xstitchrf

Password protection of pages

I want to protect certain pages of my site for family members only.  I've tried on my own and could not figure it out.  I just want a simple pop up window that asks user name and password when a page link is clicked.  What steps do I take?
TTom

Depends somewhat upon your server environment.

The UNIX/Apache environment uses a file called .htaccess to control access to directories.

In an NT/IIS environment, you can use NTFS authentication or you can use ASP and a database.

I believe FP also has options for controlling the security on web sites, but I am not sure about how specific you can get.  It IS available for subwebs of the root (in FP2000).  I do know that this is NOT available for a site hosted on PWS.  Check the documentation for "permissions" and look under Tools, Security, Permissions.  This option will be grayed out if it is not available.

You may need to provide some more information.

Tom
There's a free download of a working password protection system here:

http://www.powerasp.com/content/code-snippets/advanced-password-protection.asp
To simply password protect ONE page you can use something like the following :



--------------------------------------------------------------------------------

<% Response.Buffer = True %>
<% STATUS = Request("STATUS") %>
<% PASSWORD = Request("PASSWORD") %>

<% If STATUS = "CHECKEM" Then %>
      <% If PASSWORD = "sample" THEN %>
            <% Session("PASSWORDACCESS") = "Yes" %>
      <% End If %>
<% End If %>

<% If Session("PASSWORDACCESS") <> "Yes" Then %>
      <HTML>
      <BODY bgcolor="#FFFFFF">
      <form method="POST" action="thispage.asp">
      <div align="center"><center><p><input type="password" name="PASSWORD"         size="10"><br>
      <input type="hidden" value="CHECKEM" Name="STATUS" >
      <input type="submit" value="Login"></p>
      </center></div>
      </form>
      </BODY>
      </HTML>
     <% Response.End %>
<% End If %>

 
In this case the password is 'simple' and is stored as a session variable - so they don't need to continually enter the password.

You can optionally 'Response.redirect'  an unauthorised person to another page.

Most users won't be able to browse your ASP code, so they won't see the password text. For added security you could encrypt the page with the Windows Script Encoder.

ASKER

thanks guys.... this helps a lot
ASKER CERTIFIED SOLUTION
DocA

I know this is not a "high level" security question, but, right click, view source, read the username and password, and you are in.  Why bother?

If using the prompt prevents immediate access, turn off JavaScript temporarily.

Password protection via client side JavaScript is virtually worthless.

Tom
You have got to get to the page before you can view the password.
So what's to stop me from disabling JavaScript and reading the password and user ID from the page?
This is new for me.  How do you disable JavaScript?
Any user can disable JavaScript in their browser, but that's not the issue here.

Quite simply, the accepted answer is not a good solution as the actual password is easily revealed by anyone with access to the source of the page.

Since the JavaScript is on the client side, there is no way of hiding it.

If you don't have server side tools, you will need to use a Java password applet such as that available from CoffeeCup.
In Navigator, Edit, Preferences, Advanced allows you to enable or disable JavaScript in web pages or news and mail items.

Haven't checked it out on IE, but I suspect if you disable active scripting under Tools, Internet Options, that might do it.  Seems to work for me.  I'd be REALLY surprised if there were not a way.

Tom
I think DocA's thought was that you could not access the page source because of the use of the JavaScript prompt.

That makes the issue of disabling JavaScript germane, although I agree, the crux of the matter is that you can't hide the password if it is passed to the client browser.  One way or another, a user can get it.

Tom
DocA - if you don't believe us please publish a page using your method, and we'll see if we can access your password and the page contents :>
I am strictly IntraNet and cannot publish to the WWW.  I can't locate anywhere on IE where you can disable JavaScript.  Anyone?
When I tried yesterday, disabling Active Scripting in Internet Explorer seemed to kill my JavaScript.

Instructions above.

NOTE:  It does NOT specifically indicate JavaScript, so this will disable all versions of Active Scripting.

Tom
I disabled Active Scripting and, like you TTom, no scripting would work.  I guess in IE the JavaScript passwords are still secure.
That's the point!  If you disable Active Scripting, the page content should load without requesting the password or user name and without redirecting for incorrect entries.  The code (along with the user ID and password) will be available to any user who wants it.

Trust me, JavaScript passwords are NOT secure!

Tom
I have to admit, I'm not sure about anything.  I'm very new to web page building.  I've tried some previous suggestions and could not get them to work properly for me.  I don't know what I'm doing wrong, so I'm admitting defeat.  Thanks to everyone who tried to help me.  I guess I need one on one help.
TTom, I disabled Active Scripting, reloaded IE, and then did a file open browse to get my htm page.  Then I clicked on the page with the password and it would not load without a password.
I can't even get to my htm page via our home page because Active Scripting is disabled, therefore the file open method was used. I even went through Explorer and double clicked on the htm page to invoke it and still could not bypass the password.  
xstitchrf:  I looked at ossie's October 5 response with the link to the password site.  This is very complex but I am going to give it a try, but first I must seek advice from our Intranet Team that maintains the server.  Last time I tried something like this, I took the whole server down!

Thanks all.  I learned something out of this.
Thanks DocA, appreciate it.
DocA:

I just tried this.

I copied the script you provided above into an HTML document and saved it to my local server.

I accessed the page, and it (properly) requested my username and password, which I entered.  The page functioned properly.

(Using IE 5.5) I then went to Tools, Internet Options, Security and disabled Active Scripting.

When I returned to try my page, the content loaded without asking me for my username or password.

The reason you were "successful" is that IE's security settings are only applied to web access.  Opening a file directly will not be impacted by internet security settings.  In this case, JavaScript (and Active Scripting) will not be disabled.

Just for "fun", I set the Active Scripting to "Prompt", closed the browser and reopened it.  When I went to the page, it asked me if I wanted to run scripts (twice).  I answered "No" each time, and the page loaded with all the content and source available.

If you are interested in pursuing this further, try applying this setting to your home page.  Allow the scripts to run to load your content and then navigate to your "test" page.  When you get there, reply "No" to allowing scripts to run.  I am confident you will be able to get to your page content bypassing your JavaScript security!

So far as I can tell, that indicates clearly that your method is completely vulnerable to anyone more than a casual user.  That may not be a critical issue in an intranet environment, but on the web...

Sorry, but that's the way it is.

Tom
TTom.  Interesting.  Thanks.
TTom. I have tested this.  If a link goes from one page directly to another page that houses the password code, then it does open.  I do have a script set up that uses functions and looks at a password htm and continues from there to the htm page if the password is successfully set up that you cannot bypass.  It looks like explorer just throws itself into a continual loop and never quits running.
<SCRIPT language="JavaScript">
<!--
function one()
{
window.open('US/password.htm','mywindow','toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=yes,copyhistory=yes,resizable=yes');
}
//-->
</SCRIPT>

At the bottom of the page in the body, the link looks at JavaScript: one(),
*************
Interesting, huh?  I bet it's looping between the JavaScript: one() and the function one().
*************
ps:  For high security issues, do not use the JavaScript.
That's the key!
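
The point the later replies make, as an added example that is not part of the thread or any poster's code: a Node.js sketch comparing what a client-side gate and a server-side gate each send to a visitor who has not logged in. The password `sample` is borrowed from the ASP snippet earlier in the thread; the user name `family`, the realm and the page content are constructed.

```javascript
// Added example, not code from the thread. The password 'sample' is the one in
// the ASP snippet above; user name, realm and page content are constructed.
const crypto = require('crypto');

const PROTECTED = '<h1>Family photos</h1>';

// Client-side gate: the comparison runs in the browser, so the password and the
// protected markup are both inside the bytes every visitor downloads.
function clientGatedResponse() {
  const script = "<script>if (prompt('Password?') !== 'sample') " +
                 "location.href = 'denied.htm';</script>";
  return { status: 200, headers: {}, body: script + PROTECTED };
}

// Server-side gate (HTTP Basic, the browser's own login pop-up). Only a salted
// scrypt hash is stored; serve it over HTTPS, since Basic is merely base64.
const SALT = crypto.randomBytes(16);
const USERS = new Map([['family', crypto.scryptSync('sample', SALT, 32)]]);

function serverGatedResponse(authorization) {
  const denied = { status: 401, body: 'Authentication required',
                   headers: { 'WWW-Authenticate': 'Basic realm="Family pages"' } };
  const m = /^Basic ([A-Za-z0-9+\/]+=*)$/.exec(authorization || '');
  if (!m) return denied;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return denied;
  const user = decoded.slice(0, sep);
  const supplied = crypto.scryptSync(decoded.slice(sep + 1), SALT, 32);
  // Unknown users are compared against a dummy hash so both paths cost the same.
  const stored = USERS.get(user) || Buffer.alloc(32);
  const ok = crypto.timingSafeEqual(stored, supplied) && USERS.has(user);
  return ok ? { status: 200, headers: {}, body: PROTECTED } : denied;
}

// What a response hands to a client, regardless of whether scripts run.
function exposure(response) {
  return { password: response.body.includes("'sample'"),
           content: response.body.includes(PROTECTED) };
}

console.log('client gate, no login:', exposure(clientGatedResponse()));
console.log('server gate, no login:', exposure(serverGatedResponse(undefined)));
```

The 401 response with `WWW-Authenticate` is what makes the browser show its user name and password pop-up, the same mechanism an Apache `.htaccess` Basic setup relies on.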