How do you do this?



IanMarlowe
07-05-2005, 07:52 AM
Hi,

My question is:

DD has a couple of password scripts. The problem with them is that the name of the page is the password. If someone is watching you while you browse, all they have to do is look at the <url>, and they will know your password. Is there a way to input password/username, but be directed to a page like your_page.htm?

From your_page.htm, you could view how many people have entered your site, and see their addresses. You could view how many people might have ordered a product, or downloaded a program/file...

Have any ideas on how to change the page it sends you to?

Twey
07-05-2005, 08:22 AM
This is the problem with client-side password scripts.
The only secure way to do it is to have the password as the file name. However, if you're just worried about having people see your password, try converting the page name to hexadecimal first. This will stop people peeking over your shoulder (unless they have photographic memory :p)

ddadmin
07-05-2005, 08:43 AM
Hence you should try using .htaccess for password protection, such as by using this tool: http://tools.dynamicdrive.com/password/ :)

IanMarlowe
07-05-2005, 09:57 AM
Oh, so that isn't just gibberish, it's hex? But will the computer know if I tell it to go to my password.html (in hex)?

Twey
07-05-2005, 10:45 AM
Yes, it sees the hex characters as being exactly the same thing as the normal characters in a URI.
%73%65%63%72%65%74%70%61%67%65%2e%68%74%6d is exactly the same as secretpage.htm
Try it in Google:
http://www.google.com/search?q=%73%65%63%72%65%74%70%61%67%65%2e%68%74%6d

An ASCII chart: http://i-technica.com/whitestuff/urlencodechart.html
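
The equivalence described in this post, as an added example that is not part of the original thread: a JavaScript sketch that writes a page name in the all-hex form and decodes it again, showing that both spellings name the same file. The host example.test and the function names are assumptions made for the illustration; the page name is the one used in the post.

```javascript
const utf8 = new TextEncoder();

// Write every byte as %XX, the "hex" form suggested in the thread.
// (encodeURIComponent would leave letters and digits untouched.)
function percentEncodeAll(text) {
  return Array.from(utf8.encode(text),
    (b) => '%' + b.toString(16).padStart(2, '0')).join('');
}

// Strict decoder: null for a truncated or non-hex escape, or invalid UTF-8.
function percentDecode(text) {
  const bytes = [];
  for (let i = 0; i < text.length;) {
    if (text[i] === '%') {
      const hex = text.slice(i + 1, i + 3);
      if (!/^[0-9a-fA-F]{2}$/.test(hex)) return null;
      bytes.push(parseInt(hex, 16));
      i += 3;
    } else {
      const ch = String.fromCodePoint(text.codePointAt(i));
      bytes.push(...utf8.encode(ch));
      i += ch.length;
    }
  }
  try {
    return new TextDecoder('utf-8', { fatal: true }).decode(Uint8Array.from(bytes));
  } catch {
    return null;
  }
}

// File name a URL asks the server for, after decoding the last path segment.
function requestedFile(url) {
  const path = new URL(url).pathname;
  return percentDecode(path.slice(path.lastIndexOf('/') + 1));
}

// Two spellings ask for the same file when their decoded names match.
function sameFile(a, b) {
  const fa = requestedFile(a);
  return fa !== null && fa === requestedFile(b);
}

// Constructed sample: the host is a placeholder, the page name is the post's.
const plain = 'http://example.test/secretpage.htm';
const hexed = 'http://example.test/' + percentEncodeAll('secretpage.htm');
console.log(hexed, sameFile(plain, hexed), requestedFile(hexed));
```

Because the decoded name is identical, the hex form changes only what is shown in the address bar; the page name itself is still carried in every request.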

jscheuer1
07-05-2005, 11:08 AM
If I understand what you are doing here, it wouldn't be that hard to view the source and then run the string through a hex to ascii converter. If I've misunderstood, never mind.

Twey
07-05-2005, 11:23 AM
No, you've misunderstood.
He was worried that, if you had a script where the name of the page to go to was the password, someone could just look over the user's shoulder and see their address bar, and thus gain the password. I was suggesting that the author of the script convert the password to hex characters before redirecting the browser. Hex is a lot harder to remember.

IanMarlowe
07-05-2005, 12:14 PM
Thank you a lot! It works perfectly fine!!

jscheuer1
07-05-2005, 12:38 PM
Got it, good idea.

IanMarlowe
07-05-2005, 12:40 PM
This is the problem with client-side password scripts.

Is there any other kind of password script?

Twey
07-05-2005, 01:28 PM
Yes, ideally you should use a script written in a server-side language such as PHP, ASP or JSP. You could also (as suggested by ddadmin, above) edit your .htaccess file to protect the file(s).

Davebold370
07-26-2005, 01:20 AM
Hi there, I tried the .htaccess file and directed it to my .htpasswd file, but I am running into a problem. I used the main screen thing, and tied it into my site file and well, it protects the site, but the password and username I put in don't work. What is the problem? Does anyone know?

Twey
07-26-2005, 12:37 PM
The "main screen thing?"
Perhaps you should post your .htaccess and .htpasswd here. Remember to replace usernames and passwords with example ones.

Don_Nizz
08-09-2005, 01:01 PM
Hello...

Please help me. I have a big problem playing the music that I have put on my website. It is in WAV format. When I try to play it, it downloads very slowly, and when it plays, it plays and stops and plays and stops. I tried browsing other sites that offer music to be played on a media player or on their own website, and it has no problem.

Please help me.

IanMarlowe
08-12-2005, 09:31 AM
What does this have to do with passwords? Or .htaccess?

Twey
08-12-2005, 09:45 AM
Don't ask me.
Don_Nizz, you should post a new thread.

Davebold370
09-06-2005, 03:33 AM
Thanks. I talked to my server people, and their systems are messed up and all. So thanks anyways.