...

View Full Version : Secure Login with javascript



Borgtex
11-19-2002, 07:51 PM
Here is my "total secure login" script. Description of the contents:

login.htm: First page. It asks login and password, combines it (Login+Password) and sends it to the next page

auth.htm: checks for the existence of a Login+Password.js if yes (authorized user), it reads the private url and opens it, if not, it goes back to the first page, wich shows an error message

CodingForums.js: a Login+Password.js sample. You can have as many users as you want; one .js for every one (i.e. Login: Neo, Pwd: Matrix =NeoMatrix.js). Blocking an user access is as easy as deleting his .js file

page.htm:a sample destination page

PasswordHelper.vbs: a nice script that creates the js files

Of course, server side programming is much better if you have sensitive data to protect

Edited: Due the popularity of this script, I updated the original version with the one with whammy (http://www.solidscripts.com/) improvements, like the Password Helper

Ricky158
11-24-2002, 01:15 AM
holy $*@&

i've been looking for a good password-gate-like thing for a loooooong time. this is awesome! i was about ready to post that i was having trouble, before i found out what to do. here's how i got it to work...

1) unzipped the files
2) uploaded ALL of them to my site
3) created a new "CoddingForums.js" page and renamed "CoddingForums"
4) in renamed "CoddingForums" page, paste all info from the text in the "CoddingForums.js" into the new, renamed page
5) thank borgtex for the awesome script

also, you've got to make sure the file name is "{Name}{Password}.js" no {}'s, no spaces, first letter of name and password is capitalized (or so i think. but i'm afraid to test). it works fine for me, doing the method above.

THANKS BORGTEX!!

KaoS
11-24-2002, 10:04 PM
is it possible to make the usernames be in a drop down box instead of typing them in, if so how???

Ricky158
11-25-2002, 10:53 PM
hmmm... let's use My Yahoo! for example. does Yahoo! have a drop-down menu listing ALL of their members' usernames? wasnt like that the last time I checked... so i think it would just be more appropriate (in any case) for it to just be a type-in thing. because in my case, i use that script so it's harder for someone to access a certain page. giving them half of the entry information needed to access the page doesnt really help.

but you can do what you want with the script, but i have such little knowledge of javascript that i can't help you. but hey, i know the comment tag: // yay!

KaoS
11-25-2002, 10:57 PM
im not going to have 2143446 members only about 6 lol

Borgtex
11-26-2002, 02:26 AM
Just change the textbox for a dropdown menu, and access the value of the selectedIndex.
If you're not familiar with dropdowns & javascript, post your question in the JavaScript programming (http://www.codingforums.com/forumdisplay.php?s=&forumid=2) forum

SYP}{ER
12-25-2002, 11:23 AM
If your data is that important, use .htaccess & .htpasswd to keep the unwanted out.

If someone wants to get in, and has intermediate to advanced knowledge of javascript, they can and will ;)

krycek
12-25-2002, 11:47 AM
Just a warning: like SYP}{ER said, it is impossible to have a secure system using JavaScript alone.

A good system would be on the server side, or use .htaccess, or both.

But all the same, well done Borgtex for providing something that people want :)

Merry Christmas Everyone!

::] krycek [::

Alex Vincent
12-31-2002, 12:00 AM
Hm, sounds interesting. You have to download the authentication file from the server, or you're going nowhere. In this case, knowing JavaScript may not help very much -- because the password helps define the name of the script to request by HTTP.

Creating a dropdown menu is a security risk: it gives a person who wants in but isn't authorized a much narrower field of possible filenames to search.

Plus, there's always the possibility that a different combination of characters will yield a valid result (taking a letter off the password and sticking it on the username, for instance).

CrUdE
01-22-2003, 01:39 PM
Nice thing dude :thumbsup:

little question: is it possible to mark the password field with ***** when you type your password?

Borgtex
01-22-2003, 03:00 PM
yes, you only need to use this attribute in the password input:

<INPUT type="password" ...>

CrUdE
01-22-2003, 03:03 PM
OMG!!!!

Didn't thaught about that one.

anyway thankx m8 and keep up the good work.

another question.

Cos u r all leets in JS maybe I can ask u peeps to provide me with some good links to tutors etc. cos I'm not really into JS, and I'd like to be :rolleyes:

redhead
01-22-2003, 04:31 PM
Originally posted by CrUdE
maybe I can ask u peeps to provide me with some good links to tutors etc. cos I'm not really into JS, and I'd like to be :rolleyes: www.javascriptkit.com has some good tutorials :)

relyt
01-23-2003, 03:32 AM
err.....how would i make it so you can only view the website if you have entered the user name and password?

CrUdE
01-23-2003, 08:53 AM
I think making your index.htm the page with the javascript in it

relyt
01-23-2003, 07:02 PM
i tried that. it just tells me "unable to find server" when i do it.

CrUdE
01-28-2003, 01:02 PM
is it possible u gave the incorrect or incomplete url he has to get by submitting the login info?

whammy
01-29-2003, 01:09 AM
BTW, I meant to comment on this before, but this is a pretty ingenious solution to client-side password protection. :)

tempest1
01-31-2003, 07:08 PM
Simple, clear your cache before you try to break your site. And then after you "cant" get through you browse your temp internet folders. Nothing in javascript is secure, nothing.

whammy
02-01-2003, 08:16 PM
Apparently, tempest1, you didn't see how the scripts works... if the correct username and password isn't typed in, there's no javascript library to include - therefore, there is nothing in your cache to reveal a username and/or password.

