Using PayPal with password-protected page

I thought of using a session instead, but that didn’t work out either. Unless I did it wrong.

Here is an example of what I mean. I included an md5 encoding of the password (there are many other options available). What happens is you POST the form, it encodes the password field, and redirects changing to a GET variable. From there you authenticate the GET variable.

If paypal redirects to ?password=HASH you should have a working script :slight_smile:

[php]
<?php
$password = 'blahblahblah'; // this is the required password
$token = 'YEja37guzeBARex6'; // this is a random token, it can be anything
$valid_hash = md5($token . $password); // this is the md5 hash that must match

// the password was encoded and passed to the url, let's verify that it matches $valid_hash
if (isset($_GET['password'])) {
    if ($_GET['password'] == $valid_hash) {
        echo "The password is valid.";
    } else {
        exit("Incorrect Password.");
    }
}
// the form was submitted, let's encode the password for $_GET
else if (isset($_POST['password'])) {
    $password = md5($token . $_POST['password']); // encode the password
    header('Location: ' . $_SERVER['PHP_SELF'] . '?password=' . $password); // use a header redirect to change $_POST to $_GET
    exit; // stop here so nothing below is sent before the redirect
}
?>
Password:
<!-- minimal form assumed here: it posts the "password" field back to this same page -->
<form method="post">
    <input type="password" name="password">
    <input type="submit" value="Submit">
</form>
[/php]

That looks good, but… is there a simpler solution?

FYI - The page that asks for the password is an HTML document, then the form submits the info to a PHP document that verifies the password and displays the content (or not).

You might be able to use sessions but I’m not familiar with paypal. If you post the code you used with sessions there could be something wrong.

Here’s what I tried. Didn’t work. Then again I’m not really experienced with Sessions… or PHP for that matter.

[php]
if (isset($_POST['password']) && $_POST['password'] == "blahblahblah") {
    session_start();
    $_SESSION['verified'] = 1;
}

if ($_SESSION['verified'] == 1) {
    echo "Display content.";
} else {
    echo "Display error message.";
}
[/php]

That’s about all there is to it. A much simpler method would be to have an html page that you don’t directly link to. For example

[php]
if (isset($_POST['password']) && $_POST['password'] == 'blahblahblah') {
    // password is valid, redirect to secret html
    header('Location: secret_page.html');
    exit;
}
else {
    // redirect back to login
    header('Location: login.html');
    exit;
}
[/php]

This should give paypal an HTTP_REFERER of the secret_page.html instead of the login.html

It is not as secure because secret_page.html could be accessed directly, but without actually linking to it no one would know the name of your html page. It could be “17e19c0f5b613c4d8e33a003c07b418f.html” for example.

Or maybe include a separate PHP file, and put the form on the PHP page instead of a separate HTML document?

[php]
if (isset($_POST['password']) && $_POST['password'] == "blahblahblah") {
    include "protected_page.php";
} else {
    include "denied_message.php";
}
[/php]

But I don’t know if that would solve the issue with PayPal.

Actually, there is a problem with your session code. session_start() needs to be above the if statement (it should always be the first line of your PHP file).

Because when paypal redirects back, the $_POST variable will not exist. So $_SESSION['verified'] will not exist since you only call session_start() on $_POST.

The include would not work because you are still relying on a $_POST variable to be present. Paypal isn’t sending a POST
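The corrected session flow described above, as an added example that is not code from any poster in this thread: session_start() runs unconditionally, the login POST stores the result in the session and redirects, and the later GET request (PayPal's redirect back) is checked against the session alone. It assumes this file is the page PayPal returns to; hash_equals() is used in place of the thread's "==" comparison.

```php
<?php
// Added example (not from the thread): a session-gated page that survives
// PayPal's redirect back, because the verified state lives in $_SESSION
// rather than in $_POST. Assumes this file is the page PayPal returns to.
session_start();                       // must run before any $_SESSION access

$required = 'blahblahblah';            // the required password, as in the thread

// Step 1: the login form was submitted: verify and remember the result.
if (isset($_POST['password'])) {
    // hash_equals() compares in constant time and avoids "==" type juggling
    if (hash_equals($required, (string) $_POST['password'])) {
        session_regenerate_id(true);   // fresh id so a pre-login id is not reused
        $_SESSION['verified'] = true;
    } else {
        unset($_SESSION['verified']);  // a wrong password clears any earlier login
    }
    // Redirect so the browser is left on a plain GET URL, not a re-submittable POST
    header('Location: ' . $_SERVER['PHP_SELF']);
    exit;
}

// Step 2: every later request (including PayPal's GET redirect) is decided by
// the session only; no $_POST data is needed any more.
if (!empty($_SESSION['verified'])) {
    echo 'Display content.';
} else {
    echo 'Display error message.';
}
```

In a real deployment the password would be stored as a password_hash() value and checked with password_verify() rather than kept in the source.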

Doing that ruined the password verification.

With your HTML suggestion, would Google be able to index the secret page?

Doing what? Moving session_start() ??

Google bots can only follow links. So long as you never link to secret_page.html it will not be indexed.

Yes, that ruined the password verification.

I think I’ll go with your suggestion of re-directing to an HTML page(s). If the secret page has a static URL and one of the privileged few sees it, they can just bookmark it and view it again in the future, without having to log in repeatedly; and sharing the URL would be no different than sharing the password, anyway.

…unless anyone else has a better solution?

Wait a minute: I have one page on my own website that isn’t linked from anywhere, but when I google my name and the name of the document, it shows up in the results. If I were to search for the name of the site and the exact title of the document, wouldn’t it show up in the results, in the same way?

Meaning, if someone were to search for “Name of site: page name” wouldn’t it show up?

I decided to try using cookies.

This is at the very top:

[php]
if (isset($_POST['password']) && $_POST['password'] == "dlady777") {
    setcookie("loggedin", "yes", time() + 3600);
}
[/php]

Then the condition statement further down:

[php]
if (isset($_COOKIE['loggedin']) && $_COOKIE['loggedin'] == "yes") {
    echo "Display content.";
} else {
    echo "Display error message.";
}
[/php]

What happens now is the password isn’t accepted but the cookie is still set, so when I enter any random password after that it lets me through. On the positive side, this seems to solve the problem with PayPal.

What did I do wrong?

I see you marked this resolved. Did you figure it out? Without seeing your full code it’s hard to know where the problem is. Cookies and sessions should work the same.

Yup, I finally got it working. Here’s what I came up with.

At the top:

[php]
session_start();
$id = session_id();
$password = "dlady777";

if (isset($_POST['password'])) {
    if ($_POST['password'] == $password) {
        header('Location: ' . $_SERVER['PHP_SELF'] . '?id=' . $id);
        exit;
    } else {
        $verified = FALSE;
    }
} else {
    $verified = FALSE;
}

if (isset($_GET['id'])) {
    if ($_GET['id'] == $id) {
        $verified = TRUE;
    } else {
        $verified = FALSE;
    }
}
[/php]

And the condition statement:

[php]
if ($verified == TRUE) {
    echo "Display content.";
} else {
    echo "Display error message.";
}
[/php]

Thanks for your tips.

That is essentially the same as my first solution. Instead of using an encoded password string you are using the session_id.

As long as it works for you, great :wink:

Well, with your suggestion the string was static, which meant anyone could access the page without having to put in a password, whereas now it only works for each individual in one specific browser session. I did work off of your suggestion though, so thanks.

True, but if you noticed how I added the “token”, that token could be the session_id. Something to think about :slight_smile:
