By Stephen Bucaro
If you want to restrict access to your website to only members or subscribers, how can you
implement password protection? If you own the server, or if your web host provider allows, you
can use the servers built-in security features. If your Web host provider allows you to run custom
scripts, you can use a php or asp script to implement password protection.
But what if you're using a free host or a pay host that does not allow custom scripts? You
protection. Cookies are unreliable because the users browser cookie cache can hold only a limited
number of cookies. When the cookie cache fills up, and new cookies are created, the oldest
cookies in the cache are deleted.
So when the user leaves your website, and the other websites that they visit dump a load of
cookies in their browser's cookie cache, your login cookie will be deleted. If the user returns to your
website, they'll need to login again.
The cookie cache can hold only a limited number of cookies for each domain. So if you have
a bunch of affiliate scripts and advertising banners on your website, they'll dump a load of cookies
in the cookie cache and your access cookie may be deleted. Your visitor will lose access and need
to login again.
And to top things off, for security reasons, some people may have disabled cookies in their
will not be protected.
Sophisticated web users can select "View Source" in their browser's menu and view the link
in the "include" file. Knowing the path to the include file allows them to view the password. In
fact, if they select File | Save As... in their browser's menu, they can download the entire
For these reasons, this method should NOT be used for anything that absolutely MUST be
password protected. The only sure method of password protection is to use the servers built-in
security features (e.g. configure a password protected folder), or use server-side scripts.
in their browser would not have a very good browsing experience. And, most users are not
So if you're using a web host that does not allow custom scripts, and you don't want to
have to deal with server-side programming, and what you're protecting is not personal information
of password protection may be good enough.