You can look at the html all you want.

About as simple and secure as you can get with client-side scripting.

tempest1
02-02-2003, 04:54 AM
if its client side its cached.

Borgtex
02-02-2003, 11:13 AM
Person A wants to access page X and knows the password: the .js is called and cached in his computer, ok

Person B wants to access the same page X but it doesn't knows the password: The .js is never requested and consequently not cached in his computer

if person B looks at person A computer, he can discover the password or at least page X name

so the limitation of the script is that it's not very secure (like all client-side solutions) in a network or a public environment, where more than a person can access the same computer.

But as a individual user, it doesn't seems very probable that person A allows person B to use his computer to steal the code

:rolleyes:

whammy
02-02-2003, 05:00 PM
Borgtex, I have modified the script to make it XHTML 1.1 compliant, and instead of using the "BadPassword.htm" page, if not authorized, the user is sent back to the login page with an "Authorization Failed!" message.

With your permission (and credits intact, of course - actually I wouldn't mind if you supplied some better credits!), I would like to post the script on my site, as well.

Here (http://www.solidscripts.com/downloads/jslogin.zip) it is.

Borgtex
02-02-2003, 05:20 PM
Originally posted by whammy
Borgtex, I have modified the script to make it XHTML 1.1 compliant, and instead of using the "BadPassword.htm" page, if not authorized, the user is sent back to the login page with an "Authorization Failed!" message.

With your permission (and credits intact, of course - actually I wouldn't mind if you supplied some better credits!), I would like to post the script on my site, as well.

Here (http://www.solidscripts.com/downloads/jslogin.zip) it is.


Nice! and of course you can post it in your site. :)
I'll PM you the credits

whammy
02-02-2003, 05:24 PM
:)

whammy
02-08-2003, 11:26 AM
Borgtex, you have the honor of being the first person besides me to have a script posted on my website!

http://www.solidscripts.com/displayscript.asp?sid=15

:)

ca_redwards
02-08-2003, 05:28 PM
On my resume (http://www.angelfire.com/ca/redwards) page, I have had the same password scheme in use for four years.

Basically, whatever the user types in is taken as the pathless/extensionless filename of an image. If the user-named image loads successfully, then the browser is forwarded to a web page of the same name.


<script language=javascript>
function imgError()
{ alert('Sorry, that is not correct.');
document.enter.password.value='';
}
function imgLoad() { window.location=this.password+'.html'; }
function tryit()
{ var I = new Image(1,1)
I.onerror=imgError;
I.onload= imgLoad;
I.password=document.enter.password.value;
I.src='images/'+I.password+'.gif';
}
</script>
<form name=enter><input type=password name=password><input type=submit value=login></form>


Basically, if you don't know the password, this script doesn't know what page to display!

kwhubby
02-10-2003, 01:18 AM
one problem with this script, is that if someone uses this on a computer, anybody can than go onto that computer and look at the history and go to the personal page, wich, if the password was what that person always uses, would let the unwanted know there password. and you could also look at index.dat if the history was simply deleated.

whammy
02-11-2003, 03:19 AM
Well, it's a client-side script. Of course that's a drawback. If you're trying to say it's better to use server-side scripting for logins, of course you're right.

:confused:

But like I said, this is the best client-side script I've seen. ca_redwards' script uses the same idea, but it's not as easily modified by newbies, and it also uses the image name as the "redirect" file name, instead of allowing you to modify the URL as Borgtex's script does (which also allows for multiple users very easily)... so Borgtex's script wins handily by it's simplicity and "security" (what there can be in client-side scripting), in my opinion.

hallj999
03-03-2003, 05:56 PM
when i enter my username and pass word and click login, the page next page when loading displays http://myweb.tiscali.co.uk/streetracer/chkpwd undefined password. then it wont load the page and a cannot find server error comes up
whats that about and how do i fix it, joe

Borgtex
03-03-2003, 06:47 PM
http://myweb.tiscali.co.uk/streetracer/LoginPage.htm works for me (as you uploaded the original example). The problem must be in your new .js file

whammy
03-04-2003, 12:06 AM
Might help if you included the temporary username and password you're trying out, so we can see the error you're getting.

If I use

Codding

Forums

It works just fine.

hallj999
03-04-2003, 12:28 AM
well it takes me to a tiscali ;age saying that the page can not be founf, eroor 404 i think

whammy
03-04-2003, 12:42 AM
Right, so you don't have a valid URL in your .js file.

No way we can help you though, without you posting your code - actually this shouldn't be in this thread, you should post this in the javascript forum, or a moderator for this forum should move it, since this isn't a problem with the script itself.

whammy
03-04-2003, 12:43 AM
P.S. To the general community, and Borgtex, I'm wondering if we should "clean up" some of these posts, down the road, or whatever - since questions like this (and the responses) shouldn't really be part of the script thread...

Borgtex
03-04-2003, 03:20 AM
Originally posted by whammy
P.S. To the general community, and Borgtex, I'm wondering if we should "clean up" some of these posts, down the road, or whatever - since questions like this (and the responses) shouldn't really be part of the script thread...

