Password protect your blog

Freshness Warning
This article is over 14 years old. It's possible that the information you read below isn't current.

I’ve got a new project, let’s call it Project X, and one of the things I needed to do was set up a password-protected blog on an existing installation of Movable Type. Everyone that has a user account in MT needs to be able to view the blog. I also needed to use basic HTTP authentication so that the RSS feed could be password protected but still be accessed by feed readers that know the password.

I created a single PHP file that is included at the top of each page in the blog, including the RSS feed. In order to get the PHP included, each page needs to be processed by PHP. You’ll need to use all .php file extensions (even for the RSS) or get your Web server to process HTML and XML files for PHP as well. (See the end of this article for information on doing that in Apache.)

Your Web server will now ask for a username and password before it will serve any page that includes the file. The username and password are then checked against MT’s database to see if you have the correct credentials. If you do, you won’t be asked to log in again until you close your browser.

Read on for the code. Keep in mind that this only works if you are using MySQL for a database, use PHP to output your site, and want your blog to be available to any user who can log into your copy of MT.

<?php
is_user_valid();

function is_user_valid() {
     $auth=false;
     if (isset( $_SERVER['PHP_AUTH_USER'] ) && isset($_SERVER['PHP_AUTH_PW'])) { 
  		$db=mysql_connect ("localhost", "yourusername", "yourpassword") or die ('I cannot connect to the database.');
  		mysql_select_db ("yourdatabase"); 
  		$sql = "SELECT author_password FROM mt_author WHERE author_name = '".mysql_real_escape_string($_SERVER['PHP_AUTH_USER'])."'";
  		$result = mysql_query($sql) or die ("Bad query");
  		while ($row = mysql_fetch_array($result)) {
   			$real_pass = $row['author_password'];
   		}
  		if (crypt($_SERVER['PHP_AUTH_PW'], substr($real_pass, 0, 2)) == $real_pass) {
   			$auth = true;
   		}
      } 
     if (!$auth) { 
          header( 'WWW-Authenticate: Basic realm="The hidden Blog"' ); 
          header( 'HTTP/1.0 401 Unauthorized' ); 
          echo 'Authorization Required.'; 
          exit(); 
      } else { 
          return true; 
      } 
}
?>

To get Apache to run HTML and XML files as PHP just add the following to your .htaccess file…

AddType application/x-httpd-php .html
AddType application/x-httpd-php .xml

Adam Kalsey
August 14, 2004 9:59 PM

Bill: Those two variables are set when by the Web server when you submit the basic authentication form. The loop isn't really a problem since the SQL always returns one row. So it only executes once. Scott: The MySQL auth module should work, but as you said, you need to me able to install a module. Most people can't. I'd also want to review the source of that before using it. (And you have to be using Apache.) An alternative would be to write an authentication wrapper for Apache in Perl if you have mod_perl running.

Trackback from synapse
August 14, 2004 11:25 PM

Password protection and MT

Excerpt: Adam Kalsey has a dandy way to restrict your Movable Type blog to authors only.

cVaughn
August 15, 2004 12:37 PM

This looks exactly like what I need. You mentioned 5.0 won't work. I've got php4.3.4- will it work? I'm also running cgi-wrap (php-cgiwrap), using mySQL, and configured for php files.

Joey Horne
September 2, 2004 2:19 PM

When applying this code, I get the following error: Warning: main(protect.php): failed to open stream: No such file or directory in /home/jhornef/public_html/journal/index.php on line 5 Warning: main(): Failed opening 'protect.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/jhornef/public_html/journal/index.php on line 5 Any ideas?

Adam Kalsey
September 2, 2004 2:26 PM

You have an error that says Warning: main(protect.php): failed to open stream: No such file or directory That always means you're trying to include a file that doesn't exist. Either protect.php isn't on your server or it iisn't in the spot on your server where journal/index.php is at.

brad
September 6, 2004 12:35 PM

it's not working for me. it seems it never enters the first "if" loop. using php 4.3.8

Trackback from Mama Write's Sideblog
September 14, 2004 11:11 AM

Password Please

Excerpt: Password protect a blog using MT author credentials. Something to consider if/when I include blogs in my 102 course website....

