allow or deny access to a PHP application based on if a $_GET or $_COOKIE is set


License: GPL-2.0

Language: PHP

Developer Access https://github.com/alexgoretoy/developer_access

Allow or Deny access to a PHP Application based on if there is a $_GET or $_COOKIE variable set. Developer Access is a authentication/authorization system for PHP applications that are in development stages and are not for public view. You can also use dev acc as a main authentication for some pages, but I wouldn't keep it as a main source of authentication/authorization. It is only another layer to pertect your applications with.

Future Features:

  • Ssh Keys Authentication/Authorization
  • Multi-Factor Device Authorization/Authentication

Any and all feedback, bug fixes and feature requests are welcome. Thank you for using Developer Access.


  • Lock down a application to a key value pair access token
  • Set length in time of session
  • Limit amount of requests made with a valid access token
  • Restrict access to allowed hosts/ips on top of access token
  • Restrict to dns records matches
  • Add a secondary password, HTTP_AUTH on top of access token
  • Add, remove, clear all active access tokens


v0.2.6 : Jan. 31, 2010

  • Added a type check in the access giving section get_the_post() and added 'ctype' to 'allowed_post' array
  • Added Version number in config file so to know what version of dev acc it belongs to in future

v0.2.5 : Jan. 12, 2010

  • Removed is_numeric check from da_update(filename); updating works, make sure apache user can read and write to Developer_Access.php

v0.2.4 : Jan. 12, 2010

  • Changed undefined constant DEFAULT_DOMAIN in http_host() $default_domain; http_host(default_domain)

v0.2.3 : Jan. 12, 2010

  • Added VERSION on top of Developer_Access.php, to allow for updates to new version from github
  • Added not_authenticated(realm, type, message)
  • Added da_update() to allow for updates to current version that is on github, this is manual update, not automatic
  • Added Update Developer Access anchor at bottom of footer
  • Added update section to check if a get was sent, if sent then do update of dev acc
  • Added log_time_format to control how the time is formatted in the log file
  • Removed is_writable check in new_access_store() so it will just try to create the file, other sections will confirm

v0.2.2 : Jan. 12, 2010

  • Tested everything, DNS type and value have some bug(access not allowed, will fix later), but everything else works as expected
  • Removed echo $gop statement from delete section, it already echos what it deletes; that was during testing.
  • Made it so that calculate length affects quick add length
  • Placed calculate length inputs into a html table and added table header
  • Made quick add button float to the right

v0.2.1 : Jan, 12 2010

  • Added ctype_alnum() check when generating passwd
  • Added is_writable check when adding a new access token
  • Added is_access_readable() check to monkey_dance(user)
  • DNS and Second password still not thoroughly tested, I dont need it yet personally, just paving the way
  • Fixed delete feature, forgot to move the get_or_post() in to 0.2.0a from 0.1.3, and 0.2.0a started from 0.1.2
  • Added delete link next to each token in the table, now you can remove by submit form with name or by clicking anchor
  • Added to show valid access table after delete
  • Added a quick add button, so you dont have to scroll down to submit a empty form to get a random 1 hour token

v0.2.0a : Jan, 12, 2010

  • Unset out of program/logic scope variables, cleaned up some code and added some comments
  • Allowed_ips(CSV), allowed hosts(CSV), allowed dns records(by type and value), store user that gave access
  • moved styling to <style> tag, instead of inline styles
  • Added index 'cookie_domain' to $access_config array, this holds the domain to set token cookies to
  • Added is_access_readable() to check if $access_config['access_store'] file is readable
  • Modified new_access_store() to also echo somefile created
  • Renamed print_data_table() to output_table()
  • Added $access_config['constant_name'] which sets a constant with teh token string to use inside protected app
  • Changed $var != '' to !empty($var) ;which leaves != 'production' and != 'none', hehe)
  • Removed params to functions that use vars defined in $this
  • Added $access_config['allowed_post'] array, it holds all the form fields names and default values
  • Moved token time check after having verified the name and value of the token
  • I haven't thoroughly tested the dns feature yet, should work though