Yes, I agree. In any case, moderators have the final say...

collie
04-15-2003, 03:02 PM
Sure could use some help trying to use (secure login with javascript).
I have been trying diff. ways,no luck.

Should my password be the same as the page it will open?
Example: password=index (the page it opens is named index.html)

Now i have put everything in one directory. loginpage.htm, chkpwd.htm, badpassword.htm, coddingforums.js, index.html.

thanks
:rolleyes:

Borgtex
04-15-2003, 08:05 PM
Originally posted by collie
Sure could use some help trying to use (secure login with javascript).
I have been trying diff. ways,no luck.

Should my password be the same as the page it will open?
Example: password=index (the page it opens is named index.html)

Now i have put everything in one directory. loginpage.htm, chkpwd.htm, badpassword.htm, coddingforums.js, index.html.

thanks
:rolleyes:

I think that it is explained in the first post, but anyway...

You have to create a .js and name it accordingly. i.e.: if your login is "Tom" and your password "Jerry", you have to create a file named TomJerry.js (that file contains the destination page). You just have to look at the example and adapt it

whammy
05-06-2003, 12:09 AM
Also, perhaps it will make more sense for you to try it out:

http://www.solidscripts.com/jslogin/login.htm

Go there, and type in:

Username: coding
Password: forums

What happens then, is this... the form gets posted to "auth.htm" which tries to include the file "codingforums.js". Since that file exists, javascript then sees that the "auth" variable is true, and redirects you to the URL contained in the variable "redirect".

If you type

Username: blah
Password: I'm tired

it would try to include the file "blahI'm tired.js" - which won't work, because there is no such .js file.

So, all you need to create a .js file that is the combination of your username and password (no spaces!)... and then, edit that .js file just like the others...

http://www.solidscripts.com/downloads/jslogin.zip

I modified Borgtex's code slightly (just to make it XHTML compatible and clean it up a little bit), but you'll notice that if you open the "codingforums.js" file with notepad, you'll see this:

auth = true;
redirect = "http://www.codingforums.com/"

all you have to do at this point is change the redirect variable to the page you want to redirect to.

:)

collie
05-06-2003, 02:06 PM
Thanks to everybody. I finally did it.

damensr
06-02-2003, 07:24 PM
Hi guys, the script works great.

I just have a question, I'm trying to create a website with the login script. I want to keep it easy and simple.

Now I need your help, I want to create on the login page a button with a checkbox (list prices yes or no), but I want to keep the same userid / password. If the checkbox is checked, they need to go to www.motorvoorraad.nl/index12.htm if the box is unchecked it want them to go to wwwm.motorvoorraad.nl/index11.htm. Is this possible??

Thanks in advance for your help.

Regards,
Sander

Ricky158
06-13-2003, 09:34 PM
i have a question that's related to this script. is there a way to create the page for me after the user has submitted the info for their account?

for example. i'm a random person viewing the website and i want to register an account. i fill in the username and password field to register and it takes that information and creates the .js file and also the .html page that the .js page points to if the username/password is correct. the .html page will be a default page that says "please wait 48 hours for your account to be activated" or something like that.

so what it needs to do is take the username and password field and combine them to form UsernamePassword.js. my form already makes sure that it's only Username and Password, not uSerName and PASSwoRD (mix of caps and lowercase, so it's just the first letter that is caps, and none of the rest). and then in the .js file that it just created, it points to an .html page that it also just created. and all that is in that html page is "please wait for your account to be activated" or something along those lines.

right now, i'm under the impression that this is something too complex for JS and/or it's something that my Angelfire host will not let me do. but i have my own .com anyway, so permissions shouldnt be a problem, it's just that i have little to no knowledge of how to do this.

whammy
06-14-2003, 02:44 AM
Nope... in order to do that, you need a server-side language (such as ASP or PHP) and a database.

Otherwise, you're stuck with someone emailing you, and manually creating this stuff.

Angelfire doesn't offer this as far as I know... but what about your other domain... who hosts it?

P.S. You should start your own thread in the javascript programming forum, though - this forum is for posting useful scripts, not problems with javascript. Perhaps the appropriate moderator will move it. :)

Ricky158
06-14-2003, 02:55 AM
hmm... i wonder where we could find a good moderator that doesnt work for tips...

teken
06-23-2003, 05:29 AM
Hi Borgtex,

The password protection code you've posted here does not work in my PC. what could be the possible reasons?

whammy
07-20-2003, 05:47 PM
Since this is so popular and simple, yet people somehow still have problems getting it to work, I've also added a VBScript file you can run, which will prompt you for the username, password, and URL of the protected page.

It will then create the javascript password file for people unfamiliar with javascript. All you need to do then, is put the password file in the same directory as login.htm and auth.htm.

The URL is not validated, so if the resulting password file doesn't work, you probably typed the URL wrong.

The .zip file is attached to this message.

Just double click on the "PasswordHelper.vbs" VBScript file and follow the instructions to create your password file(s). You need to run this file locally, and then upload the password file(s) to your website.

Note: VBScript is a ©Microsoft technology, so this file will only work on Windows!

This file is safe to run. If you get any warnings, or are concerned, you can open the .vbs file with notepad, and make sure that the code matches the following:



Option Explicit
Dim UserName, Password, RedirectPage
Dim fs, f
While NOT IsAlphaNumeric(Username)
If Username <> "" AND NOT IsAlphaNumeric(Username) Then
MsgBox "Username must be alphanumeric, without spaces!",16,"Password Helper"
End If
Username = InputBox("Enter Username:","Password Helper")
Wend
While NOT IsAlphaNumeric(Password)
If Password <> "" AND NOT IsAlphaNumeric(Password) Then
MsgBox "Password must be alphanumeric, without spaces!",16,"Password Helper"
End If
Password = InputBox("Enter Password:","Password Helper")
Wend
While RedirectPage = ""
RedirectPage = InputBox("Please enter the URL of the password protected page:","Password Helper")
Wend
Set fs = CreateObject("Scripting.FileSystemObject")
Set f = fs.OpenTextFile(LCase(Trim(Username)) & LCase(Trim(Password)) & ".js",2,True)
f.WriteLine("auth = true;")
f.Write("redirect = """ & RedirectPage & """;")
Set f = Nothing
Set fs = Nothing
MsgBox "Password file created!",0,"Password Helper"

Function IsAlphaNumeric(str)
Dim ianRegEx
Set ianRegEx = New RegExp
ianRegEx.Pattern = "^[a-zA-Z0-9]+$"
ianRegEx.Global = True
IsAlphaNumeric = ianRegEx.Test(str)
End Function

benastan
08-15-2003, 12:14 AM
very cool idea, the whole client side password protection thing-- personally ill stick with server side, but for using javascript thats amazing. the only other script ive see that would do that is one that encoded the passwords.

anyway, just a few things anyone who has that might want to try:

1. Try using cookies. Have it check the cookie, and if either the cookie doesnt exist, have it send them off some where in the internet, or have 1000000000000 windows pop up, or just send them to the bad password page.

when it sends you to whatever the user's script(ie, BenastanFool.js), have this at the beginning:

var username = "Benastan"
var password = "Fool"
expiredate = new Date
expiredate.setMonth(expiredate.getMonth()+6)
document.cookie = "username="+username+"; expires="+expiredate.toGMTString()
document.cookie = "password="+username+"; expires="+expiredate.toGMTString()

this way, you can access the username and password for the user in virtually any programming language!!!

2. i can see that you obviously just threw this together, so im just gonna recommend a little style thing for anyone who will use it:

change the html for the sign in page to:

<html>
<head>
<title>Sign In</title>
</head>
<body>
<table style="border: 1px solid black;">
<form name="form1" method="post" action="">
<tr><td colspan=2>Sign In:<font style="font-size: 10px;">Enter your username and password to sign in</font>
<tr><td>Username: <td><input name="Login" type="text" id="Login">
<tr><td>Password: <td><input name="Password" type="password" id="Password">
<tr><Td colspan=2><center><input type="submit" name="Button" value="Sign In"

onclick="self.location='chkpwd.htm?'+document.form1.Login.value+document.form1.Password.value"></center>
</form>
</body>
</html>

i forgot what else i was gonna say, oops... oh well, if you object to my new formatting for it, tell me, ill only be sad for a bit ;) , if you actually read this entry, thank you for reading it!

NYCSavage
08-23-2003, 04:48 PM
i set up my page to test it and now when i click the login button it comes up error on page in the bottom left :(

here is the link (http://hometown.aol.co.uk/Savagepremier/index.htm)

Can anyone tell me what I did wong?

whammy
08-23-2003, 11:33 PM
You have this:

<INPUT type="password" ...>

Which isn't valid HTML.

NYCSavage
08-24-2003, 11:41 AM
Originally posted by Borgtex
yes, you only need to use this attribute in the password input:

<INPUT type="password" ...>


this is what i added as Borgtex suggested.

did I add it into the wrong place?

whammy
08-24-2003, 11:45 PM
No... but it's not correct HTML. What he meant by "..." was put any other attributes there that need to go there, in place of "...".

If you look at the original example code, you'll see what I mean. It works - because it's coded correctly. Better yet, download the .zip file I provided that has the XHTML compatible code and the password helper. ;)

<td>Password: </td><td><input type="text" name="pass" /></td>

all you need to do is change the input type to "password" instead of "text"

NYCSavage
08-25-2003, 09:44 AM
thank you for your help guys.......it now works fine.

but how about the security issue? does anyone know how to fix this?

whammy
08-25-2003, 03:31 PM
What security issue?

NYCSavage
08-25-2003, 06:49 PM
sorry, i posted this in the wrong thread :eek:

exothermic
10-08-2003, 04:45 AM
Borgtex,

I don't know much , but i do know this is a great script for certain useage.

Thank you very much.

exothermic

DraftRacer
11-16-2003, 08:43 AM
I got Four frames in my website:
1. Meny (left)
2. News (right)
3. Logo (up)
4. Mainpage (in the middle)


my password log in is in the mainpage and when the ppl log in then i dont want the page.htm (the page the ppl come to when they log in correct) only be in the middle beacuse i want to change the Meny (1) and news (2).

My question is can I make the page.htm not framed. I mean so it will be the only page open!

Andyman33
04-21-2004, 08:40 AM
was wondering if anyone knew why I can use this and easily link to any page so long as I use the http://www. . . format, but as soon as I try to link within my site I somehow can't. Why can I not redirect to /Homepage.html for example? This is how I use EVERY other link on my site. . .why is it not working here?

AnniHilatE
08-19-2004, 09:18 AM
yeh i had the same problem when i was editing the code of the .js file. and me not being a JS person took a while to figure it out. i did eventually find out how to do it.
eg. say you have the login.htm in folder "welcome" and you want to redirect to a folder under "welcome" named "me". open your .js and it should say

auth = true;
redirect = "******.htm";

all you need to do is in the redirect part type

auth = true;
redirect = "me/******.htm";

------Heres an example site structure---------------

____________WELCOME_________
---------------||||||-------------//////:dont mind the "......"
||..........................................||
.js file...................................."me"
login.htm.................................||
.........................................******.htm

when you enter the username and password, login.htm will goto the .js file and look at the { redirect = "me/******.htm"; } when you added the "me/" into the redirect, it will then goto the folder named "me" in the same 'level' and will then look for the page you want to goto.

NOTE: i think the login and .js file has to be in a higher level than the page you want to redirect to.

hopefully i made sence for you.
cheers :cool:

AnniHilatE :thumbsup:

PS. see the script in action. http://gamingexperts.cjb.net
goto members login and use { User=member, Pass=12345 }

TRINITY1
10-23-2004, 12:06 AM
Wonder if anyone can help please.

I have very little experience of js,and web design in general,and desp for help.

Looking to create a secure login for a newletter site which will be online hopefully next week. It must be fairly secure for a number of reasons and with the option of user/password change at any time,although probably once a month. THe Whammy vb script was recommended,but I have tried everything to get it working without success.
Downloaded script,set user/password ok. and homepage url.

If I go into the login html file it DOES take me straight into my site,and to test if the wrong user/password is enetered into the login html it will not.

I have a site which will be coming down this weekend,and just trying to test the script on this,so I know what to do when newsletter is up.

Currently it uses index.html as the inital ftp load file. I have tried setting this to login html,tried all js as initial files,but still nothing.

As the login file does not link to my index file,could this be the problem.

I know I am missing something and its probably simple,but desp for some advise.

My site at present was created using mindmanager

http://homepage.ntlworld.com/brian.parker2/

Please.

kwhubby
10-23-2004, 12:34 AM
Well it really depends on your host, if you have access to server side languages, such as php, asp, perl, python, java etc you can do this more securely and with more conventional methods (also not to mention easier to change access lists) but if you don't this would be your alternative.

TRINITY1
10-23-2004, 12:42 AM
My understanding is that NTL does not support server side,so this is why the vb script looks good.

http://www.cableforum.co.uk/board/article.php?a=5

rhodopsin
11-06-2004, 02:42 PM
For me I think that the weakness of this script is being able to see what files are on the server. You see one called CodingForums.js. You open it - and you have the url of the protected web page. YOu have just circumnavigated this security system. Indeed - u can even see the url of the protected webpage: page.html - on the server. Type this into your browser and there you have the protected web content.

So this brings me to my Q: how can you prevent someone from seeing all the filenames on your server (such that they can then type them into their browser and look at them)? IS this possible?

To repeat for clarity:
Even this really good script is vulnerable to persons looking at your filenames on the server.

Is there anyway that I can prevent persons from discovering the names of all the files on my server? Best,

kansel
11-06-2004, 05:44 PM
rhodopsin: just make sure the directory where your .js files are stored has an index.html file.

W-Unit
11-09-2004, 11:08 PM
Could they not bypass the protection by skipping directly to /page.htm ???

kwhubby
11-10-2004, 02:37 AM
Another way you can do it is with .htaccess If you have that option, which many hosts do at least limited support. You can have a .htaccess file that has IndexIgnore * in it which should prevent indexing. A good resource for this: http://www.javascriptkit.com/howto/htaccess11.shtml

bearsdenred
11-22-2004, 11:28 PM
HI guys just found this forum tonight, searching around the internet looking for help in various aspects of my course work for uni.

I need a secure login (using either, java / VB) and a authentication program to check members exist. This program does this very nicely.

only one question i have just now....

Heres my site.

http://www10.brinkster.com/tester2003/index.html

Now, how do i get the code to create a password and username through registering at this site?

register.htm <--- file i want the user to register, i want to create the password and username here. in this form to create the .js File?

And does anyone know anything regarding XML ?? im a network engineer not a programer. :(

Pavel
12-05-2004, 03:07 AM
How could this auth method be secure?

1. When the auth.htm has to check if the Login+Password.js exists, the browser has to request the URL http://server/path/Login+Password.js from the web server.
This request is transmitted plaintext, so every sniffer could read it. And even worse, the web server logs this request plaintext in his log. So the HTTP BASIC AUTH is better, because the password is not logged.

2. How do you difference user "Neo",password "Matrix" and the user "NeoM", password "atrix" ???

The only "secure" way (beside SSL) is, to hash the password with md5 or sha1 and to verify the hashed password on server side. And don't forget to include a salt, do make brute force attacks more difficult.

joh6nn
12-05-2004, 03:45 AM
Pavel, the points you bring up, while valid, have already been hashed over in the preceeding 5 pages of this thread.

Tatty
01-12-2005, 01:07 PM
.. How would I get the protected page/pages to open in an i-frame .. is that possible?

