Password Protected - Version 1.2

Version Description

  • Use cookies instead of sessions.

Release Info

Developer husobj
Version 1.2

Code changes from version 1.1 to 1.2

Files changed (3) hide show
  1. password-protected.php +152 -15
  2. readme.txt +6 -2
  3. theme/login.php +1 -0
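--- a/password-protected.php
+++ b/password-protected.php
@@ -4,7 +4,7 @@
  Plugin Name: Password Protected
  Plugin URI: http://www.benhuson.co.uk/
  A very simple way to quickly password protect your WordPress site with a single password. Integrates seamlessly into your WordPress privacy settings.
- Version: 1.1
+ Version: 1.2
  Author: Ben Huson
  Author URI: http://www.benhuson.co.uk/
  License: GPLv2
@@ -27,17 +27,13 @@ along with this program; if not, write to the Free Software
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
- // Start session if not already started...
- if ( session_id() == '' )
- session_start();
-
  // Setup Password Protected
  global $Password_Protected;
  $Password_Protected = new Password_Protected();
 
  class Password_Protected {
 
- var $version = '1.1';
+ var $version = '1.2';
  var $admin = null;
  var $errors = null;
 
@@ -67,6 +63,8 @@ class Password_Protected {
 
  /**
  * Disable Feeds
+ *
+ * @todo An option/filter to prevent disabling of feeds.
  */
  function disable_feeds() {
  add_action( 'do_feed', array( $this, 'disable_feed' ), 1 );
@@ -93,18 +91,28 @@ class Password_Protected {
  $pwd = get_option( 'password_protected_password' );
  // If correct password...
  if ( md5( $password_protected_pwd ) == $pwd && $pwd != '' ) {
- $_SESSION[$this->get_site_id() . '_password_protected_auth'] = 1;
+ $this->set_auth_cookie();
+ if ( ! empty( $_REQUEST['redirect_to'] ) ) {
+ wp_redirect( $_REQUEST['redirect_to'] );
+ exit;
+ }
  } else {
  // ... otherwise incorrect password
+ $this->clear_auth_cookie();
  $this->errors->add( 'incorrect_password', 'Incorrect Password' );
  }
  }
 
  // Log out
- if ( isset( $_REQUEST['action'] ) && $_REQUEST['action'] == 'logout' ) {
- $_SESSION[$this->get_site_id() . '_password_protected_auth'] = 0;
- $this->errors = new WP_Error();
- $this->errors->add( 'logged_out', __( 'You are now logged out.' ), 'message' );
+ if ( isset( $_REQUEST['password-protected'] ) && $_REQUEST['password-protected'] == 'logout' ) {
+ $this->logout();
+ $redirect_to = remove_query_arg( array( 'password-protected', 'redirect_to' ), ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
+ $query = array(
+ 'password-protected' => 'login',
+ 'redirect_to' => urlencode( $redirect_to )
+ );
+ wp_redirect( add_query_arg( $query, home_url() ) );
+ exit();
  }
  }
 
@@ -117,12 +125,21 @@ class Password_Protected {
  return;
 
  // Logged in
- if ( isset( $_SESSION[$this->get_site_id() . '_password_protected_auth'] ) && $_SESSION[$this->get_site_id() . '_password_protected_auth'] == 1 )
+ if ( $this->validate_auth_cookie() )
  return;
 
  // Show login form
- include( dirname( __FILE__ ) . '/theme/login.php' );
- exit();
+ if ( isset( $_GET['password-protected'] ) && 'login' == $_GET['password-protected'] ) {
+ include( dirname( __FILE__ ) . '/theme/login.php' );
+ exit();
+ } else {
+ $query = array(
+ 'password-protected' => 'login',
+ 'redirect_to' => urlencode( ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] )
+ );
+ wp_redirect( add_query_arg( $query, home_url() ) );
+ exit();
+ }
  }
 
  /**
@@ -130,7 +147,127 @@ class Password_Protected {
  */
  function get_site_id() {
  global $blog_id;
- return apply_filters( 'password_protected_blog_id', $blog_id );
+ return 'bid_' . apply_filters( 'password_protected_blog_id', $blog_id );
+ }
+
+ /**
+ * Logout
+ */
+ function logout() {
+ $this->clear_auth_cookie();
+ do_action( 'password_protected_logout' );
+ }
+
+ /**
+ * Validate Auth Cookie
+ */
+ function validate_auth_cookie( $cookie = '', $scheme = '' ) {
+ if ( ! $cookie_elements = $this->parse_auth_cookie( $cookie, $scheme ) ) {
+ do_action( 'password_protected_auth_cookie_malformed', $cookie, $scheme );
+ return false;
+ }
+ extract( $cookie_elements, EXTR_OVERWRITE );
+
+ $expired = $expiration;
+
+ // Allow a grace period for POST and AJAX requests
+ if ( defined( 'DOING_AJAX' ) || 'POST' == $_SERVER['REQUEST_METHOD'] )
+ $expired += 3600;
+
+ // Quick check to see if an honest cookie has expired
+ if ( $expired < time() ) {
+ do_action('password_protected_auth_cookie_expired', $cookie_elements);
+ return false;
+ }
+
+ $pass = md5( get_option( 'password_protected_password' ) );
+ $pass_frag = substr( $pass, 8, 4 );
+
+ $key = md5( $this->get_site_id() . $pass_frag . '|' . $expiration );
+ $hash = hash_hmac( 'md5', $this->get_site_id() . '|' . $expiration, $key);
+
+ if ( $hmac != $hash ) {
+ do_action( 'password_protected_auth_cookie_bad_hash', $cookie_elements );
+ return false;
+ }
+
+ if ( $expiration < time() ) // AJAX/POST grace period set above
+ $GLOBALS['login_grace_period'] = 1;
+
+ return true;
+ }
+
+ /**
+ * Generate Auth Cookie
+ */
+ function generate_auth_cookie( $expiration, $scheme = 'auth' ) {
+ $pass = md5( get_option( 'password_protected_password' ) );
+ $pass_frag = substr( $pass, 8, 4 );
+
+ $key = md5( $this->get_site_id() . $pass_frag . '|' . $expiration );
+ $hash = hash_hmac( 'md5', $this->get_site_id() . '|' . $expiration, $key );
+ $cookie = $this->get_site_id() . '|' . $expiration . '|' . $hash;
+
+ return $cookie;
+ }
+
+ /**
+ * Parse Auth Cookie
+ */
+ function parse_auth_cookie( $cookie = '', $scheme = '' ) {
+ if ( empty( $cookie ) ) {
+ $cookie_name = $this->cookie_name();
+
+ if ( empty( $_COOKIE[$cookie_name] ) )
+ return false;
+ $cookie = $_COOKIE[$cookie_name];
+ }
+
+ $cookie_elements = explode( '|', $cookie );
+ if ( count( $cookie_elements ) != 3 )
+ return false;
+
+ list( $site_id, $expiration, $hmac ) = $cookie_elements;
+
+ return compact( 'site_id', 'expiration', 'hmac', 'scheme' );
+ }
+
+ /**
+ * Set Auth Cookie
+ * @todo
+ */
+ function set_auth_cookie( $remember = false, $secure = '') {
+ if ( $remember ) {
+ $expiration = $expire = time() + apply_filters( 'password_protected_auth_cookie_expiration', 1209600, $remember );
+ } else {
+ $expiration = time() + apply_filters( 'password_protected_auth_cookie_expiration', 172800, $remember );
+ $expire = 0;
+ }
+
+ if ( '' === $secure )
+ $secure = is_ssl();
+
+ $secure_password_protected_cookie = apply_filters( 'password_protected_secure_password_protected_cookie', false, $secure );
+ $password_protected_cookie = $this->generate_auth_cookie( $expiration, 'password_protected' );
+
+ setcookie( $this->cookie_name(), $password_protected_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_password_protected_cookie, true );
+ if ( COOKIEPATH != SITECOOKIEPATH )
+ setcookie( $this->cookie_name(), $password_protected_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_password_protected_cookie, true );
+ }
+
+ /**
+ * Clear Auth Cookie
+ */
+ function clear_auth_cookie() {
+ setcookie( $this->cookie_name(), ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN );
+ setcookie( $this->cookie_name(), ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN );
+ }
+
+ /**
+ * Cookie Name
+ */
+ function cookie_name() {
+ return $this->get_site_id() . '_password_protected_auth';
  }
 
  /**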
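Review bot: The cookie MAC in `generate_auth_cookie()` and `validate_auth_cookie()` is keyed with nothing that is secret to the server: the key is an md5 of the site id, `$pass_frag` and the expiration, where the site id and expiration travel in the cookie itself and `$pass_frag` is only four hex characters of a hash, so the signature protects little beyond those 16 bits. Mixing in the install's salt, as core does for its own auth cookies, would close that gap: `$key = wp_hash( $this->get_site_id() . $pass_frag . '|' . $expiration );` in both functions. The check `if ( $hmac != $hash )` is a loose, non-constant-time comparison of two hex strings; `if ( ! hash_equals( $hash, $hmac ) )` (or at least `!==`) avoids numeric-string juggling. Separately, the login branch calls `wp_redirect( $_REQUEST['redirect_to'] )` on a request-supplied URL without validation; `wp_safe_redirect( $_REQUEST['redirect_to'] )` would restrict it to allowed hosts.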
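--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://www.benhuson.co.uk/donate/
  Tags: password, protect, password protect, login
  Requires at least: 3.0
  Tested up to: 3.3.1
- Stable tag: 1.1
+ Stable tag: 1.2
 
  A very simple way to quickly password protect your WordPress site with a single password. Integrates seamlessly into your WordPress privacy settings.
 
@@ -52,10 +52,14 @@ If you can, please [fork the code](https://github.com/benhuson/password-protecte
 
  == Changelog ==
 
+ = 1.2 =
+
+ * Use cookies instead of sessions.
+
  = 1.1 =
 
  * Encrypt passwords in database.
 
  = 1.0 =
 
- * First Release. If you spot any bugs or issues please [log them here](https://github.com/benhuson/password-protected/issues).
+ * First Release. If you spot any bugs or issues please [log them here](https://github.com/benhuson/password-protected/issues).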
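--- a/theme/login.php
+++ b/theme/login.php
@@ -118,6 +118,7 @@ do_action( 'password_protected_login_head' );
  <p class="submit">
  <input type="submit" name="wp-submit" id="wp-submit" class="button-primary" value="<?php esc_attr_e( 'Log In' ); ?>" tabindex="100" />
  <input type="hidden" name="testcookie" value="1" />
+ <input type="hidden" name="redirect_to" value="<?php echo $_REQUEST['redirect_to']; ?>" />
  </p>
  </form>
 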
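Review bot: The added hidden field echoes `$_REQUEST['redirect_to']` into an HTML attribute without escaping, so request-supplied text is written into the login page as markup (reflected XSS on the page that collects the site password). It also raises an undefined-index notice when the parameter is absent. Escape and default it: `value="<?php echo esc_attr( isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '' ); ?>"`. The form this field belongs to starts outside the hunk.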