v0.1.3 : Jan. 11, 2010

  • Added checks if file exists and is readable also added function to create new storage file
  • Minor fixes, mostly focused on next major version
  • Added token_link() anchor next to each access session
  • Added get_or_post()
  • works better than before

v0.1.2 : Jan. 10, 2010

  • Added a config file developer_access_config.php that goes below public_html/ and connected config variables
  • Renamed Developer_Access constant to DEVELOPER_ACCESS for easier to read
  • Removed a good amount of constants due to config file
  • Moved log_action() inside of Developer_Access class
  • Moved show portion into print_data_table()
  • Defined private monkey_dance() to break up the give_access code
  • Defined private get_the_post() it gets the post data for give_access
  • Defined private give_me_banana() it checks for name and created time in data; found? show found link and print all, not found? give access show link and print all
  • Tested - not thoroughly but seems to be working like before. tired, gn world

v0.1.1 : Jan. 10, 2010

  • Changed call for hash_string undefined function to rand_string
  • Added example.html file to show a working example on top of index.php
  • Added $deny_url, $tokens, $log_type and $access_store to allow_deny()
  • Added show all and delete session by name
  • Added $app, $tokens and $access_store to give_access()
  • Plus alot more stuff, check the diffs if you must know

v0.1 : Jan. 10, 2010

  • Created project (initial project commit)


  • GNU/GPLv2 - see LICENSE file


Developer_Access.php is designed to be placed below your public_html/ folder and included in your main application. What it does is checks to see if a get or cookie variable is set, if it is and it matches with the allowed access in the access store then show the user the application. if not match is found, then the user is redirected to the deny_url, logging all access attempts to a log file.


CODE TESTED, works great;Runs smoothly on http://developer-access.com and my server. I plan on making it more OO and breaking the functions up and stuff as I need it. Please contribute code, ideas or resources. I plan on branching out the directory later to: php, node, python; ATM, it's only php.

To Run your App with Developer Access, you first need to setup a .htpasswd file, otherwise you will get a 401 Unauthorized:

htpasswd -c .htpasswd test
New password: 
Re-type new password: 
Adding password for user test

You can also place this into your .htaccess file if your really paranoid about security like I am. AuthUserFile /path/to/.htpasswd AuthType Basic AuthName "Developer Access" <Files "Developer_Access.php"> Require valid-user

There are two separate senarios that we must take into consideration:

  1. the place to give,remove access
  2. the place to check if there is access and deny or allow access to the application

##The place to give and/or remove access public_html/give_access.php:

  1. http_authentication protected file that reads .htpasswd file, 401 Unauthorized if no .htpasswd file or fail to authenticate.

  2. checks if $_GET['set'] variable is set, ask for authentication, 404 Not Found otherwise.

  3. show form to give access based on name, value and other parameters

  4. create array and store it on the file system to check access to main application

  5. allow to clear all access tokens

    $cf = '../developer_access_config.php'; require_once $cf;

    //include the main file, create object, allow/deny, load application require_once $access_config['access_base'];

    $da = new Developer_Access($cf); $da->give_access();

The place to check if user has access to the application public_html/index.php:

  • check if $_GET variable is set, create cookie, deny access otherwise.

    $cf = '../developer_access_config.php'; require_once $cf;

    //include the main file, create object, allow/deny, load application require_once $access_config['access_base'];

    $da = new Developer_Access($cf);

    $da = new Developer_Access(); $da->allow_deny();

    //include your application code and profit require_once '../MY_BIG_FAT_APP_OR_WHATEVER.php';

Known Bugs:

  • Delete a token by name in version 0.2.0a doesn't seem to work(fixed)


  • alex goretoy me alex@goretoy.com
  • you, for taking the time to check it out and/or using developer access; please donate resources or bug fixes.

Project Statistics

Sourcerank 5
Repository Size 176 KB
Stars 4
Forks 0
Watchers 1
Open issues 0
Dependencies 0
Contributors 1
Tags 0
Last updated
Last pushed

Top Contributors See all

Alex Goretoy

Something wrong with this page? Make a suggestion

Last synced: 2018-06-16 13:28:44 UTC

Login to resync this repository