moose86
11-27-2011, 06:32 PM
Encrypted Password script

Script URL: http://www.dynamicdrive.com/dynamicindex9/password.htm

This script works well, but I was wondering if it is possible to protect the targeted page so it cannot be accessed via the address bar.

i.e., username: test - Password: test2 - Correct location: test2.htm

What I would like to happen
User puts the URL + test2.htm into address bar - User gets taken to access denied page or similar

What actually happens
User puts the URL + test2.htm into address bar - User gets access to that page with no login required

traq
11-27-2011, 07:35 PM
You will never have a "secure page" using JavaScript. You can make things more complicated, but JavaScript is entirely under the control of the user - it can be edited, or even just turned off. If you need to actually secure a page or directory on your site, you must use a server-side language (like PHP, or simply use .htpasswd (http://httpd.apache.org/docs/2.0/programs/htpasswd.html)).

moose86
11-27-2011, 07:38 PM
ok, thank you

djr33
11-27-2011, 08:52 PM
The only "security" that JavaScript allows is to make guessing a URL interactive. So you can have a "password" form that just allows users to type in a URL and they get redirected to whatever they type in. It's basically an interactive address bar. In this case, it's a little more complicated than that, but at the same time it would be possible to decrypt the password fairly easily, so it's also less secure against someone who knows what they're doing.
Anyway, none of these really do anything to stop someone from accessing a page directly since that's what they do: they just redirect you to the "password protected" page. The security is all just based on not sharing the URL for that page directly-- once they have it, it's completely visible.

In theory, you could use cookies to do this-- store a cookie on the password page, then only show the protected page if they have that cookie. But it's still not entirely secure and would allow them to reload the page as much as they want, given that they have logged in once.
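
The server-side check the replies call for, sketched in Node.js as an added example (not part of the thread and not the Dynamic Drive script): a request for test2.htm is refused unless it carries a session cookie that the server itself signed after a successful login. The function names, the 30-minute session and the in-memory user table are assumptions; the credentials are the sample ones from the first post.

```javascript
const crypto = require('crypto');

// Constructed demo data: the thread's sample login (test / test2).
const SALT = crypto.randomBytes(16);
const USERS = new Map([['test', crypto.scryptSync('test2', SALT, 32)]]);
const SESSION_KEY = crypto.randomBytes(32); // stays on the server
const PROTECTED = new Set(['/test2.htm']);
const SESSION_MS = 30 * 60 * 1000; // assumed 30-minute session

const sign = (v) =>
  crypto.createHmac('sha256', SESSION_KEY).update(v).digest('hex');

// Verify credentials on the server; return a signed cookie value or null.
function login(user, password) {
  const stored = USERS.get(user);
  if (!stored) return null;
  const given = crypto.scryptSync(String(password), SALT, 32);
  if (!crypto.timingSafeEqual(given, stored)) return null;
  const payload = `${user}.${Date.now() + SESSION_MS}`;
  return `${payload}.${sign(payload)}`;
}

// A cookie counts only if its HMAC matches and it has not expired.
function validSession(cookie, now = Date.now()) {
  if (typeof cookie !== 'string') return false;
  const i = cookie.lastIndexOf('.');
  if (i < 0) return false;
  const payload = cookie.slice(0, i);
  const mac = Buffer.from(cookie.slice(i + 1), 'hex');
  const want = Buffer.from(sign(payload), 'hex');
  if (mac.length !== want.length) return false;
  if (!crypto.timingSafeEqual(mac, want)) return false;
  return Number(payload.slice(payload.lastIndexOf('.') + 1)) > now;
}

// Decide the response before any file is read. `path` is assumed to be
// already normalised by the web server.
function handle(path, cookie) {
  if (!PROTECTED.has(path)) return { status: 200, body: `public ${path}` };
  if (!validSession(cookie)) return { status: 403, body: 'Access denied' };
  return { status: 200, body: 'contents of test2.htm' };
}
```

Because the cookie value is authenticated with a key that never leaves the server, editing or disabling script in the browser does not produce a cookie that `validSession` accepts, and the expiry bounds how long one login keeps working.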