你如何用密码保护博主帖子?

时间:2013-03-19 05:45:00

标签: php javascript blogger protection

我已经多次看过这个问题 - 只是不在这里。这一点的答案都说在javascript中使用使用凭证(我们都知道客户端凭据无法进行身份验证:)

场景是我想在我的博客上控制某个页面 - 直到我把它放到每个人身上。我有自己的域名,所以我可以托管php脚本。我已经尝试过Blogger的阅读器过滤器了 - 这很棒,但是对于没有Gmail帐号的观众来说,这是一个真正的痛苦

1 个答案:

答案 0 :(得分:0)

这是我的解决方案(使用Javascript - 但客户端没有用户+密码验证)。这是一场黑客攻击 - 但是在我吃饭之前,我还有其他的鱼可以捕获并且还有很长的路要走。

 The initial page call is this:
    http://YOUR.DOMAIN.COM/manager.php?p=login
 That prompts for the username and password 
        - ala this: http://www.php.net/manual/en/features.http-auth.php
 After login some encryption is done on an authentication cookie 
        - ala this: http://php.net/manual/en/function.mcrypt-decrypt.php
        -  or this: http://php.net/manual/en/function.openssl-decrypt.php
 The cookie is set
        - ala this: http://www.php.net/manual/en/function.setcookie.php
 And then the php file calls this present page via the following 
        - header('Location: http://YOUR2.DOMAIN.COM/p/page.html');
 * YOUR2.DOMAIN.COM points to blogger; the page is this file here which will grab the file data and insert it into a div on the page
        - see info here: http://support.google.com/blogger/bin/static.py?hl=en&ts=1233381&page=ts.cs
 Based on the param and confirming that the cookie is valid, manager.php gets the real file data and sends it out
        - ala this: http://php.net/manual/en/function.file-get-contents.php

将以下内容放入空白的Blogger页面 - 注意更换YOUR.DOMAIN.COM的实例

<script type="text/javascript" src="http://YOUR.DOMAIN.COM/scripts/jquery-1.8.3.min.js"></script>
<script type='text/javascript'>
 var $pageUrl = "http://YOUR.DOMAIN.COM/manager.php?p=page1"; // so cool how you could setup your own domain!

 function doInitStuff()
 {
    if ($alreadyInited) return; 
    $alreadyInited = true;
    // a little hack - because though I said share cookies among (*) ".DOMAIN.COM" it wasn't getting sent
    // although it's obviously there since we get it here on YOUR2.DOMAIN.COM (originally set on YOUR.DOMAIN.COM)
    $cookies = document.cookie; 

    $result = $.ajax
    ({
        type: "GET",
        url: $pageUrl,
        dataType: 'json', // or whatever
        async: false, // force this to complete before moving on (should be quick though - since already logged in)
        //   username: 'username', // would get these from a prompt/html form - but should have already gone directly to the site to authenticate
        //   password: 'password', // did it that way, because wasn't able to get the u/p to be properly sent... this new way is better anyway
        data: $cookies, // send along the cookies - they should show up in $_GET
        success: function (result, status, jqXHR){
            // good - but for some reason wasn't getting result - just move on...
        },
        error: function (){
            // not good
        }
    });

    if ($result.status == 200)
    {
        // insert our data into our nice Div
        $('#realpageinfo').html($result.responseText);
    }

    // grrrrrr. ie strikes again! use iframes instead
    var isMSIE = eval("/*@cc_on!@*/!1");
    if ($('#realpageinfo').html() == '' || isMSIE)
    {
        //$('#realpageinfo').replaceWith("<div id='realpageinfo' style='font-weight:bold;color:red'>Internet Explorer? Sorry, but please use a different Browser.</div>");
        $('#realpageinfo').replaceWith("<div id='realpageinfo'><iframe id='realpageframe' style='width:100%;height:700px' src='" + $pageUrl + "'></iframe></div>");
    }
 }

 // Don't mind this - multiple ways to ensure the main worker function is called
 var $alreadyInited = false;
 $(document).ready(function() { doInitStuff(); });
 window.addEventListener('DOMContentLoaded',function() { doInitStuff(); });

</script>

<div id='realpageinfo'></div>

现在是服务器端

<?php
    $cookieName = 'my_auth_cookie';
    $loggedInCookieVal = $_COOKIE[$cookieName];

    if (!isset($loggedInCookieVal))
    {
            $loggedInCookieVal = $_GET[$cookieName]; // was it passed in instead of coming through the Cookie channel?
    }

    // if $loggedInCookieVal is set, decrypt it and pull username + pwd from it - if succeeds, set $cookieValsDecrypted
    // otherwise see if the user just sent them back in response to a challenge

    // these are empty before login - and set in response to the challenge
    $curUser = $_SERVER['PHP_AUTH_USER'];
    $curPswd = $_SERVER['PHP_AUTH_PW'];

    if (!$cookieValsDecrypted && (!isset($curUser) || !isset($curPswd)))
    {
        // ask the user to authenticate (again if have to)

        header('WWW-Authenticate: Basic realm="YOUR.DOMAIN.COM"');
        header('HTTP/1.0 401 Unauthorized');

        echo "You gotta login bud - but you canceled instead";

        exit;

    } else {

        // check $curUser and $curPswd against a db or .htpasswd file, etc - or check $cookieValsDecrypted

        // if all good then send the file
        if ($matched)
        {
            switch($_GET['p'])
            {
                case 'login': // just came here to login - now done, go on to the real page that pulls the value
                    header('Location: http://YOUR2.DOMAIN.COM/p/page.html');
                break;

                case 'page1':
                    echo file_get_contents ('./page1.txt'); // show the date
                break;
            }
        } else {
            // else send the auth request again
            header('WWW-Authenticate: Basic realm="YOUR.DOMAIN.COM"');
            header('HTTP/1.0 401 Unauthorized');

            echo "Try something else, maybe";
        }
    }
?>

就是这样......随意改进。请在此处查看ClyntonCaines.Com

相关问题
最新问题