3rdLifeWebDev
asked on
Password Protection
I need a simple script to allow password protection to enter a page:
Below is what I have started with:
In addition I need script to add checkbox: "To remember password, check here"
I also need to be certain that the alert box will close if the password is incorrect.
Below is what I have started with:
In addition I need script to add checkbox: "To remember password, check here"
I also need to be certain that the alert box will close if the password is incorrect.
var password;
var pass1 = "password"; // place password here
password=prompt("Please enter your password:","");
if (password==pass1) {
window.location= "www.site.com/correct.htm"; // file to open if password is correct
} else {
window.location= "www.site.com/incorrect.htm"; // file to load if password is incorrect
}
// End -->
</script>
ASKER
1) This is not high security.
2) When embedded in HTML page, the alert deactivates right click ability.
I was to keep this really simple.
2) When embedded in HTML page, the alert deactivates right click ability.
I was to keep this really simple.
You may not be able to right click but you can still go to View - Source.
I would create a login page, and have the ID/PW on that page, then on the page you want protected put this code above.
If the PW's equil then let them in, if not send them to the error page.
This should work and they will never be on the page with the PW in the code unless they logged in correctly.
I would create a login page, and have the ID/PW on that page, then on the page you want protected put this code above.
If the PW's equil then let them in, if not send them to the error page.
This should work and they will never be on the page with the PW in the code unless they logged in correctly.
One way you can do this is to obfuscate your javascript code.
This is a website doing this:
http://dean.edwards.name/packer/
Just copy paste your code into the textbox, and make sure you check the "Base62 encode" box.
I have attached the following html+obfuscated javascript code below generated from that site.
Please note that an experienced user can easily decode your obsfucated javascript. The most secured way doing a user validation is on the server side, which the user has restricted access to.
This is a website doing this:
http://dean.edwards.name/packer/
Just copy paste your code into the textbox, and make sure you check the "Base62 encode" box.
I have attached the following html+obfuscated javascript code below generated from that site.
Please note that an experienced user can easily decode your obsfucated javascript. The most secured way doing a user validation is on the server side, which the user has restricted access to.
<html>
<head>
<script type="text/javascript">
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 0;1 2="0";0=9("a b c 0:","");d(0==2){3.4="5.6.7/e.8"}f{3.4="5.6.7/g.8"}',17,17,'password|var|pass1|window|location|www|site|com|htm|prompt|Please|enter|your|if|correct|else|incorrect'.split('|'),0,{}))
</script>
</head>
<body>
test
</body>
</html>
ASKER
Can you direct me to the Javascript for the login page?
Also...the "Remember me" script?
Also...the "Remember me" script?
the simplest solution (from a coding standpoint) would be to remove the authentication code from the web page and use the authentication provided by the web server to control access to the page. It makes your code simpler, and uses existing authentication mechanisms built in to the server instead of introducing yet another user space.
Other benefits? Easy to move to two-factor authentication. Web browsers automatically retain password for the duration of the session, making subsequent authentication challenges invisible to the user...
Other benefits? Easy to move to two-factor authentication. Web browsers automatically retain password for the duration of the session, making subsequent authentication challenges invisible to the user...
ASKER
Yes...and server has fromt page extensions and everytime I set password protection, there seems to be some error.
The ISP tells me that there are problems with the .htaccess file.
Tells me to remove server extensions and reinstall....yet when I do, the same denied access exists,.
The ISP tells me that there are problems with the .htaccess file.
Tells me to remove server extensions and reinstall....yet when I do, the same denied access exists,.
I didn't realize it was hosted on an ISP. Other authentication methods may be unavailable anyway.
Here's a link to a bunch of javascript password scripts, with the above mentioned caveats about the near-total lack of security.
http://javascript.internet.com/passwords
Here's a link to a bunch of javascript password scripts, with the above mentioned caveats about the near-total lack of security.
http://javascript.internet.com/passwords
ASKER
Can you point me to script that will "remember me" on the password protected page? This page is low security, and I don't want the user to have to enter the password everytime his comes back to it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Please review below.
Comments?
Comments?
<script language="JavaScript">
function getCookieVal (offset) {
var endstr = document.cookie.indexOf (";", offset);
if (endstr == -1)
endstr = document.cookie.length;
return unescape(document.cookie.substring(offset, endstr));
}
function GetCookie (name) {
var arg = name + "=";
var alen = arg.length;
var clen = document.cookie.length;
var i = 0;
while (i < clen) {
var j = i + alen;
if (document.cookie.substring(i, j) == arg)
return getCookieVal (j);
i = document.cookie.indexOf(" ", i) + 1;
if (i == 0) break;
}
return null;
}
function SetCookie (name, value) {
var argv = SetCookie.arguments;
var argc = SetCookie.arguments.length;
var expires = (argc > 2) ? argv[2] : null;
var path = (argc > 3) ? argv[3] : null;
var domain = (argc > 4) ? argv[4] : null;
var secure = (argc > 5) ? argv[5] : false;
document.cookie = name + "=" + escape (value) +
((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
((path == null) ? "" : ("; path=" + path)) +
((domain == null) ? "" : ("; domain=" + domain)) +
((secure == true) ? "; secure" : "");
}
function DeleteCookie(name) {
var exp = new Date();
FixCookieDate (exp);
exp.setTime (exp.getTime() - 1);
var cval = GetCookie (name);
if (cval != null)
document.cookie = name + "=" + cval + "; expires=" + exp.toGMTString();
}
var d = GetCookie("de")
var paswd = "password"
if (d == paswd) {
alert("Password confirmed!")
location= "site.html"
}
if (d == null || d != paswd) {
check_in()
}
function check_in(){
var f = prompt("Enter password to proceed. [pass is 'password']","")
var thenewdate = new Date ();
thenewdate.setTime(thenewdate.getTime() + (365 * 24 * 3600 * 1000));
SetCookie('de',f,thenewdate);
var e = GetCookie('de');
if (e == paswd) {
alert("Password confirmed \n \n You will not have to enter in the password when you come back")
location= "site.html"
}
else {
alert("You have not entered the password correctly. \n \n Please try again.")
location = "site/tryagain.html"
// you could substitute the previous line with "history.back()"
}
}
</script>
ASKER
Thanks for your help! I think that this will work well for me. I am only protecting one specific page for now, and this is really low security.
I can just right click and view source and figure out your password. You would want to use a scripting (server side) language such as ASP or PHP for password/login scripts.