  1. #1
    New to the CF scene
    Join Date
    Mar 2013
    Location
    UK
    Posts
    5
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Password protect my website

    Hello,
    Being a complete novice to both javascript and building a website I have used a freebie program called Webdwarf by Virtual Mechanics to produce a simple website.

    Rather than utilise Youtube, the aim of this website is to enable family and friends to go onto the website and select and play videos / photos.

    So I have now built the website and loaded it up to my ISP using Filezilla FTP client and it works ok.

    When in Filezilla the directory structure looks as follows:

    Top folder = /htdocs
    Within this folder exist more sub folders = _zisp, contact, geometry, image and media.

    My aim now is to ensure the website is private by adding a password to access the website. Searching the web via google I found the following article, which described a method / code that appealed to me.
    Here’s the link = http://tashian.com/htmlguide/password.html

    I tried out the lazysnake link test from this article and then created via notepad my own xxxxx.html, pasted the code from the article into the xxxxx.html file.
    Then changed
    location.href = 'http://www.changethis.com/~you/' + escape(pwd) + '.html';
    to
    location.href = 'http://www.travelbuddies.webspace.virginmedia.com/' + escape(pwd) + '.html'

    Note: I did not include “~you/” part in the change to my website link, as I thought this referred to a folder on the www.changethis.com website .

    I then saved the xxxxx.html file in a folder on my “c” drive.
    I then tried to test the xxxxx.html by opening it using Windows Explorer as follows:
    I right-clicked to open the file. The screen page with “you must have a password to enter this site!” together with the Enter Site button appeared.
    I then clicked on the Enter Site button and the script prompt box appeared in the top left of the screen.
    I keyed the password i.e. xxxxx and clicked on OK.
    The screen refreshed with PWP - 404 Error This Page Cannot Be Found.

    I tried adding the “~you/” and got the same result.

    I then did an FTP load of the xxxxx.html to the /htdocs folder on my website and immediately opened my website. No new screen appeared (i.e. “you must have a password” etc.).

    So I think I’ve got the coding correct for the xxxxx.html file but I’ve obviously not understood this process re linking the file to the existing website.

    Would appreciate any advice, preferably a step by step guide on how to achieve password protection.

    Hope this makes sense and look forward to any advice you have to offer.
    Thank you.

  • #2
    Senior Coder jmrker's Avatar
    Join Date
    Aug 2006
    Location
    FL
    Posts
    3,087
    Thanks
    38
    Thanked 498 Times in 492 Posts
    Javascript is a very poor choice for password protection.

    Anyone doing a left-click on the program will get a "view source" choice
    which allows anyone who can read to have access to your password(s) to the site.
    You can hide it, but most can find it. Password protection in JS is for minimal security.

    Best password protection is achieved on your server.
    Check with your ISP for their recommendations to this problem.

  • #3
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,037
    Thanks
    203
    Thanked 2,539 Times in 2,517 Posts
    This suggested method is in fact perfectly adequate for allowing only those who know the password to enter the site. That is, trusted family and trusted friends. It is fine unless money or money's worth is involved. No-one will spend a huge amount of effort to crack the password just to see some family photos. It relies on assigning a name to the redirect file which is the same as the password.

    You have probably not done this correctly. Let us assume that the password is "lazysnake".


    Code:
    Enter the password <input type = "password" id = "pwd" onblur = "go()">
    
    <script type = "text/javascript">
    
    function go() {
    var password = document.getElementById("pwd").value;  // the correct password is "lazysnake"
    password = password.toLowerCase();
    window.location.href = password + ".html"; // redirect is to lazysnake.html if that url exists
    }
    
    </script>
    So you must assign the name lazysnake.html to the file to which the user is redirected. That page will in turn allow users to redirect to the specific page(s) of the site which they require. Examples might be grandmasparty.html and ourholidayinfrance.html.

    If you want the full url then

    Code:
    window.location.href = 'http://www.travelbuddies.webspace.virginmedia.com/' + password + '.html';
    This is pretty impregnable unless the password is something obvious. lazysnake729 will probably suffice. And of course the names of other files on your site must not be obvious or guessable either. But the weakness is that all users share the same password, so you cannot de-authorise one of them, and there is nothing to prevent one user from revealing the password to someone who you do not wish to authorise.

    Also, if an incorrect password is entered the user will receive no warning but rather a 404 error and must start over (go back).
    Note that Javascript prompts are obsolete.

    A more sophisticated Javascript password protection system (which is pretty secure) may be found at Secure Login with javascript.
    This allows each user to have a separate login/password and means that a particular user may be de-authorised. But you may never know that someone has revealed his password.

    Be aware that all these client-side password protection scripts are not very secure in a network or a public environment, where more than one person can access the same computer. A lot depends on how badly you want to prevent unauthorised persons viewing your photos. If your uncle accesses the site using his office computer at work, other users of that computer can find out the magic url.


    "I am not a vegetarian because I love animals; I am a vegetarian because I hate plants." - A. Whitney Brown.


    Edit: It has been pointed out to me that my comment "No-one will spend a huge amount of effort to crack the password just to see some family photos" may be a little innocent. Out there there are paedophiles who actively seek out photos of young children, and may even circulate them among themselves. Of course, if one paedophile cracks the password, then he will soon pass it on to his friends through murky websites. So perhaps stronger protection (i.e. server-side authentication) is in fact required.
    You must emphasise to your family members the significant dangers of revealing the password(s). Too easily done! "Hey Tom, you can look at our great holiday photos. Just log-in at mysite.com with the password xyz".

    Last edited by Philip M; 03-18-2013 at 06:39 PM. Reason: Noticed typos

    All the code given in this post has been tested and is intended to address the question asked.
    Unless stated otherwise it is not just a demonstration.


  • #4
    New to the CF scene
    Join Date
    Mar 2013
    Location
    UK
    Posts
    5
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Many thanks jmrker. Unfortunately my ISP does not provide password protection.

  • #5
    New to the CF scene
    Join Date
    Mar 2013
    Location
    UK
    Posts
    5
    Thanks
    1
    Thanked 0 Times in 0 Posts
    My thanks to PhilipM and appreciate your comments and advice. Will pursue and post an update in due course.

  • #6
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,642
    Thanks
    0
    Thanked 649 Times in 639 Posts
    Unless you are using "free" hosting you should have several options available for implementing password protection.

    On apache web servers it only requires a couple of lines of code in the .htaccess and .htpassword files to password protect the entire site - if the control panel for the hosting doesn't provide an option to generate the lines of code automatically then they can be added manually.

    Another alternative is to use a CMS that has the password protection already built to build the site. There are quite a few free scripts available that handle photo galleries and can provide password protection.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #7
    New to the CF scene
    Join Date
    Mar 2013
    Location
    UK
    Posts
    5
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Thank you felgall for your advice.
    Dear all, being a complete novice to all things associated with building this simple website I'm trying to start simple. So I've been tinkering (changed "location.href" to window.location.href) with the code I first found on the website: http://tashian.com/htmlguide/password.html
    I've tested this and the only flaw in the function of the code (I have found) is that if the user keys an incorrect password, then the example file "lazysnake.html" is not found and therefore a default Error 404 page is returned to the user screen. I would therefore like to have another file say "incorrect.html" executed, which would provide a screen with my text i.e. containing a more meaningful and friendly instruction to family and friends. Back 30 years ago in COBOL programming I would have inserted an If statement i.e. if lazysnake.html file found then window.location.href = the code etc
    Else window.location.href = incorrect.html
    Thank you again and would welcome advice on if this is possible or specific code to change the following:

    <HTML>
    <SCRIPT language="JavaScript"><!--
    function check() {
    // Prompt user for the password ...
    pwd = prompt('Enter password before continuing','');
    // ... then set the browser location. (change the line below this one!)
    window.location.href = 'http://www.xxxmysitexxx.webspace.virginmedia.com/passwordok/' + escape(pwd) + '.html';
    }
    // -->
    </SCRIPT>

    <HEAD>
    <TITLE>Site Entrance</TITLE>
    </HEAD>
    <BODY>
    <DIV align="center"><P>
    <FORM>
    <INPUT type="Button" onClick="check()" value="Enter Site">
    </FORM>
    </DIV>
    </BODY>
    </HTML>

  • #8
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,037
    Thanks
    203
    Thanked 2,539 Times in 2,517 Posts
    That is not possible client-side, as I explained previously. The password = url must not be visible, so it cannot appear in the Javascript or be compared with what the user entered. That is a weakness of client-side password scripts. It is not possible to customize your 404 error page if your web host has not enabled this facility for your website - as is the case with most free hosting services. However, commercial web hosts do usually provide this facility.

    Prompts are obsolete - use DOM methods (i.e. input boxes) to get input from the user.

    <script language=javascript> is long deprecated and obsolete. Use <script type = "text/javascript"> instead (in fact also deprecated but still necessary for IE<9).
    The <!-- and //--> comment (hiding) tags have not been necessary since IE3 (i.e. since September 1997). If you see these in some published script it is a warning that you are looking at ancient and perhaps unreliable code.

    I gave you a perfectly useable script in post #3. Why have you disregarded it?

    I do hope that you have taken on board the other comments I made. But I have the sad feeling that they are like water off a duck's back.
    Last edited by Philip M; 03-22-2013 at 04:27 PM.


  • #9
    New to the CF scene
    Join Date
    Mar 2013
    Location
    UK
    Posts
    5
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Thank you Philip M, I didn't mean to ignore your usable script in post #3, it's just that (spare my slow take-up) I've been trying more off than on to understand the original code, getting it to work and adding the learning curve stuff to my knowledge. I now intend to embark upon a tidy up of test versions and folders, followed by a further learning curve applying your feedback. Apologies if you felt your support has been running off a duck's back ..... far from it, it is most welcomed.

  • #10
    Regular Coder
    Join Date
    Jan 2013
    Location
    Germany
    Posts
    578
    Thanks
    4
    Thanked 77 Times in 77 Posts
    @ Philip

    Maybe this is an idea to customize the error page: Instead of just forwarding to the site the user entered as a password, make an Ajax request to it -- if it fails, display an error message; if it's successful, forward to that page.
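
The Ajax check suggested in the post above, as an added example that is not part of the original thread: it probes the password-named page with a HEAD request and falls back to a friendly page instead of the host's 404. The base URL, the `incorrect.html` name, the use of `fetch`, and the restriction of passwords to letters, digits, `_` and `-` are assumptions made for this sketch.

```javascript
// Added example, not code from the thread. BASE_URL is a placeholder and
// incorrect.html is an assumed friendly error page in the same folder.
const BASE_URL = 'http://www.example.com/passwordok/';

// Turn what the user typed into the candidate page URL, or null when the
// input is not a plain token (keeps the request inside BASE_URL's folder).
function candidateUrl(password, base = BASE_URL) {
  const token = String(password ?? '').trim().toLowerCase();
  if (!/^[a-z0-9_-]{1,64}$/.test(token)) return null;
  return new URL(token + '.html', base).href;
}

// Probe the candidate page and resolve to the URL the browser should open.
// fetchFn is injectable so the decision logic can be exercised offline.
async function resolveDestination(password, fetchFn = globalThis.fetch, base = BASE_URL) {
  const fallback = new URL('incorrect.html', base).href;
  const url = candidateUrl(password, base);
  if (url === null) return fallback;
  try {
    // HEAD asks only for the status line and headers, not the page body.
    const res = await fetchFn(url, { method: 'HEAD', cache: 'no-store' });
    return res.ok ? url : fallback; // 404 and other errors give ok === false
  } catch (err) {
    return fallback; // network failure: treat it like a wrong password
  }
}

// Browser wiring: call go() from a button next to <input type="password" id="pwd">.
async function go() {
  const pwd = document.getElementById('pwd').value;
  window.location.href = await resolveDestination(pwd);
}
```

The probe only changes what a wrong entry looks like; the page name is still the only secret, so the caveats raised earlier in the thread about shared computers apply unchanged.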

  • #11
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,037
    Thanks
    203
    Thanked 2,539 Times in 2,517 Posts
    Quote Originally Posted by Airblader View Post
    @ Philip

    Maybe this is an idea to customize the error page: Instead of just forwarding to the site the user entered as a password, make an Ajax request to it -- if it fails, display an error message; if it's successful, forward to that page.
    That sounds like a very good idea. I have tried it and it works!

    It occurs to me that the point about paedophiles breaking into the site to view images of children really means that one should never place any picture of a child, however innocent, on any website (unprotected or not) in case a paedophile drools over it. That seems to me to be going too far.
    Last edited by Philip M; 03-23-2013 at 09:14 AM. Reason: typo


  • #12
    Regular Coder
    Join Date
    Jan 2013
    Location
    Germany
    Posts
    578
    Thanks
    4
    Thanked 77 Times in 77 Posts
    Yes, and I do know a lot of people who think somewhat like that. I guess it's up to each person individually, but it's the same with terrorism and other things: Where do we draw the line and when do we let those people take control over our lives? Tough question. Personally, I just see it as the duty of someone providing such a service to do their best to protect the data.

    I'd personally never consider leaving the internet to all those people. They'll find their ways anyway, all we can do is be as careful as possible. If you want to get an impression of what's "out there", just google "onion deep web" a bit and read around. I wouldn't recommend actually going there, I never did either. Visiting /b/ every once in a while is more than enough, and apparently it's nothing compared to onion.
    Last edited by Airblader; 03-23-2013 at 09:17 AM.

  • #13
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,037
    Thanks
    203
    Thanked 2,539 Times in 2,517 Posts
    Quote Originally Posted by Airblader View Post
    Yes, and I do know a lot of people who think somewhat like that. I guess it's up to each person individually, but it's the same with terrorism and other things: Where do we draw the line and when do we let those people take control over our lives? Tough question. Personally, I just see it as the duty of someone providing such a service to do their best to protect the data.
    Hmmm. It is like many other things. It is sensible to lock your house against burglars, and provide a burglar alarm. It is not sensible or practical to make your house as impregnable as Fort Knox. The conclusion is that criminals will always win if their motivation is strong enough and they expect the 'reward' to outweigh the risks (which are pretty low on-line). The trick is to make it harder for them so that they will move on to an easier target. On that we probably are in agreement.

    I am afraid that I know nothing about the "deep web". I just don't want to know about that sort of thing. I must be incredibly boring. I'll get on with my model making - a totally harmless hobby.
    Last edited by Philip M; 03-23-2013 at 09:26 AM.


