
Help setting up users/password protected pages

Hello, I am trying to set up user authentication and password protected pages on my site but I'm not sure if it’s working… the user login part works and it takes each one to the correct page, but why are these pages accessible if I enter them directly in my browser? Is there a way to prompt someone for a password before they can view the page if they try to go straight to the page instead of logging in???


17 Comments

@Declan1991 Apr 05.2008 — Javascript cannot be used as a password protect, because it is client side, and anyone with the slightest bit of programming knowledge could see the passwords. It has to be client-side.

@Jeff_Mott Apr 05.2008 — [QUOTE]Javascript cannot be used as a password protect, because it is client side, and anyone with the slightest bit of programming knowledge could see the passwords. It has to be client-side.[/QUOTE]

Never say never. ?

http://www.webdeveloper.com/forum/showthread.php?p=734575#post734575

@Fang Apr 05.2008 — [QUOTE]... but why are these pages accessible if i enter them directly in my browser? ...[/QUOTE]
This will always be the case unless you use a server side solution.

@Jeff_Mott Apr 05.2008 — [QUOTE]This will always be the case unless you use a server side solution.[/QUOTE]

Nuh-uh. :p

http://www.webdeveloper.com/forum/showthread.php?p=734575#post734575

More than a year later, the JS password protection on the other side of that link still hasn't been broken.

@Angry_Black_Man Apr 05.2008 — funny how you revel in the fact that you (or someone) ported sha1 encryption to javascript, but you havent answered the question at hand. where is the version of that script you posted (of which is useless to bring it up if you cant apply it to the overall context of this thread instead of disassembling subcontexts to try and point this at) which the user can use to password protect a webpage? and once that webpage is gotten to, cypher or not, it isnt secure. [I]the means of accessing it through your script is, but thats as far as it goes[/I]. anyone can still bring up that page with the URL if the cypher was broken (or properly utilized). if youre passing the page back as innerHTML, thats nothing more than a mask. the webpage is still unsecure UNLESS you have a server side resource sitting there checking sessions. all youve done is built a mansion on top of lava. it looks nice, but the underlying problem remains.

and if you have to build the webpage into the cypher, thats more trouble than its worth.

@Jeff_Mott Apr 05.2008 — [QUOTE]funny how you revel in the fact that you (or someone) ported sha1 encryption to javascript, but you havent answered the question at hand. where is the version of that script you posted[/QUOTE]
Ahh, yes. That was posted elsewhere.

http://www.webdeveloper.com/forum/showthread.php?p=252360#post252360

There you go.


[QUOTE]and once that webpage is gotten to, cypher or not, it isnt secure.[/QUOTE]
What do you mean by "gotten to"? It doesn't redirect you anywhere. You'll need to clarify what you mean. Or better yet, give a demonstration of how the page isn't secure. Plenty of others before you have talked about it not being secure, and yet none have cracked it.


[QUOTE]the means of accessing [the page] through your script is [secure], but thats as far as it goes[/QUOTE]
Through my script is the [i]only[/i] way of accessing the page. Can you show a different way?


[QUOTE]anyone can still bring up that page with the URL if the cypher was broken[/QUOTE]
Well obviously. But, of course, the cipher [i]isn't[/i] broken. Will you be the one to break it? Give it a try.


[QUOTE]if youre passing the page back as innerHTML, thats nothing more than a mask.[/QUOTE]
A mask? Dude, you're not making any sense. Like I suggested before, just post a demo to show that you can crack it (or not).


[QUOTE]the webpage is still unsecure UNLESS you have a server side resource sitting there checking sessions. all youve done is built a mansion on top of lava. it looks nice, but the underlying problem remains.[/QUOTE]
Sorry, but you're wrong. And until you come back with a successful break, you're just all talk.


[QUOTE]and if you have to build the webpage into the cypher, thats more trouble than its worth.[/QUOTE]
This is the only thing you said that might be right. But it's really up to each person to decide.

@Declan1991 Apr 05.2008 — Anyway, since you will want to support users who disable JavaScript, I would strongly advise that you use server-side programming for password protection. Not only does it put much less load on the client, it is also much more accessible.
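
Added example, not part of any post in this thread: a sketch in Node.js of the server-side check the replies above recommend, where a direct request for a member page without a valid session gets a redirect instead of the page. The account, password, `/members/` paths, `sid` cookie name and the `route` helper are all constructed for illustration.

```javascript
// Added example: every request for a protected path is checked on the server.
const crypto = require('node:crypto');

// Constructed demo account. Only a salted scrypt hash of the password is kept.
const salt = crypto.randomBytes(16);
const USERS = new Map([['alice', {
  salt,
  hash: crypto.scryptSync('correct horse', salt, 32),
  page: '/members/alice.html',
}]]);
const SESSIONS = new Map(); // session id -> username, stored server-side only

function login(username, password) {
  const user = USERS.get(username);
  if (!user || typeof password !== 'string') return null;
  const candidate = crypto.scryptSync(password, user.salt, 32);
  if (!crypto.timingSafeEqual(candidate, user.hash)) return null;
  const sid = crypto.randomBytes(32).toString('hex'); // unguessable token
  SESSIONS.set(sid, username);
  return sid;
}

function sessionUser(cookieHeader) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader || '');
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Hypothetical router: returns what the server would send for one request.
function route(method, path, cookieHeader, form) {
  if (method === 'POST' && path === '/login') {
    const sid = login(form && form.username, form && form.password);
    if (!sid) return { status: 401, headers: {}, body: 'Bad credentials' };
    return {
      status: 303,
      headers: {
        'Set-Cookie': `sid=${sid}; HttpOnly; Secure; SameSite=Lax; Path=/`,
        Location: USERS.get(form.username).page,
      },
      body: '',
    };
  }
  if (path.startsWith('/members/')) {
    const user = sessionUser(cookieHeader);
    // No valid session: the page body is never sent, only a redirect.
    if (!user) return { status: 303, headers: { Location: '/login' }, body: '' };
    // Logged in, but this page belongs to someone else.
    if (USERS.get(user).page !== path) return { status: 403, headers: {}, body: 'Forbidden' };
    return { status: 200, headers: {}, body: `Private page for ${user}` };
  }
  return { status: 200, headers: {}, body: 'Public page' };
}
```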

@Angry_Black_Man Apr 05.2008 — @mott:

i said nothing about your (implementation of sha1) script being insecure, or my ability to break it. i know from up there on your high horse you would challenge someone to break your (implementation of sha1) script. i never offered that. what i said, and will say more succinctly here is that[I] if [/I]you were using the script to grab information from another webpage (with no server side code to protect it from being grabbed by the wrong source), the script would then ultimately be fallible.

however, you've made it clear that the page is built into the encryption scheme. i had to get around your epenis to make you provide the information that would actually be helpful to this poster to do it, but i guess thats what you have to do when a guy isnt trying to help, but rather trying to get people to look when he pulls down his pants. also, to my credit, not knowing this, and being able to correctly guess at it (with the other guess a complete miss) deserves a great deal of credit, considering my train of thought was implementation/utilization and not decryption.

this can certainly be useful to newbie users who are looking for a quick and dirty method of encrypting their HTML without moving to the server side. thank god someone developed sha1 and provided the concept behind it so that ports could be made, huh?
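
Added example, not from the thread and not the script linked above: one way a page can be "built into" an encryption scheme, using PBKDF2 and AES-256-GCM from Node's `crypto` module rather than a SHA-1 port. The function names, iteration count and blob layout are assumptions; since anyone can download the blob and try passwords offline, the protection is only as strong as the password and the key-derivation cost.

```javascript
// Added example: page content encrypted under a password-derived key.
const crypto = require('node:crypto');

const KDF_ITERATIONS = 200000; // assumption: cost picked for this demo

function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Run once by the page author. The returned blob is what gets published;
// fetching the URL directly yields only this ciphertext.
function protectPage(html, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(html, 'utf8'), cipher.final()]);
  // Assumed layout: salt(16) | iv(12) | auth tag(16) | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Run by the visitor. Returns the HTML, or null when the password is wrong
// or the blob was modified (the GCM tag check fails in both cases).
function openPage(blobB64, password) {
  const blob = Buffer.from(blobB64, 'base64');
  if (blob.length < 44) return null;
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}
```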

@Angry_Black_Man Apr 05.2008 — also, lets show just how efficient your script is. view the source of this webpage. copy everything. throw it into your encryption box and provide a password. press encrypt.

then... wait for the average joe's computer to lock up, and for IE to pop up the box it just popped for me saying "stop the script? its making IE slow!". heaven help you if youre just trying to change the spelling of a word. and that page better be static after you DO get it right!! and boy, every time you want to see that webpage, you better have a lot of time on your hands.

[quote]if you have to build the webpage into the cypher, thats more trouble than its worth.[/quote]

[quote]This is the only thing you said that [is definitely] right. But it's really up to each person to decide.[/quote]

the browser locking up will dissuade most people, developers and surfers alike, i assure you. unless you scale back the implementation. then thats where your server side solutions win.

@Jeff_Mott Apr 05.2008 — [QUOTE]what i said, and will say more succinctly here is that[I] if [/I]you were using the script to grab information from another webpage ... the script would then ultimately be fallible.[/QUOTE]
Well, since the script doesn't do that, it kinda doesn't matter, does it?


[QUOTE]but i guess thats what you have to do when a guy isnt trying to help, but rather trying to get people to look when he pulls down his pants[/QUOTE]
Not trying to help? I gave the OP exactly what he was looking for when everyone else said it was impossible. Then you came back with some jabber about it not being secure, which is wrong.


[QUOTE]...thank god someone developed sha1 and provided the concept behind it so that ports could be made, huh?[/QUOTE]
I can't tell if there's some point you're having trouble getting to or if you're just jabbering again. Is there any point?


[quote]also, lets show just how efficient your script is. view the source of this webpage. copy everything. throw it into your encryption...[/quote]
Well dang, I guess you proved me wrong where I said it was super fast. Oh, wait... [u][i][b]I never said that![/b][/i][/u] :rolleyes:

Seriously, dude, you seem to have developed a grudge in just a few seconds. This page—filled with our discussions, nested tables, and a long strip of advertisements—is a hefty page. I doubt the OP's page is anywhere near as big as this one. The script will quite possibly work just fine for him.

The OP wanted a secure JS password protection, and now he has one. Maybe he'll use it, maybe he won't. But like I said, it's up to each person to decide. Not you.

@Angry_Black_Man Apr 06.2008 — [quote]Well, since the script doesn't do that, it kinda doesn't matter, does it?[/quote]

i wouldnt have gone there if the proper documentation was provided. the first thing you posted wasnt aimed at the OP. it was aimed at "proving declan wrong".

[quote]Then you came back with some jabber about it not being secure, which is wrong[/quote]

again, because you didnt provide anything but epenis script, i was wrong due to your lack of given information. i had to speculate based on what little info i had, and i got it right on the second guess. my first guess was only wrong because it didnt use that method of information injection. if it did, i would have been right. if you had made your script's design (not decryption) clear from your first post, i wouldnt have said the wrong thing.

[quote]Well dang, I guess you proved me wrong where I said it was super fast. Oh, wait... [u][i][b]I never said that![/b][/i][/u][/quote]

you're terrible at context. every one of your posts in this thread clearly shows this. my point here isnt that your script isnt fast, but that it wouldnt be worth the effort. remember when i said that? of course you do. you quoted it. if you understood context, instead of misquoting little tidbits of information, we'd all be on the same page and one of us wouldnt be calling his inability to stay in context someone elses "jabbering".

[quote]Seriously, dude, you seem to have developed a grudge in just a few seconds. This page—filled with our discussions, nested tables, and a long strip of advertisements—is a hefty page. I doubt the OP's page is anywhere near as big as this one.[/quote]

im merely illustrating the limitations of this shiny juggernaut and making a case for everyone who would recommend using a server side solution. they may have worded their recommendation wrong, but the result of that recommendation is sound.

[quote]The OP wanted a secure JS password protection, and now he has one.[/quote]

funny how your first post didnt contain that information.

back to the grudge thing, your information, in this thread, came off as a condescending challenge, rather than a humble (or otherwise) attempt to help. i am not the only person to see this. im just the only person who called it out. you set the tone, and by your inability to understand context, its easy to see why you got my "grudge vibe" twisted. i just threw up a mirror.

@sleven Apr 06.2008 — [QUOTE]Javascript cannot be used as a password protect, because it is client side, and anyone with the slightest bit of programming knowledge could see the passwords. It has to be client-side.[/QUOTE]
sure, client represent server services. no server no client.

but, like java language, has a client virtual machine running on the client. that's a protected solution method, i think. :p

@Angry_Black_Man Apr 06.2008 — and to touch again on the impracticality of this script (can you say "white elephant?"), what is an average web page?

the source of page (at the time of this post) is under 200Kb. is that average? is that what average joe blow newbie user will make his page? or is he looking to use his white elephant as a cracker jack ring to pass 5k messages to his buddies? and if hes only doing that, why the juggernaut to do it?

i went and grabbed the source of this link. the source is only about 12k:

http://www.optimizationweek.com/reviews/average-web-page/

and even when i removed the CSS from it, encrypting it took a nice chunk of time (enough to have to be asked to let the script continue twice), and then decrypting it took like 3 times that amount of time. this is a pretty small page.

the bottom line is you are right. javascript (or more accurately, a javascript sha1 port) can encrypt a webpage.

[quote]and if you have to build the webpage into the cypher, thats more trouble than its worth.[/quote]

but its every bit a white elephant to do it. my blindfolded guess was 100% right.

@Jeff_Mott Apr 06.2008 — [quote]because you didnt provide anything but epenis script, i was wrong due to your lack of given information. i had to speculate based on what little info i had[/quote]
You're right that you didn't have the second link. I hadn't realized the first attached I linked to didn't have the tools to make a new protected page. I had to search through old posts even to find the one I did. But still, if you didn't have the information to know how it works, then you could have [i]asked[/i] for it rather than ranting out of ignorance. It was your blatantly incorrect conclusion—that the script wasn't secure—that prompted me to challenge you to break it. I figured if you were so confident to proclaim it not secure, then you ought to be able to back up your words.

[quote]my point here isnt that your script isnt fast, but that it wouldnt be worth the effort.[/quote]
I got that point. And I responded to that point. Twice. Again, it's up to each person to decide if it's worth the effort.

@Angry_Black_Man Apr 06.2008 — [quote]You're right that you didn't have the second link. I hadn't realized the first attached I linked to didn't have the tools to make a new protected page.[/quote]

thats interesting. if you were so deliberate in ensuring the information you posted to the thread was on the OP's topic (rather than challenging declan as the ulterior motive shows), we wouldnt be here. i have seen your other threads. you are (and were) trying to bait people into breaking SHA1's encryption. you think you make a subtle reference to the notion, but i read it loud and clear. and again, your other threads show how quickly you jump at the opportunity to challenge people. furthermore, the fact that you posted the challenge, rather than the solution seems to agree with me. if you were trying to solve the OPs problem, your deliberate act of posting the solution would have been done in one post considering how smart (you want people to think) you are.

youre telling me that you can port SHA1 to javascript, but you cant post the solution to a persons problem on the first try based on your own threads which you knew existed (of which you knew where they were and if not how to find them)? what youre really telling me is that you [I]werent[/I] in fact trying to solve the problem, but rather challenge peoples notion of the topic. i believe you did everything you meant to do on the first try. heck, you did it twice.


[quote]But still, if you didn't have the information to know how it works, then you could have [i]asked[/i] for it rather than ranting out of ignorance.[/quote]

if you hadnt "failed" to properly solve the problem by posting the solution (read: you werent trying to solve the problem, but rather your intent was to challenge and bait), i wouldnt have needed to guess at the usage of the script in question. i played along because i knew i could hang.

and my first guess was not saying your script (read: SHA1 [I]port[/I]) was insecure. i reiterate; i said the method (that i was guessing at) would theoretically be insecure as a whole. "whole" meaning the "entire implications of the marriage of this script to my guessed implementation"

you keep ignoring that i made two guesses; the first was way off (but not wrong if the theory was correct, thus why it was a guess) because you were content to provide incomplete information (because your motive was not to solve, but to challenge). i worked with what YOU deliberately offered to those whom you were baiting.

and you know what? i got it right on my second guess. thats pretty damn good given the (lack of) information i had to work with.

@Jeff_Mott Apr 06.2008 — [quote]i have seen your other threads. you are (and were) trying to bait people into breaking SHA1's encryption.[/quote]
Bait people? Dude, this isn't complicated: When someone makes a baseless claim (like you did), I ask that they back up the claim. I don't think that's unreasonable.

[quote]youre telling me that you can port SHA1 to javascript, but you cant post the solution to a persons problem on the first try based on your own threads which you knew existed (of which you knew where they were and if not how to find them)?[/quote]
The more helpful attachment is 3 1/2 years old. So yeah, I didn't know about it. It really is that simple. No conspiracy.

[quote]your deliberate act of posting the solution would have been done in one post considering how smart (you want people to think) you are.[/quote]
Right... because it's not at all possible that it was just a mistake. :rolleyes:

If you want to believe it was deliberate... fine. I'm done with you.

@Angry_Black_Man Apr 06.2008 — done with me? poor boy, all the (self inflicted) pwnage has you delusional. enjoy your [COLOR="LemonChiffon"]elephant[/COLOR].