View Full Version : Is there a script



cindirob
05-25-2005, 11:35 PM
I have searched and searched and tried so many things, can someone please tell me if there is a script that can open hide the address bar.

What I am doing is a members only area of my site, I need it password protected and viewable only to those members. I don't want anyone to be able to copy and paste the url to that area to a friend.

I would like it to open in a new window but if not that's ok too as long as you can't copy the url

thanks
Cindi

jscheuer1
05-26-2005, 03:39 AM
There is, but unless you would be happy with a half step measure, don't bother. You would be better off inquiring of your host about a server side solution for creating a password protected area. Each host should be able to provide such an area, albeit using whatever particular methods are in place on the host's servers. Others in these forums may step up with advice on what to do if your host uses this or that more or less common standard, and if you are lucky one will work. My knowledge in this area extends about as far as that contained in this message. The problem with using a script is: what do you do if someone turns off scripting or, once your address bar-less window is launched, hits ctrl-n, which will launch your page in a new window with the address bar and all the default 'chrome', as it is called, in place? A truly password protected area will not launch successfully in a user's browser simply by pasting in an address. If such is attempted, the user will be prompted for the password unless they are already logged in.

mwinter
05-26-2005, 01:18 PM
> I have searched and searched and tried so many things, can someone please tell me if there is a script that can open hide the address bar.

As John said, this isn't what you want.

> What I am doing is a members only area of my site, I need it password protected and viewable only to those members. I don't want anyone to be able to copy and paste the url to that area to a friend.

"Security through obscurity." You'll find that phrase all over the Web, but in virtually every case it's followed by "does not work", or something to that effect.

If you want to protect something, then simply using a gateway to that resource is not going to achieve your aims. As you have discovered, it only takes a direct link past that gateway, and anyone's in: quite a back door. What you need to do is protect the resources themselves, and there are a couple of ways to do this.

The first, and potentially the simplest, is to use a HTTP Authentication scheme. All it requires is a directive to the server which states users need to authenticate themselves before they access any resource within a particular directory, and a list of users, groups, and passwords that are allowed access. Unfortunately, it does have some drawbacks, particularly with performance and some aspects of security. However, it's still better than what you seem to have at the moment.

The second, and most frequently used, is to extend the login checks across every protected resource. Users that are logged in are stored in a database that is examined with every request. If the user matches one of the database entries, the resource is returned. If not, then they are prompted to log in. At log out, or after a certain period of inactivity, the database entries are removed.

How you implement either scheme depends on your server software and server-side languages. It may also affect how you organise your site. But, you aren't going to achieve security any other way.

Mike
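
The second scheme from the post above (a login check on every protected resource, with entries removed at log out or after inactivity), as an added example that is not part of the original thread. The names `USERS`, `SESSIONS`, `handle_request`, the `/members/` prefix and the 15-minute timeout are assumptions made for illustration, and a dict stands in for the database.

```python
import hashlib, hmac, secrets, time

IDLE_TIMEOUT = 15 * 60          # assumed inactivity limit, in seconds
SALT = secrets.token_bytes(16)  # simplification: a real site stores one salt per user

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"cindi": _hash("constructed-sample-password")}  # constructed member list
SESSIONS = {}  # session id -> (username, last_seen); stands in for the database

def login(username, password, now=None):
    """Return a fresh random session id on success, None on bad credentials."""
    now = time.time() if now is None else now
    stored = USERS.get(username)
    candidate = _hash(password)  # hash even for unknown users
    if stored is None or not hmac.compare_digest(candidate, stored):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable, unlike a URL someone can paste
    SESSIONS[sid] = (username, now)
    return sid

def logout(sid):
    SESSIONS.pop(sid, None)

def handle_request(path, sid=None, now=None):
    """Run the login check on every request for a protected resource."""
    now = time.time() if now is None else now
    if not path.startswith("/members/"):
        return 200, "public page"
    entry = SESSIONS.get(sid)
    if entry is None or now - entry[1] > IDLE_TIMEOUT:
        SESSIONS.pop(sid, None)      # drop the expired entry, if any
        return 302, "/login"         # a pasted URL alone only reaches the login page
    SESSIONS[sid] = (entry[0], now)  # activity resets the inactivity timer
    return 200, f"members page for {entry[0]}"

if __name__ == "__main__":
    print(handle_request("/members/news"))       # no session: redirected
    sid = login("cindi", "constructed-sample-password")
    print(handle_request("/members/news", sid))  # valid session: served
    logout(sid)
    print(handle_request("/members/news", sid))  # after log out: redirected
```

In a deployed site the session id would travel in a cookie marked `Secure` and `HttpOnly` rather than as a function argument.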