Give visitor access to password protected page/post via external script in WordPress

Overview:
On my site I want to do a customer area. There is a form where the visitor enters a name (e.g. “event_xyz”) and a password. Only some well informed circles (participants of the event xyz who want to download some files) will know the access data.
By submitting, the visitor is redirected to a pp-redirect.php which should set the cookie to access the specific site the visitor wants to access – $_POST[‘name’] equals the post’s slug.

I found this script to set that cookie and tried to solute my problem like this:

global $wp_hasher;
if ( empty( $wp_hasher ) ) {
    require_once( ABSPATH . 'wp-includes/class-phpass.php' );
    $wp_hasher = new PasswordHash(8, true);
}

setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['pw'] ) ), 0, COOKIEPATH );

wp_safe_redirect( "http://www.domain.com/wordpress/".$_POST['name'] );
exit();

But this shows me the error that in this file and in wp-includes/pluggable.php the headers were already sent. I also don’t know how the script, which is taken from the wp-login.php?action=postpass, knows which site I want to access.
Any solutions?

Post Views: 2

2 comments

Finally, I found the solution:

form.php

<form action="<?php echo bloginfo('template_directory'); ?>/pp-redirect.php" method="post">
Event: <input name="event" type="text" size="25" /><br />
Passwort: <input name="post_password" type="password" size="25" /><br />
<input name="submit" type="submit" value="Los" />
</form>

pp-redirect.php

<?php
/** Make sure that the WordPress bootstrap has run before continuing. */
require( dirname(__FILE__) . './../../../wp-load.php');
global $wp_hasher;
if ( empty( $wp_hasher ) ) {
    require_once( ABSPATH . 'wp-includes/class-phpass.php' );
    $wp_hasher = new PasswordHash(8, true);
}
if ( get_magic_quotes_gpc() )
    $_POST['post_password'] = stripslashes($_POST['post_password']);

// Expires when the browser shuts down
setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), 0, COOKIEPATH );

wp_safe_redirect( get_bloginfo('url') . "/" . $_POST['event'] );
?>

Greets!

You will need to hook that code so that it runs before any data is sent to the browser.

function remote_login_wpse_104911() {
  global $wp_hasher;
  if ( empty( $wp_hasher ) ) {
    require_once( ABSPATH . 'wp-includes/class-phpass.php' );
    $wp_hasher = new PasswordHash(8, true);
  }

  setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['pw'] ) ), 0, COOKIEPATH );

  wp_safe_redirect( "http://www.domain.com/wordpress/".$_POST['name'] );
}
add_action('template_include','remote_login_wpse_104911');

That is completely untested. I don’t have all the information I’d need to test it if I want to. 🙂 You will almost certainly have to modify that to work in the new context. But that is the idea.

Comments are closed.

Related posts

2 comments

Social Network