Protect Plugin for GS
Password Protect
Password Protect lets GetSimple CMS users assign a password to their pages; a user can enter a password to gain access to the page.

A very simple plugin to use, ideal for webmasters that need a quick and simple way to password-restrict a page.

Screenshots

Page edit form
[Image: screenshot1.png]

Frontend view password prompt
[Image: screenshot2.png]

Download
Extend
GitHub
Great idea!

I did a french lang file (http://get-simple.info/extend/plugin-lan...ugin/1023/ ), you may include it if you want.

Hmmm.. You are saving the password in clear text, aren't you?
You should never keep unhashed passwords in database/files

instead of
Code:
$note->addCData($password);

at very least use:
Code:
$xml->addChild('password', sha1($password.$a_random_salt));
$xml->addChild('salt', $a_random_salt);

addCData not required in this case.

Or even better, use PHP function specially intended for that:
http://php.net/manual/en/function.password-hash.php

regards
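
As an added example (not part of the original post or of the plugin's code), one way to apply the password_hash() suggestion to a page's XML, including upgrading a password that an earlier save left in clear text. The element names `password` and `password_hash` and the sample page are assumptions; password_hash() needs PHP 5.5 or later and hash_equals() PHP 5.6 or later.

```php
<?php
// Added example: element names and the sample page XML are constructed,
// not taken from the plugin.

// Store only a salted, slow hash; password_hash() generates and embeds the salt.
function set_page_password(SimpleXMLElement $page, $plain)
{
    unset($page->password);        // drop any legacy cleartext node
    unset($page->password_hash);   // drop a previous hash before writing a new one
    $page->addChild('password_hash', password_hash($plain, PASSWORD_DEFAULT));
}

// Check a visitor's submission against the page. On success, legacy cleartext
// and hashes made with outdated parameters are replaced by a fresh hash.
function check_page_password(SimpleXMLElement $page, $submitted)
{
    if (isset($page->password_hash)) {
        $hash = (string) $page->password_hash;
        if (!password_verify($submitted, $hash)) {
            return false;
        }
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            set_page_password($page, $submitted);
        }
        return true;
    }
    if (isset($page->password)) {  // cleartext written by an older save
        if (!hash_equals((string) $page->password, $submitted)) {
            return false;          // constant-time comparison, no match
        }
        set_page_password($page, $submitted);
        return true;
    }
    return true;                   // no password set on this page
}

// Constructed sample: a page that still carries a cleartext password.
$page = new SimpleXMLElement(
    '<item><title>Members</title><password><![CDATA[s3cret]]></password></item>'
);

var_dump(check_page_password($page, 'wrong'));   // wrong guess, page left untouched
var_dump(check_page_password($page, 's3cret'));  // correct: cleartext node is migrated
var_dump(isset($page->password));                // is the cleartext node still there?
var_dump(check_page_password($page, 's3cret'));  // now verified against the hash
echo $page->asXML(), "\n";                       // what would be written to disk
```

With only the hash on disk, the edit form can no longer display the current password; it can only set a new one.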
(2016-03-14, 00:36:43)Bigin Wrote: [ -> ]You should never keep unhashed passwords in database/files

instead of
Code:
$note->addCData($password);

at very least use:
Code:
$xml->addChild('password', sha1($password.$a_random_salt));
$xml->addChild('salt', $a_random_salt);

addCData not required in this case.

Or even better, use PHP function specially intended for that:
http://php.net/manual/en/function.password-hash.php

regards


Yes, in ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
  • The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
  • It is only viewable to admins.
  • If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password protected page.
  • The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.

(2016-03-13, 23:31:18)Charpy1 Wrote: [ -> ]Great idea!

I did a french lang file (http://get-simple.info/extend/plugin-lan...ugin/1023/ ), you may include it if you want.

Hmmm.. You are saving the password in clear text, aren't you?

Thanks!
I have included the translation in GitHub, will put it out into extend soon.
(2016-03-14, 04:53:44)HelgeSverre Wrote: [ -> ]Yes, in ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
  • The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
  • It is only viewable to admins.
  • If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password protected page.
  • The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.

I do not see any reason why you would want to store the password in plain text, it's definitely not correct!
(2016-03-14, 05:25:35)Bigin Wrote: [ -> ]
(2016-03-14, 04:53:44)HelgeSverre Wrote: [ -> ]Yes, in ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
  • The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
  • It is only viewable to admins.
  • If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password protected page.
  • The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.

I do not see any reason why you would want to store the password in plain text, it's definitely not correct!

You are free to use another plugin or create your own in that case.
Please don't take it that way. You shouldn't be offended, and everyone here is thankful to you for contributing to GS with this plugin.

You also have to consider that if you share your plugin, others may not have the same needs that you have. Security isn't a small issue, for both the integrity of the GS websites and the GS reputation.

I think that for such a plugin, both password AND page content have to be stored hashed, with salt, AES1024 and everything! I don't have enough skills to improve it by myself, however.
I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario. Visible password is a feature also for sharing.
(2016-03-14, 07:22:44)shawn_a Wrote: [ -> ]I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario. Visible password is a feature also for sharing.

Yup, was what I thought as well.
You made a point. But you can't assume that the page content isn't some vital information, so.. hmm.
Well, it's also possible to make password encryption an option, I guess...?
(2016-03-14, 07:22:44)shawn_a Wrote: [ -> ]I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario.

The same: that is no reason to store a password in plain text.
Most people want to remember their password, so they use the same password everywhere at admin and front-end email etc. I do know people that accidentally deleted or have not uploaded important files like .htaccess, so that the xml files were accessible in a browser by DIRECT URL ACCESS like "www.website.com/data/pages/welcome_here_is_my_pass.html"

(2016-03-14, 07:22:44)shawn_a Wrote: [ -> ]Visible password is a feature also for sharing.

Yes, maybe in the old days (10 years ago), just like sending a new password in plaintext by email, on request :)
(2016-03-14, 18:17:27)Bigin Wrote: [ -> ]
(2016-03-14, 07:22:44)shawn_a Wrote: [ -> ]I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario.

The same: that is no reason to store a password in plain text.
Most people want to remember their password, so they use the same password everywhere at admin and front-end email etc. I do know people that accidentally deleted or have not uploaded important files like .htaccess, so that the xml files were accessible in a browser by DIRECT URL ACCESS like "www.website.com/data/pages/welcome_here_is_my_pass.html"

(2016-03-14, 07:22:44)shawn_a Wrote: [ -> ]Visible password is a feature also for sharing.

Yes, maybe in the old days (10 years ago), just like sending a new password in plaintext by email, on request :)

I said no.
Very useful.
Thank you!

C.
Hi there,
I've just installed the plugin but it makes my website blank...
No panic, just delete the php file under "plugins" and the folder and the website comes back.
I've tried a couple of times, always the same result.
Am I missing something?
thanks

Nico
(2016-04-04, 23:55:06)nicolap Wrote: [ -> ]Hi there,
I've just installed the plugin but it makes my website blank...
No panic, just delete the php file under "plugins" and the folder and the website comes back.
I've tried a couple of times, always the same result.
Am I missing something?
thanks

Nico

Actually it makes me install it, but then it gives me an error and the plugin gets automatically disabled; afterwards the website gets empty.
Turn debug on or check your error log in data/other/logs/. It sounds like a PHP error in the plugin.
(2016-04-05, 06:37:49)shawn_a Wrote: [ -> ]Turn debug on or check your error log in data/other/logs/. It sounds like a PHP error in the plugin.

Thanks, Will check it out when I have a spare moment.
I've also tried with another connection (home), but when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.

thanks for a hint

Nicola

www.lamossa.net
(2016-04-07, 05:56:59)nicolap Wrote: [ -> ]I've also tried with another connection (home), but when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.

thanks for a hint

Nicola

www.lamossa.net

What web host are you using?
(2016-04-07, 22:32:04)HelgeSverre Wrote: [ -> ]
(2016-04-07, 05:56:59)nicolap Wrote: [ -> ]I've also tried with another connection (home), but when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.

thanks for a hint

Nicola

www.lamossa.net

What web host are you using?

lamossa.net is under F5 BIG-IP APACHE hosted by OVH
I've also tried the plugin at lamichetta.it, that is under LINUX APACHE hosted by ARUBA
same result, the website gets blank.
I've tried this from my company network and from home with a private connection

Is it the first time you hear of such a bug...?

thanks
Might be a PHP version problem; the error log will say a fatal error if you have a white screen of death.
Do you know which PHP version you are running on? I used a short array declaration "[]" in the plugin; if your PHP version doesn't support that, it could possibly cause the errors you are having.
I am receiving the same thing. I activate the plugin and site goes blank.

Turned on debugging and got this:

Code:
Parse error: syntax error, unexpected '[' in /plugins/password_protect.php on line 56


Running PHP 5.3
(2016-04-15, 12:33:54)mengi Wrote: [ -> ]I am receiving the same thing. I activate the plugin and site goes blank.

Turned on debugging and got this:


Code:
Parse error: syntax error, unexpected '[' in /plugins/password_protect.php on line 56


Running PHP 5.3


This is because your PHP version is too old to understand shorthand array syntax "$variable = [];".

Upgrade your PHP version.
(2016-04-21, 18:33:02)HelgeSverre Wrote: [ -> ]This is because your PHP version is too old to understand shorthand array syntax "$variable = [];".

Upgrade your PHP version.

If you just changed that line to $html = array(); your plugin would be compatible with PHP 5.2, which, by the way, is the minimum required by GS.
There are many many hosts using PHP 5.3 (and quite a lot with 5.2)