Thanks in advance :rolleyes:

**Tatty**

spicyfetus
01-20-2005, 05:50 PM
this is one hell of a script. very good stuff with some incredible diversity and functionality. i might have to use this one...though i dont have anything on my website that would require someone to need a user name and password...hahahaha. oh well...maybe in the future. very cool stuff though amigo :)

very clever

sgrimmett
02-07-2005, 10:40 PM
Just like to say superb and simple script, am finding it very useful already. I have a question though and i'm afraid my JS is so bad i can't even figure this out by myself lol.

I want to reduce clutter in my directories and want to put all the .js files in a subdirectory called ID which file would i need to amend to do this and what change would i need to make?

Many thanks Simon :)

Bolter99
02-12-2005, 05:29 AM
Hey, i just threw together a simple but really secure javascript.

Writes the usernames in a list (select tag). The usernames and passwords are stored in an Array in a javascript file witha a complex file name and some of the source code is heavily encrypted.

Here it is:

Click here for a live preview (http://www.freewebs.com/bolter99/loginscript/)

Click here to download this script. (http://www.freewebs.com/bolter99/loginscript.zip)

NOTE: Username: User01, Password: Pass01.

Kor
02-24-2005, 12:29 PM
Man, the secure and javascript are two opposite words. javascript was not design as a security language, thus it will be never ever suitable for a secure pass login. As any other client-side language the codes are loaded in the user's cache where from the user can see the codes and, sooner or later, will find the algorithm to decrypt. Man, it's so simple to understand that, yet so many people try and try again and again to square the circle, on and on... :D

ph30nix
03-22-2005, 05:55 AM
one thing i want to know about this.
How can i make it so anyone accessing the site doesnt know about what other pages there are. Because i obviously know the URL it redirects to, but how can i make it so that to view the page they need to login.

That might not have been clear.

say i have a downloads page, it has a login thing, no when i login it redirects to a page with a list of files to download, how can i make it so when it login in it has something like www.MYWEBSITE/download=<usermane> etc etc.

I guess you know what i mean by now, hiding the page , im thinking mabye this isnt possible using HTLM/JS, does someone know anyway to do it with PHP etc. Im willing to try and learn. :thumbsup: , as long as someone gives me a go.

Thanks in advance,
Ph30nIX

Phoenix1
04-06-2005, 03:02 PM
In auth.htm it searches *.js basically but having changed the .js to .dfsdfd it still works. if you have something like .gif it also works. Maybe this could add a little bit if security.

Ideas/Does the script...

?? - Create time out cookies?

Idea - search is conducted in a *.php file which has an include which brings in the *.password files. One more step away from detection and an extra language to go though.

Idea - Log each access attempt, username only as not want to leave passwords about!

idea - Change password after x amount of days?

idea - Make a valid looking list/website so hackers think they are in when they are not

Vapor
05-22-2005, 10:41 AM
I tried throwing that code into a free web host such as geocities or angelfire and I can't get it to work. Whenever I try to login, I get an error page from either geocities or angelfire. Is it something that can be fixed? Do I have to change the code at all?

glenngv
05-23-2005, 05:05 AM
Did you use the tool that whammy developed to create the password file automatically? His post is in page 4 of this thread.

Vapor
05-24-2005, 09:54 PM
Ok,

THis is exactly what I have done step by step

I downloaded all of whammys files. I then uploaded all of them on my geocities site. I tried to login in and I get an error page from geocities. I have also tried it on angelfire. I am not sure what to do. Here is the link to my site if you want to try it

http://www.geocities.com/christianfobian/login

If you try it, (just put something in the user and password form) you should get the auth.htm page that says authorization failed! in red letters.

All I did was take the straight code upload it and try logging in. Is there something I need to change?

Vapor
05-24-2005, 10:00 PM
now I feel kinda silly,

I just posted my last post and I got the blasted thing to work... PARTLY! I have it so that if I just randomly type info into the user and pass part of the form I get the authorization failed! in read letters page (auth.htm) NOW the problem is I cant login once I use the right username and password!

Any ideas?

Vapor
05-24-2005, 10:32 PM
Never mind, I played around with it for about an hour but I figured it out, thx though

:) :) :) :) :thumbsup:

Doodah
06-16-2005, 09:45 PM
Couldn't you use a cookie to validate that someone has logged on? and then have the cookie checked on "page.htm" or any subsequent pages. This would keep people from going around the login page, also adding the index.htm page to the user ID folder.

Ideas?

Doodah
06-18-2005, 12:53 AM
If anyone is interested I did add a cookie to this code and a redirect to the page.htm file. It does keep anyone from going to the page.htm file directly and the cookie expires immediately so anyone returning to the page from history should be blocked. I'm not a programmer, just a designer, so there may be bugs that I'm not aware of. I used an asp script that utilized this code, that's what made me think it should be possible to use it here.

If anyone sees a problem please let me know.

Thanks

doo :thumbsup:

pjf1985
09-21-2005, 11:29 AM
I am using the jslogin script that was posted in this topic. The script works great and does everything I want it to except for one thing. It directs to my secure/destination page that I want it to, but how do I make the destination page itself really secure so that it cannot just be viewed by typing in the URL to the page?

So for example, when the correct username and password is entered and it goes to the destination page:

http://www.mysite.com/myfolder/mypage.htm

But what is stopping someone from just entering that URL and bypassing the login?

