Thread: Security cookie?

  1. #1

    Security cookie?

    This is pretty hard what I'm about to ask...

    But, bear with me...


    Question:

    I am using a JavaScript password protection script to allow users access into my website. The script checks a .js file from the index page for the user names and passwords and sees if they match to allow access. If the name and pass are correct and are there, the script allows the user to be directed to the homepage of the site; if the name and pass are incorrect or do not exist, the script doesn't redirect them into the page. I have the end of the code in the .js file here:

    // Your other commands here
    }
    window.location = "http://www.toxicseduction.com/home.htm"; // This is what happens when the name and pass are correct
    }
    }
    }


    I am looking for a command to add above the redirect command that will leave a cookie for the users who have the correct name and pass.

    After the cookie is left they will be redirected instantly,

    but now I want a script for the homepage that the registered users were redirected to that will check to see if the cookie is there, and if it isn't they won't be able to see the content on the page. (Because the cookie will only be placed in their cache if the name and pass is correct so it will be good security.)

    Does anyone know what I need to do this?

    Note: I will be encrypting the index page so that guests don't see the location of the .js file in the source, and I will also be having the cookie placed on another site but loaded from my main site so that it's not saved when users choose to save my site, so they got no idea of getting in.

    Can anyone help me here?

    Copyright for this question by Jose Contreras 2006.
    Last edited by toxicano; 12-15-2006 at 11:36 AM.

  2. #2

    Quote Originally Posted by toxicano:
    > I am using a javascript password protection script to allow users access into my website,

    With the understanding, I hope, that it will provide no real protection.

    > I am looking for a command to add above the redirect command that will leave a cookie for the users who have the correct name and pass.

    That is certainly possible, though it should be optional: the visitor might be on a shared computer. However, it should be implemented entirely server-side.

    > Note: I will be encrypting the index page so that guests don't see the location of the .js file in the source ...

    In order to "encrypt" a document, it must also contain the decryption algorithm, therefore it's totally pointless. All you do is add a dependency on client-side scripting with zero actual gain.

    > Copyright for this question by Jose Contreras 2006.

    I sincerely hope you're taking the piss.

    Mike

  3. #3

    So is there any manual or any 'walk-through' for doing something like this anywhere? If you want to laugh and feel better about yourself because someone who's new to this 'javascript' language doesn't know some things about it you can go ahead, I only want good people to respond not some person making fun of people asking for help... Anyone out there that can help with this issue?

    Thanks a lot.
    the copyright was a joke ;-)
    P.S. I doubt everyone knows this type of 'going-around' the source if they do good for them and they deserve to get in... But if there's any other types of security measures I can use instead of javascript I would like some recommendations please. Thank you, by the way I'm 16.

  4. #4

    Javascript is not the way to go with password protected anything. Server Side is a lot more secure than client side.

    Quote Originally Posted by toxicano:
    > So is there any manual or any 'walk-through' for doing something like this anywhere? If you want to laugh and feel better about yourself because someone who's new to this 'javascript' language doesn't know some things about it you can go ahead, I only want good people to respond not some person making fun of people asking for help... Anyone out there that can help with this issue?

    mwinter has made some pretty good points in his post. For one, encrypted anything must have decryption algorithms (or at least point to a page that has this) and anyone can break that if they know enough.

    > I doubt everyone knows this type of 'going-around' the source if they do good for them and they deserve to get in...

    This is true, but you would be surprised as to how many people that I deal with (that can barely check their emails without some help) can actually find out the source code of some items. This may be by mistake, but nonetheless, they figure it out.

    Personally, I would use PHP (or any other server side language) to access a database that has the username / password combos in it. Mostly because it is a slight bit harder to crack by, for a lack of better words, "slow users".

    I hope this kind of points you in the right direction.
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design
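
Added example, not part of any post in this thread: the replies above say the password check and the cookie should both be handled server-side, and this Node.js sketch shows that shape. The function names, the `sid` cookie name, the `/index.htm` redirect target and the sample account are assumptions made for illustration.

```javascript
// Added example (Node.js standard library only); all names are illustrative.
const crypto = require('node:crypto');

const users = new Map();     // username -> { salt, hash }; never sent to the browser
const sessions = new Map();  // random token -> { user, expires }
const SESSION_MS = 30 * 60 * 1000;

function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function addUser(name, password) {
  const salt = crypto.randomBytes(16);
  users.set(name, { salt, hash: hashPassword(password, salt) });
}

// Login logic: returns a Set-Cookie header value on success, null otherwise.
function login(name, password, now = Date.now()) {
  const rec = users.get(name);
  // Hash even for unknown names so both failure paths do the same work.
  const salt = rec ? rec.salt : Buffer.alloc(16);
  const candidate = hashPassword(String(password), salt);
  if (!rec || !crypto.timingSafeEqual(candidate, rec.hash)) return null;
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, { user: name, expires: now + SESSION_MS });
  // The cookie carries only an unguessable token, never a "logged in" flag.
  return `sid=${token}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Protected-page logic: maps the request's Cookie header to a user, or null.
function authorize(cookieHeader, now = Date.now()) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader || '');
  const s = m && sessions.get(m[1]);
  if (!s || s.expires <= now) return null;
  return s.user;
}

// What a handler for the home page would decide before sending any content.
function homePage(cookieHeader, now) {
  const user = authorize(cookieHeader, now);
  return user
    ? { status: 200, body: `Welcome, ${user}` }
    : { status: 302, location: '/index.htm' };
}

addUser('alice', 'correct horse battery staple'); // constructed sample account
```

Because the server looks the token up in its own session table, a cookie the visitor sets by hand (for example `loggedin=true`) gets them nothing, which is the difference from a check done in page script.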

  5. #5

    Ok

    Thanks very much sir. :-D You too mwinter. Bye guys. ttyl.

  6. #6

    > Personally, I would use PHP (or any other server side language) to access a database that has the username / password combos in it. Mostly because it is a slight bit harder to crack by, for a lack of better words, "slow users".

    It's theoretically impossible to crack, save by brute-force (which would be noticed immediately by any competent sysadmin).