websrfr
05-04-2004, 12:46 AM
I don't have full access to the server that hosts my pages and thus the normal password protection mechanisms are not available to me (.htaccess & .htpasswd ). I also didn't need anything as sophisticated as multiple users or user/pass combinations.
I've looked through LOTS of postings on many sites and to me, most of them had one main drawback - the page _had_ to be named the same as the password (i.e. if the password was toyota, the "unlocked" page had to be named toyota.htm.
I've cobbled together an alternative - mostly by borrowing existing code and modifying it slightly.
I started with one of the best encryption mechanisms I'd seen http://javascriptkit.com/epassword/index.htm. Enter a password and click the "Generate pasword protect code" button at the bottom to see the code.
The 'magic' I added/changed is in the submitentry function.
The original code partially reads:
function submitentry(){
t3=''
verification=document.password1.password2.value
phase1=Math.ceil(Math.random())-6+(2<<2)
...
I wanted the user to be prompted to enter a password, rather than enter into a text field on a form (personal preference, it's not critical to how the script works) so I changed that section of code to be:
function submitentry(){
t3=''
var verification = prompt("What is the password?","")
// check to see if the user just clicked cancel
if ((verification == "")||(verification == null)) {
alert("You must enter a password to access the page")
return false
}
phase1=Math.ceil(Math.random())-6+(2<<2)
...
The rest of the 'magic' is at the bottom of the script and originally was:
...
if (indicate)
window.location=verification+extension
else
alert("Invalid password. Please try again")
}
and now is:
...
if (indicate)
return true
else
{
alert("Invalid password. Please try again")
return false
}
}
The reason I can just return is because I changed how the user access the password protected page:
<a href="filename.html" onClick="return submitentry();">Link Text</a>
If the user enters the wrong password or attempts to cancel the prompt box, it won't go to "filename.html", it'll just sit there.
For those of you saying "Ah, HA", I can just bypass this page and go directly to "filename.html". Not so fast, there's one more trick. In "filename.html" I added a check to see if the browser had just come from my password entry page and if not, redirect them back. This was done via:
<script>
if (document.referrer != "my_password_page.html") {
window.location.href="my_password_page.html"
}
</script>
This is also why I changed this to be initiated from a link (href) vs a form submit. Using window.location="filename.html" doesn't populate document.referrer and thus this check would fail.
As with most javascript-based password protection schemes, this one fails if the user turns off javascript.
Standard disclaimers apply, this worked for me on IE 6.0 on Windows, hopefully other platforms and browsers aren't problematic. Enjoy!
I've looked through LOTS of postings on many sites and to me, most of them had one main drawback - the page _had_ to be named the same as the password (i.e. if the password was toyota, the "unlocked" page had to be named toyota.htm.
I've cobbled together an alternative - mostly by borrowing existing code and modifying it slightly.
I started with one of the best encryption mechanisms I'd seen http://javascriptkit.com/epassword/index.htm. Enter a password and click the "Generate pasword protect code" button at the bottom to see the code.
The 'magic' I added/changed is in the submitentry function.
The original code partially reads:
function submitentry(){
t3=''
verification=document.password1.password2.value
phase1=Math.ceil(Math.random())-6+(2<<2)
...
I wanted the user to be prompted to enter a password, rather than enter into a text field on a form (personal preference, it's not critical to how the script works) so I changed that section of code to be:
function submitentry(){
t3=''
var verification = prompt("What is the password?","")
// check to see if the user just clicked cancel
if ((verification == "")||(verification == null)) {
alert("You must enter a password to access the page")
return false
}
phase1=Math.ceil(Math.random())-6+(2<<2)
...
The rest of the 'magic' is at the bottom of the script and originally was:
...
if (indicate)
window.location=verification+extension
else
alert("Invalid password. Please try again")
}
and now is:
...
if (indicate)
return true
else
{
alert("Invalid password. Please try again")
return false
}
}
The reason I can just return is because I changed how the user access the password protected page:
<a href="filename.html" onClick="return submitentry();">Link Text</a>
If the user enters the wrong password or attempts to cancel the prompt box, it won't go to "filename.html", it'll just sit there.
For those of you saying "Ah, HA", I can just bypass this page and go directly to "filename.html". Not so fast, there's one more trick. In "filename.html" I added a check to see if the browser had just come from my password entry page and if not, redirect them back. This was done via:
<script>
if (document.referrer != "my_password_page.html") {
window.location.href="my_password_page.html"
}
</script>
This is also why I changed this to be initiated from a link (href) vs a form submit. Using window.location="filename.html" doesn't populate document.referrer and thus this check would fail.
As with most javascript-based password protection schemes, this one fails if the user turns off javascript.
Standard disclaimers apply, this worked for me on IE 6.0 on Windows, hopefully other platforms and browsers aren't problematic. Enjoy!