Is there a way for me to properly secure the page or a folder and so I can still use this script? Would using .htaccess do the job? And if so, how would I go about it?

Thanks.

mw2005
09-21-2005, 04:44 PM
If you want a 99.9% secure page use .htaccess and not JavaScript (some servers do not allow it though)

Below is a link teaching you about .htaccess (if you don't already know how to use it)

http://www.javascriptkit.com/howto/htaccess.shtml

HTH

MW2005

dutycalls5609b
12-03-2005, 02:27 PM
Love the script, borg. And BTW for the skeptics, it works with all lowercase.

DR.Wong
12-22-2005, 04:39 PM
Hey guys. I am always looking for a good way to create a JS client side database.

By the looks of it, this is modifyable to create a client side database. Could you not modify the VB Script to ask questions.. such as a persons name and address. The Script makes the JS file that uses the persons name as the file name. Then use a page to display the persons other information from within the JS file?

This sounds completely logical to me... only I dont know much VB either... I may however be able to poke around with the script and change it to add more options.

One problem that seems to circle over and over in my head, is once you have the entire directory full of JS files, how would you bring up a list of them, so you could click on a users name and that pull out the info, without you having to manually index the directory.

Is it viable???

I really would like your input, this is troubling me!!!

Thanks alot and MERRY CHRISTMAS!!!!!!!:thumbsup: :cool:

Bolter99
12-23-2005, 12:38 AM
Mines better lol... uses encryption to hide the source of the passowrds and username list...

Ah well.

Bolter99
12-23-2005, 12:39 AM
Hey guys. I am always looking for a good way to create a JS client side database.

By the looks of it, this is modifyable to create a client side database. Could you not modify the VB Script to ask questions.. such as a persons name and address. The Script makes the JS file that uses the persons name as the file name. Then use a page to display the persons other information from within the JS file?

This sounds completely logical to me... only I dont know much VB either... I may however be able to poke around with the script and change it to add more options.

One problem that seems to circle over and over in my head, is once you have the entire directory full of JS files, how would you bring up a list of them, so you could click on a users name and that pull out the info, without you having to manually index the directory.

Is it viable???

I really would like your input, this is troubling me!!!

Thanks alot and MERRY CHRISTMAS!!!!!!!:thumbsup: :cool:
Well you could use a 3 dimensional array to do it...

DR.Wong
12-23-2005, 02:25 PM
I'm sorry, your words elude me.

What do you mean??

Is it possible?

If it is, then this could be great!!

Thanks Alot and Merry Christmas!!!:thumbsup: :)

jettlarue2003
12-29-2005, 07:25 PM
its not really a very good database since you can view anyones data with looking at the source. also an idea for the secure javascript login. someone should write an algorithm to encrypt the name you entered and the password so it would be jabble instead of having names. it wouldnt be too hardbut adding a couple of letters in it contains a 5 or stuff like that.

felgall
05-07-2006, 11:22 PM
1. That script requires that the "protected" page have a name that is related to the password that is entered.

2. Anyone who knows the destination page can get there without having to login first.

thesmart1
05-08-2006, 03:34 AM
Love the script. Seems preety secure against most users; I don't plan on using it to secure anything important. I've been looking casually for a password gate with several user names and of all the oones I've seen, this is by far the easiest. Good job!:)

Game_Master64
05-09-2006, 07:26 PM
yes, this is quite useful. problem is, i have no idea how to install it on freewebs. anyone know?

Thompson
05-11-2006, 04:32 PM
Nice script. IŽve run it in a php-linux host, it goes well.

It can be incremented with some security issues, like prevent the user from reach the target page without passing through login page.

I think the most skilled crackers would check if the login and password isnŽt the name of one of the pages in the server hehehe

The idea of hiding information that is passing trough fields with JScript and VBScript is quite nice, but iŽll never use it on a project, no matter how simple it is. :D :D

Whystara
06-18-2006, 12:40 PM
Hi,

I'm new to javascript & this forum, I want to use this script but am having a problem. I'm also not a html pro, but maybe you can offer advice. When I am making a custom index page with my login area, I add the code for the body into the body section of my html, but when I load the page the code for the login overrides everything else I coded before it and places the login in the upper left corner where my other code should be. Maybe this is a simple html thing, but i need help adding this script into my page. Could anyone please look at the way I have my login page set-up and tell me where to fit the body part of the script so it will work where I would like it to? Here is the address: www.starlight-myst.com/DD, you can send me an e-mail if you'd like.. to whystarasilvrain@aol.com otherwise I'll just look back in here.

Thank You!
~Whystara

Whystara
06-18-2006, 01:07 PM
Ok nevermind I figured it out LOL thanks anyway!

thesmart1
07-21-2006, 08:33 PM
W3Schools (http://www.w3schools.com/) has great tutorials.