Trackback from Mama Write's Sideblog
September 14, 2004 11:19 AM

Password Please!

Excerpt: How to password protect a blog using MT author credentials. Intriguing idea for my 102 website if/when I include blogging as a course requirement....

Trackback from sideblog
September 17, 2004 3:45 PM

Need a password?

Excerpt: Password protect your blog :: Kalsey Consulting Group...

Trackback from Links
September 17, 2004 10:11 PM

Password Protecting Your Blog

Excerpt: In case you want to password protect an entry in Movable Type.

Christian
September 18, 2004 9:32 AM

There's a problem with the code. One of your curly brackets (whatever) is in the wrong place. The while statements should contain the following if statement. Like this: while ($row = mysql_fetch_array($result)) { $real_pass = $row['author_password']; if (crypt($_SERVER['PHP_AUTH_PW'], substr($real_pass, 0, 2)) == $real_pass) { $auth = true; }//end if }//end while

Trackback from Five Live Links
November 3, 2004 11:31 AM

Password protect your blog :: Adam Kalsey

Excerpt: Only works for some blogs and some hosts (where you control the templates, and can add and execute PHP). But still useful....

ByteRun
November 17, 2004 12:46 PM

Probably last statement else statement ( ...} else { return true; }... ) is useless because function always returns true or stops execution.

Ton Ensing
November 17, 2005 2:07 PM

Discovered this more than a year later but it's great nonetheless. I'm curious though if it would be possible to limit access to the author(s) associated with the blog_id=x, not just every author in the MySQL database.

crys
December 8, 2005 1:44 PM

So, I'm trying to password protect my blog, could you break down the instructions for me? I'm sorry, I am a little computer illiterate. Thanks Crys

These are the last 15 comments. Read all 24 comments here.

This discussion has been closed.

Follow me on Twitter

Best Of

  • How not to apply for a job Applying for a job isn't that hard, but it does take some minimal effort and common sense.
  • Movie marketing on a budget Mark Cuban's looking for more cost effective ways to market movies.
  • California State Fair The California State Fair lets you buy tickets in advance from their Web site. That's good. But the site is a horror house of usability problems.
  • Customer reference questions. Sample questions to ask customer references when choosing a software vendor.
  • Comment Spam Manifesto Spammers are hereby put on notice. Your comments are not welcome. If the purpose behind your comment is to advertise yourself, your Web site, or a product that you are affiliated with, that comment is spam and will not be tolerated. We will hit you where it hurts by attacking your source of income.
  • More of the best »

Recently Read

Get More

Subscribe | Archives

Recently

Assumptions and project planning (Feb 18)
When your assumptions change, it's reasonable that your project plans and needs change as well. But too many managers are afraid to go back and re-work a plan that they've already agreed to.
Feature voting is harmful to your product (Feb 7)
There's a lot of problems with using feature voting to drive your product.
Encouraging 1:1s from other managers in your organization (Jan 4)
If you’re managing other managers, encourage them to hold their own 1:1s. It’s such an important tool for managing and leading that everyone needs to be holding them.
One on One Meetings - a collection of posts about 1:1s (Jan 2)
A collection of all my writing on 1:1s
Are 1:1s confidential? (Jan 2)
Is the discussion that occurs in a 1:1 confidential, even if no agreed in the meeting to keep it so?
Skip-level 1:1s are your hidden superpower (Jan 1)
Holding 1:1s with peers and with people far below you on the reporting chain will open your eyes up to what’s really going on in your business.
Do you need a 1:1 if you’re regularly communicating with your team? (Dec 28)
You’re simply not having deep meaningful conversation about the process of work in hallway conversations or in your chat apps.
What agenda items should a manager bring to a 1:1? (Dec 23)
At least 80% of a 1:1 agenda should be driven by your report, but if you also to use this time to work on things with them, then you’ll have better meetings.

Subscribe to this site's feed.

Contact

Adam Kalsey

Mobile: 916.600.2497

Email: adam AT kalsey.com

Twitter, etc: akalsey

Resume

PGP Key

©1999-2019 Adam Kalsey.