WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Individual page password protection isn't working (9 posts)

  1. geraldisaacs
    Member
    Posted 7 years ago #

    I couldn't find a way to limit specific page access to logged-in registered website (http://whs59.net)members, and my inquiry to this forum did not get any response.

    So I tried writing a test page (page 86) and selected the password protect option. I created a password for the page. The first time I accessed the page, I entered the password (I will set a temporary password to 'testing' until I can resolve my problem), and the 'protected' page came up.

    So I logged out. Closed IE. Reentered, and tried to access the page. It came up without requiring any password. Is this a bug? Apparently once a given computer has been used to visit my site, any user has perpetual access to page 86 from that computer, either by tweaking the url to page 86 or by linking through the sidebar 'members' option. Can I fix this?

  2. moshu
    Member
    Posted 7 years ago #

    It came up without requiring any password. Is this a bug?

    I'd call it a "cookie" ;)

  3. geraldisaacs
    Member
    Posted 7 years ago #

    Is there some way to prevent the password from being saved in a cookie? I know that my passwords aren't saved when I enter a lot of the sites I work with, like vanguard.com or Chase.com or citibank.com or paypal.com. A cookie to access confidential data should not be left on any computer. A casual user of a publically available computer could allow a subsequent user to access the data.

  4. moshu
    Member
    Posted 7 years ago #

    I am not a cookie wizard but there should be a possibility to set the expire time of the cookie.
    Maybe someone else can help or in the meantime you could try a search.

  5. geraldisaacs
    Member
    Posted 7 years ago #

    If I knew how or where wordpress sets the cookie, I might be able to disable the command to create the cookie in the first place, or to make it expire in 10 minutes instead of a year. The codex refers to only two cookies, related to the sign-in username and password, but this is obviously another cookie, because it is not destroyed when I sign out. The codex says that the others are destroyed when you sign out.

    It would seem that someone could create a script that sends the user to the login page anytime he tries to access the protected page and sends him to the real page otherwise. But this wouldn't keep someone from fishing around for the right page number, would it?

    Another idea I saw alluded to .htaccess and .htpasswrd and protecting directories from access by non-logged-in viewers. I guess you put the private page in the protected directory, but it was too esoteric and convoluted and fragmentary for this mechanical engineer.

    Guess I'll just have to make a page that says: If you want a list of classmates with their addresses, phone numbers, and email addresses, contact the editor or the website administrator. Not eloquent, not dynamic, but it sorta does the job.

    This amounts to a rather disappointing semi-hemi-demi-quasi-faux-resolution to the problem. I'll leave the status as unresolved for a while in case someone can provide further insight.

  6. geraldisaacs
    Member
    Posted 7 years ago #

    I found the magic line in /wordpress/wp-pass.php and reset the time from 10 days to 1 minute

    // 1 minute
    setcookie('wp-postpass_' . COOKIEHASH, $_POST['post_password'], time() + 60, COOKIEPATH);

    Now someone loses access if he leaves the page for more than 60 seconds, but he can get back in without re-entering the password if he tries within 60 seconds.

    Will change status to resolved.

    Thanks for your help.

  7. syncbox
    Member
    Posted 6 years ago #

    This seems counter productive to me. I'm struggling with it, too - 1 minute is too short and 1 yr too long and why is it set up in a way that requires someone to dig through core code? Is there a core function for password protecting a page that you can reference in a file (like page.php) where you could say:

    `if (is_page(x)) {
    wp_whateverfunctionforpassword('minutes'); }
    else {whatever}
    '

    where the function would either show a password field and button or not based on the state of the cookie?

    I mean, I'm alright with modifying core files, but isn't WP supposed to avoid having to do that?

  8. syncbox
    Member
    Posted 6 years ago #

    Um, modifying that function doesn't seem to have any effect in Firefox. I had to physically go into my Firefox cookies and manually remove the cookie to get the password form to show back up for a test page.

    weird.

    this after setting it to the 60 seconds per the above suggestions and then using web developer tools to clear cookies.

    any suggestions anyone?

  9. Babas
    Member
    Posted 6 years ago #

    Hey,
    Please could you (the helpful answerers) do not forget his initial question that was :
    ... how to restrict access to certain pages to valid logged-in users....
    without any answer that is why the member started to change code about cookie, which is not really relevant to my experience.
    Can anyone say if the requested functionnality still exist in WP ? how to do it ? or when will it be added into next release if the team seems it relevant....
    Thank you

Topic Closed

This topic has been closed to new replies.

About this Topic