Mike_Lamb
08-07-2006, 10:56 PM
I have placed the code within my logon site nut i cant seem to get it to work properly. It just passes me on to the blind.htm page in my site.

here is my code

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Admin Login</title>
<script type="text/javascript">
<!--
function authPass(u,p) {
if (u && p) self.location = "blind.htm?" + u + p;
return false;
}
// -->
</script>


<div id="Form">
<script type="text/javascript">
<!--
if (location.search.indexOf("auth=failed") != -1) {
document.write("<span style=\"color:#ff0000\">Authorization Failed!</span>");
}
// -->
</script>
<table width="273" border="0">
<tr>
<td width="267"><form id="login" action="javascript://" onSubmit="return authPass(this.user.value,this.pass.value)">
<div align="right"><span class="TxtHead">User Name:</span>
<input type="text" name="user">
</div>
<div align="right"><span class="TxtHead">Password:</span>
<input type="password" name="pass">
</div>
<div align="right">
<input type="Submit" value="Login">
</div>
</form></td>
</tr>
</table>
</div>

If any one can see what is wrong with my JScript then i would be very grateful. I have the .js file and it doesn't seem to check it help me please

GSimpson
08-13-2006, 10:03 AM
The vbs file created a new js file,
can you do that with js forms? thanks.

briand
08-28-2007, 01:14 PM
Is there anyway to lock the page.htm? Because if I just enter, example: www.codingforums.com/page.htm it allows me to see the page even though I not entered a username and password. Thanks for any help.

- Brian

liamwis
01-02-2008, 10:11 AM
Thanks borgtex. I couoldn't use php because i don't have it on my pc. This is brilliant. Everone says you can't get a secre login with javascript. but i just new you could.


THANKS BORGTEX

liamwis
01-02-2008, 10:15 AM
I think you havn't put the source of the .js file in
try doing this
<script language="text/Javascript" src="[location of the .js file"]
I hope that helps!

liamwis
01-02-2008, 10:29 AM
How do you make the Password Helper.vbs file let you have spaces and punctuation (e.g!,,). Because it dosn't!

kosstr12
01-10-2008, 12:19 PM
Thats a great script=] one of the best on the web

zoltros
12-04-2008, 09:34 AM
How do i change Auth.html:

var authstring = "<script type=\"text/javascript\" src=\"" + location.search.substring(1) + ".js\"><\/script>";

So that it looks for the file in a sub directory, or even a directory on another disk.??

jrp1
09-25-2009, 05:49 PM
I cant believe nobodys thanked him for this yet. +rep

jenpen
07-26-2010, 04:59 AM
This is so cool and easy for a JS noobie like me BUT my JS menu has disappeared - there seems to have been a conflict of some type. If anyone can think of a fix, here's my page:
http://indigoedge.com.au/epublish/client/index.html

and you can log in with Client, Digipub.
Thanks, Jen

jenpen
07-26-2010, 06:29 AM
Hey ignore that. I re-uploaded all files and now it's working fine. Must have missed something. Thanks anyway, it's a great little script for when it's not life-or-death security, just to make members feel special.

nate.hernandez9
03-04-2011, 09:24 PM
Thank you for this code, it really comes in handy.
unfortunately, i am not too savy using JS. and i was wondering what exactly i would write/change to have the users be put in there own folder within the current directory. For example, lets say i have everything in a folder named "site" and the users are scrambled within the folder along with the other pages. how do i put them in their own folder, called "users" for instance?

Shively-Mower
03-19-2011, 02:58 AM
What I would really like is to validate users via a look-up in a database already on the server, which seems to me to be a more secure method.

What code modifications does this script need.
Let's go with a table named passwords - how's that for imagination?
Field names would be User and Pass.
Keeping it simple, let's pretend it's an Access table in the /database directory.

One final totally armature question - where should I put this script within the web to assure that it only impacts access to the database application?

Thanks a 1,000,000 ± :)
Chuck

samaneh1d1
10-21-2012, 07:31 AM
I am not very familiar with js. Would someone explain me that how this login provides security?
thanks in advance.

keyboard1333
10-23-2012, 12:44 AM
Because you can't view all the files in a directory, the names (and therefor the correct username and password) are hidden.

The only way to login is to put in the correct username and password...

One easy way to crack this would be to just brute force the directory untill you find the files...

Philip M
10-24-2012, 10:15 AM
Because you can't view all the files in a directory, the names (and therefor the correct username and password) are hidden.

The only way to login is to put in the correct username and password...

One easy way to crack this would be to just brute force the directory untill you find the files...

Not easy! Not if the file is named CrazyStanierPurpleStarling781.js or whatever.

steveparkinson
11-27-2012, 03:12 PM
Oooops posted in the wrong place and can't see where to delete it...

Sorry

steveparkinson
11-27-2012, 03:15 PM
holy $*@&

i've been looking for a good password-gate-like thing for a loooooong time. this is awesome! i was about ready to post that i was having trouble, before i found out what to do. here's how i got it to work...

1) unzipped the files
2) uploaded ALL of them to my site
3) created a new "CoddingForums.js" page and renamed "CoddingForums"
4) in renamed "CoddingForums" page, paste all info from the text in the "CoddingForums.js" into the new, renamed page
5) thank borgtex for the awesome script

also, you've got to make sure the file name is "{Name}{Password}.js" no {}'s, no spaces, first letter of name and password is capitalized (or so i think. but i'm afraid to test). it works fine for me, doing the method above.

THANKS BORGTEX!!

I'm probably (no prabably about it!) really dumb, but I couldn't figure out how to get this thing working. Can anyone explain it better with examples?

I tried to put in

Username: john
password: smith

I modified the password field to hide the characters, which worked :-)

And I want it to point to a page called /johnsmith.html but when I do it it just comes back with "/auth.htm?johnsmith"

Imagine you are explaining this to a 5 year old lol...



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum