How do you do this?

**IanMarlowe** · 07-05-2005, 07:52 AM

Hi,

My question is:

DD has a couple of password scripts. The problems with them is that the name of the page is the password. If someone is watching you wile you browse, all they have to do is look at the <url>, and they will know your password. Is there a way to input password/username, but be directed to a page like your_page.htm?

From your_page.htm, you could view how many people have entered your site, and see there adresses. You could view how many people might have ordered a product, or downloaded a program/file...

Have any ideas on how to change the page it sends you to?

**Twey** · 07-05-2005, 08:22 AM

This is the problem with client-side password scripts.
The only secure way to do it is to have the password as the file name. However, if you're just worried about having people see your password, try converting the page name to hexadecimal first. This will stop people peeking over your shoulder (unless they have photographic memory

)

**ddadmin** · 07-05-2005, 08:43 AM

Hence you should try using .htaccess for password protection, such as by using this tool: http://tools.dynamicdrive.com/password/

**IanMarlowe** · 07-05-2005, 09:57 AM

oh, so that isn't just gibberish, it's hex? but will the computer know if i tell it to go to my password.html(in hex)?

**Twey** · 07-05-2005, 10:45 AM

Yes, it sees the hex characters as being exactly the same thing as the normal characters in a URI.
%73%65%63%72%65%74%70%61%67%65%2e%68%74%6d is exactly the same as secretpage.htm
Try it in Google:
http://www.google.com/search?q=%73%6...65%2e%68%74%6d

An ASCII chart: http://i-technica.com/whitestuff/urlencodechart.html

**jscheuer1** · 07-05-2005, 11:08 AM

If I understand what you are doing here, it wouldn't be that hard to view the source and then run the string through a hex to ascii converter. If I've misunderstood, never mind.

**Twey** · 07-05-2005, 11:23 AM

No, you've misunderstood.
He was worried that, if you had a script where the name of the page to go to was the password, someone could just look over the user's shoulder and see their address bar, and thus gain the password. I was suggesting that is the author of the script converts the password to hex characters before redirecting the browser. Hex is a lot harder to remember.