Link to home
Start Free TrialLog in
Avatar of 3rdLifeWebDev
3rdLifeWebDev

asked on

Password Protection

I need a simple script to allow password protection to enter a page:

Below is what I have started with:

In addition I need script to add checkbox:  "To remember password, check here"

I also need to be certain that the alert box will close if the password is incorrect.





var password;
var pass1 = "password"; // place password here
 
password=prompt("Please enter your password:","");
 
if (password==pass1) {
  window.location= "www.site.com/correct.htm"; // file to open if password is correct
} else {
  window.location= "www.site.com/incorrect.htm"; // file to load if password is incorrect
}
// End -->
</script>

Open in new window

Avatar of brad2575
brad2575
Flag of United States of America image

doing this in javascript is NOT SECRURE AT ALL.

I can just right click and view source and figure out your password.  You would want to use a scripting (server side) language such as ASP or PHP for password/login scripts.
Avatar of 3rdLifeWebDev
3rdLifeWebDev

ASKER

1)    This is not high security.

2)    When embedded in HTML page, the alert deactivates right click ability.

I was to keep this really simple.
You may not be able to right click but you can still go to View - Source.

I would create a login page, and have the ID/PW on that page, then on the page you want protected put this code above.

If the PW's equil then let them in, if not send them to the error page.

This should work and they will never be on the page with the PW in the code unless they logged in correctly.
One way you can do this is to obfuscate your javascript code.

This is a website doing this:
http://dean.edwards.name/packer/

Just copy paste your code into the textbox, and make sure you check the "Base62 encode" box.

I have attached the following html+obfuscated javascript code below generated from that site.

Please note that an experienced user can easily decode your obsfucated javascript. The most secured way doing a user validation is on the server side, which the user has restricted access to.
<html>
<head>
<script type="text/javascript">
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 0;1 2="0";0=9("a b c 0:","");d(0==2){3.4="5.6.7/e.8"}f{3.4="5.6.7/g.8"}',17,17,'password|var|pass1|window|location|www|site|com|htm|prompt|Please|enter|your|if|correct|else|incorrect'.split('|'),0,{}))
</script>
</head>
<body>
test
</body>
</html>

Open in new window

Can you direct me to the Javascript for the login page?

Also...the "Remember me" script?
the simplest solution (from a coding standpoint) would be to remove the authentication code from the web page and use the authentication provided by the web server to control access to the page. It makes your code simpler, and uses existing authentication mechanisms built in to the server instead of introducing yet another user space.

Other benefits? Easy to move to two-factor authentication. Web browsers  automatically retain password for the duration of the session, making subsequent authentication challenges invisible to the user...
Yes...and server has fromt page extensions and everytime I set password protection, there seems to be some error.

The ISP tells me that there are problems with the .htaccess file.

Tells me to remove server extensions and reinstall....yet when I do, the same denied access exists,.

I didn't realize it was hosted on an ISP. Other authentication methods may be unavailable anyway.

Here's a link to a bunch of javascript password scripts, with the above mentioned caveats about the near-total lack of security.

http://javascript.internet.com/passwords

Can you point me to script that will "remember me" on the password protected page? This page is low security, and I don't want the user to have to enter the password everytime his comes back to it.
ASKER CERTIFIED SOLUTION
Avatar of Hugh Fraser
Hugh Fraser
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Please review below.

Comments?
<script language="JavaScript">
 
    function getCookieVal (offset) {
    var endstr = document.cookie.indexOf (";", offset);
    if (endstr == -1)
    endstr = document.cookie.length;
    return unescape(document.cookie.substring(offset, endstr));
    }
 
    function GetCookie (name) {
    var arg = name + "=";
    var alen = arg.length;
    var clen = document.cookie.length;
    var i = 0;
    while (i < clen) {
    var j = i + alen;
    if (document.cookie.substring(i, j) == arg)
    return getCookieVal (j);
    i = document.cookie.indexOf(" ", i) + 1;
    if (i == 0) break; 
    }
    return null;
    }
 
    function SetCookie (name, value) {
    var argv = SetCookie.arguments;
    var argc = SetCookie.arguments.length;
    var expires = (argc > 2) ? argv[2] : null;
    var path = (argc > 3) ? argv[3] : null;
    var domain = (argc > 4) ? argv[4] : null;
    var secure = (argc > 5) ? argv[5] : false;
    document.cookie = name + "=" + escape (value) +
    ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
    ((path == null) ? "" : ("; path=" + path)) +
    ((domain == null) ? "" : ("; domain=" + domain)) +
    ((secure == true) ? "; secure" : "");
    }
 
    function DeleteCookie(name) {
    var exp = new Date();
    FixCookieDate (exp); 
    exp.setTime (exp.getTime() - 1); 
    var cval = GetCookie (name);
    if (cval != null)
    document.cookie = name + "=" + cval + "; expires=" + exp.toGMTString();
    }
 
    var d = GetCookie("de")
    var paswd = "password"
 
    if (d == paswd) {
    alert("Password confirmed!")
    location= "site.html"
    }
 
    if (d == null || d != paswd) {
    check_in()
    }
 
function check_in(){
var f = prompt("Enter password to proceed. [pass is 'password']","")
    var thenewdate = new Date ();
    thenewdate.setTime(thenewdate.getTime() + (365 * 24 * 3600 * 1000));
    SetCookie('de',f,thenewdate);
    var e = GetCookie('de');
    
    if (e == paswd) {
      alert("Password confirmed \n \n You will not have to enter in the password when you come back")
      location= "site.html"
      }
 
    else {
      alert("You have not entered the password correctly. \n \n Please try again.")
      location = "site/tryagain.html"
      // you could substitute the previous line with "history.back()"
      }
    }
 
</script>

Open in new window

Thanks for your help! I think that this will work well for me. I am only protecting one specific page for now, and this is really low security.