fovl
HTML Password
I'm looking for a way to require a password to enter a web site. The same password can be used by everybody. It does not have to be very secure, just enough to keep out the curious. I would prefer something in HTML that doesn't require any server intervention, and something that works with both Netscape and IE.
Microsoft's FrontPage does this in a very simple way.
You can give permissions for the Root web or for its children webs. Every user with his own password ...
Decent security can be achieved through encrypted URLs. F.ex.,
use encrypted password as directory name - as long as directory
listing is prohibited (appropriate index.html or whatever your
server requires), it works like basic HTTP authentication, only
instead of 401's "curious" ones will get 404's.
Encryption can be done in JavaScript - I've TEA cipher written
in JavaScript and complete code of access control page - works
with both Netscape and IE - available just for asking :)
I agree with garik and jshamlin; there are 2 solutions: dynamic documents (JavaScript, VBScript, etc.) or a server-side mechanism.
Some people still forget the point: HTML is a "presentation" language not a programming language.
I would only suggest the use of CGI script,
It's secure (in a sense), and fast and the easiest.
It is possible with Javascript.
I can currently think of one way to do it.
If you write it into Javascript, meaning in your HTML page,
common users may be able to view document source and find out the password, from the script.
So finally to say, CGI is the most advisable.
If you are wise and turn over to the server: with Apache the use of authentication is really very simple by using a .htaccess file with associated passwd (and group) file.
If the JavaScript were to, let's say, close the browser if the wrong password is entered, wouldn't that stop viewing of the source? The opportunity would not be present onload because the password screen would come up right away. If the wrong one's entered, it's gone, leaving no viewing time!
Yes, I agree with joesixpack, an .htaccess file is the best way to go. If you have the server working for you, then it decides whether or not to serve the page. Assuming you are using APACHE, it is a top notch web server that you will do well by. The .htaccess file is trivial to make, if you have questions, you can refer them to your site administrator.
deeto: that won't work. What if someone disables JavaScript, downloads the page and selects 'view source'? :-)
You're right. My bad!
Good summary, ed :)
ASKER
At last it looks like somebody read my original post. Thanks for the straightforward answer.
Hey, check this web site:
http://www.geocities.com/~osawashdc/member.htm
This was created (by me) with a JavaScript and as you can see nobody is able to see (jack) my password.
If you would like to know how to do that I would be more than happy to help you.
monge@bigfoot.com
Use part of URL as a password, f.ex. password "secret" could give your users access to http://www.your.com/secret.html or to the whole directory http://www.your.com/secret/files.html
Proper URL can be formed using JavaScript and will work in both NS and IE.
As long as directory listing is either prohibited or is covered by the proper index.html or whatever your Web server requires, this solution is as secure as the basic authentication mentioned in Christian's answer.
Let me know if you need more details.
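An added example (not part of the original post or any poster's code) contrasting the in-page password comparison criticised earlier in the thread with the URL-as-password approach described in this answer. The password `secret` and host `www.your.com` come from the post; the function names and the `members.html` target are made up for illustration.

```javascript
// Added example: function names and members.html are hypothetical.

// Pattern the thread warns about: the password is a literal in the page,
// so anyone who views the source can read it.
function checkInPage(entered) {
  return entered === "secret" ? "members.html" : null;
}

// Pattern from the post above: the page only turns what was typed into a
// URL. A wrong guess is answered by the server with a 404.
function urlFromPassword(base, entered) {
  // Accept a single plain path segment so the input cannot steer elsewhere.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(entered)) return null;
  return new URL(entered + "/files.html", base).href;
}

// Stand-in for "view source": search the function text the browser receives.
function sourceLeaks(fn, password) {
  return fn.toString().includes(password);
}

// Where the full URL, and with it the password, is still recorded or visible.
function exposurePoints(url) {
  const u = new URL(url);
  return {
    serverAccessLog: u.pathname,               // written on every request
    browserHistory: u.href,                    // kept on the client
    sentInClearOnWire: u.protocol === "http:", // path is readable without TLS
  };
}

// In a page this would be wired up as (browser only):
//   const target = urlFromPassword(location.origin + "/", prompt("Password"));
//   if (target) location.href = target;
```

`exposurePoints` is the caveat to keep in mind: the path lands in access logs and browser history and travels unencrypted over plain HTTP, and the one shared password can only be revoked by renaming the directory.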
hi garik, that's just the alternative I hinted at with "...but you can use JavaScript..." :-)
but you are right, the "security factor" of this is quite as high.
However, it is very easy to exclude a (former) user from the secret .htaccess protected directory: remove his name/password from the list! If you want to exclude someone from a JS-protected directory/file, you have to give out new passwords to everyone else...
Or don't CGI-scripts count as 'server intervention'?