dl090597

asked on

Password Dialog

I would like to display a password dialog, similar to the one displayed when you log onto Experts Exchange. Can this be done in JavaScript?
ASKER CERTIFIED SOLUTION
Christian_Wenz

tecbuilder

The reason that a JavaScript password dialog is not hack proof is that the password has to be hard coded into your HTML file or a JavaScript file. Hence, if someone wanted to see if the password dialog was generated from JavaScript code, all they would have to do is look at the page's source code. Inside it they can find the code that generated the password dialog box. Wherever the code is that generated the password dialog box, so too is the password.

The trick is hoping that they don't check your page's source code.  You can do some things that would make it rather painful to check your code, like putting all the code that generated your page on 1 line, putting in bogus scripts that don't do anything except make your code more difficult to read, etc.  However the person can save your page to their hard drive and load it in an editor where they can add paragraph marks to make it more readable.  Hence finding your password.
There have been half a dozen discussions about this and what you can do to "hide" the password!!!! Maybe it's best to invest some points into the PAQs....

One simple yet effective technique is to "garble" the word that is entered in some way (something very simple) and then set document.location=garbledword+'.html';
As long as you have an "index" or "default" file that keeps people from looking at your directory, that makes it extremely hard to find the next page without knowing a valid password and you can't find the password in the code either.
Even more effective is passing the password to a CGI script that checks it and (maybe) generates a page. Of course most people don't have access to CGI, but I think that even fewer people can use .htaccess.

.htaccess is definitely the most effective way, but if you can't use it, there are several ways to make it work ok in JavaScript...
ozo
Another way to increase the hack resistance of Christian_Wenz's script
(unless it already does this, I haven't seen it yet)
may be not to hard code the password into the script, and instead
send a different hash of it on every invocation. This would require
a CGI on the other side to generate a different JavaScript each time,
and you still need a good hash and a secure way of seeding it.
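
ozo's suggestion above, sketched as an added example that is not part of the original thread or Christian_Wenz's script: the server hands out a fresh random nonce on every invocation and the page returns an HMAC-SHA256 of it keyed with the typed password, so no password appears in the page source. The class and function names and the sample password are assumptions made for illustration; HMAC-SHA256 stands in for the "good hash", and the server side still holds the password.

```javascript
// Added example: challenge-response login check (runs under Node.js).
const crypto = require('node:crypto');

// Server side (the "CGI"). The secret stays here and is never sent to the page.
class LoginServer {
  constructor(password) {
    this.password = password;   // constructed sample secret
    this.pending = new Set();   // nonces issued but not yet used
  }

  // Called once per page load: a fresh random seed for this invocation.
  issueChallenge() {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.add(nonce);
    return nonce;
  }

  // Verify the browser's answer; each nonce is accepted at most once.
  verify(nonce, response) {
    if (!this.pending.delete(nonce)) return false;   // unknown or replayed nonce
    const expected = Buffer.from(respond(this.password, nonce), 'hex');
    const given = Buffer.from(String(response), 'hex');
    return expected.length === given.length &&
      crypto.timingSafeEqual(expected, given);
  }
}

// Browser side: what the generated script computes from the typed password.
function respond(typedPassword, nonce) {
  return crypto.createHmac('sha256', typedPassword).update(nonce).digest('hex');
}

// Constructed walk-through: one good login, a replay of it, one wrong password.
function demo() {
  const server = new LoginServer('correct horse');
  const n1 = server.issueChallenge();
  const r1 = respond('correct horse', n1);
  const first = server.verify(n1, r1);
  const replay = server.verify(n1, r1);   // same nonce and answer sent again
  const n2 = server.issueChallenge();
  const wrong = server.verify(n2, respond('guess', n2));
  return { first, replay, wrong, distinct: n1 !== n2 };
}

console.log(demo());
```

A captured response is useless for a later login because its nonce has already been consumed, which is the property the per-invocation hash is meant to give.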

I was assuming that dl has no CGI access; but Holger's right, there are really some questions of the same type.
BTW, hi ozo, nice to read you again! :-)