Protect kirby pages

gistfile1.txt

# The Snippet


<?php

// getting the username and password
$LOGIN_INFORMATION = array(
  (string)$page->benutzernamen() => $page->passwort()
//  'user' => 'password',
);

// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', true);

// User will be redirected to this page after logout
define('LOGOUT_URL', 'http://www.kreisvier.ch');

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 10);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', flalse);

// setting end

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
  header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
  
<?php snippet('header') ?>

<!-- Login -->
<hr />
<hr />
<div class="container">
  <div class="row">
    <div class="twocol"></div>
    <div class="eightcol">
    	<h1>Anmeldung erforderlich:</h1>
        <h3><span style="color:#DB1010"><?php echo $error_msg; ?></span></h3>
        <form method="post">
			<input type="input" name="access_login" class="protect" /><br />
			<input type="password" name="access_password" class="protect" /><br /><br />
			<input type="submit" name="Anmelden" value="Anmelden" class="button" />
		</form>        
      </div>
    </div>
    <div class="twocol last"></div>
  </div>
</div>
  
<?php snippet('footer') ?>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
  $pass = $_POST['access_password'];
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) ) 
  ) {
    showLoginPasswordProtect("Ihre Zugangsdaten sind ungültig. Melden Sie sich bitte bei Ihrem Berater.");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
    
    // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
    // So need to clear password protector variables
    unset($_POST['access_login']);
    unset($_POST['access_password']);
    unset($_POST['Submit']);
  }

}

else {

  // check if password cookie is set
  if (!isset($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    if ($_COOKIE['verify'] == md5($lp)) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLoginPasswordProtect("");
  }

}

?>

# The PHP Template
## Goes on line one of the template

<?php
if ($page->passwort() != '')
  snippet('protect');
?>

# The Content Text File

Benutzernamen: 

----

Passwort: 

Pretty cool idea in general, but having the username and password stored in the content txt is very insecure. Anyone who knows the structure of Kirby could just try to open the matching txt file in the browser and read the password and username. Would be better to store them in a file, which is not in the document root of the site somewhere and then include it.

True - I went with this not for tight security but just for a quick way how to block it. You can also include the passwords like this in PHP:

// getting the username and password
$LOGIN_INFORMATION = array(
user1 => pass1,
user2 => pass2,
// 'user' => 'password',
);