  1. #1
    New Coder
    Join Date
    Oct 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Circumnavigating javascript password system

    I wish to know whether there is any way for a website visitor to find the .html filename of all webpages on that website, even those that they cannot get to because they are behind a login page that they do not have the password for.
    The relevance of this question to my current work is that I am trying to implement a javascript password system:
    ----------------------------------------
    PASSWORD SCRIPT
    ------------------
    If a visitor wants to go to the password protected page, they must first enter the correct password on the previous page. (Note: The password is the protected filename without the .html ending.)
    This method is secure as long as the person cannot find out the name of all the files on your server. Is it possible to stop them knowing the names of all the files on my server?
    ---------------------------------------
    <BODY>

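    <SCRIPT LANGUAGE="JavaScript">
    // Ask for the password; prompt() returns null if the visitor cancels.
    var password = prompt('Please enter your password:', '');
    if (password != null) {
        // The password is the protected page's filename without ".html".
        location.href = password + ".html";
    }
    </SCRIPT>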

    </BODY>

    So my question is:

    Is it possible for a website viewer to see all the filenames on my server? Perhaps to bring up some kind of index to see all the filenames on my server?

    If so they would be able to crack this password system. Tragedy!

    By the way - I know that server side is the way to go for security - but just humour me. I am trying to do it with javascript.

    Would really appreciate some advice. Thanks guys.
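
Under the scheme in this post, every wrong password is a request for a page that does not exist, so guessing appears in the web server's access log as a run of 404s for .html paths from one client. An added example (not part of the original thread) that flags such clients; the log lines, addresses and page names are constructed, and the combined log format is an assumption about the server.

```javascript
// Constructed sample access log (Apache combined format, documentation IPs).
const LOG = `
198.51.100.4 - - [12/Oct/2004:09:58:10 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [12/Oct/2004:09:58:31 +0000] "GET /typo.html HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Oct/2004:10:01:02 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Oct/2004:10:01:05 +0000] "GET /admin.html HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Oct/2004:10:01:06 +0000] "GET /members.html HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Oct/2004:10:01:07 +0000] "GET /password.html HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Oct/2004:10:01:08 +0000] "GET /private.html HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Oct/2004:10:01:09 +0000] "GET /x7q-members.html HTTP/1.1" 200 1830 "-" "Mozilla/4.0"
`.trim().split("\n");

// client IP, request path, status code
const LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) /;

// Flag clients with at least `threshold` distinct missing .html pages, and
// record any page they reached with a 200 after crossing that threshold.
function findGuessers(lines, threshold = 3) {
  const byClient = new Map();
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) continue;                          // skip unparseable lines
    const [, ip, rawPath, status] = m;
    const path = rawPath.split("?")[0];
    if (!path.toLowerCase().endsWith(".html")) continue;
    const c = byClient.get(ip) || { misses: new Set(), hits: [] };
    if (status === "404") c.misses.add(path);
    else if (status === "200" && c.misses.size >= threshold) c.hits.push(path);
    byClient.set(ip, c);
  }
  return [...byClient]
    .filter(([, c]) => c.misses.size >= threshold)
    .map(([ip, c]) => ({ ip, misses: c.misses.size, hitsAfterGuessing: c.hits }));
}

console.log(findGuessers(LOG));
```

A non-empty `hitsAfterGuessing` list means the filename should be treated as disclosed and changed.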

  • #2
    New Coder
    Join Date
    Oct 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    password issues

    From the research I have done on the web - a fair proportion of people that use javascript for password protection of pages think that the following is the best (worth a look - is quite interesting):

    Secure Login with javascript

    I realise that the script that I posted in my last post was a bit simplistic. But even this really good script (follow the link) is vulnerable to persons looking at your files on the server.

    So, to re-ask my Q:

    Is there any way that I can prevent persons from discovering the names of all the files on my server? Best,

  • #3
    Regular Coder
    Join Date
    Jul 2002
    Location
    Kansas, USA
    Posts
    477
    Thanks
    0
    Thanked 51 Times in 50 Posts
    Depending on how the webserver is set up, Borgtex's system is safe enough for non-commercial projects, as long as the directory containing the LoginPassword.js files is "protected" by an index.html page. If you have access to the server you could turn indexes off; this would also protect the .js files.

  • #4
    New Coder
    Join Date
    Oct 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    RE:your javascript password script

    "As long as the directory containing the LoginPassword.js files is "protected" by an index.html page."

    What do you mean by "protected"? Some people have said to me that creating an index.html page is enough to protect a directory - doesn't matter what is on it. Just its pure existence is a defence as it stops people creating their own index.html to see the files in the directory. Is this true? Am I on the right track?

  • #5
    Senior Coder
    Join Date
    Jun 2002
    Location
    UK
    Posts
    1,137
    Thanks
    0
    Thanked 0 Times in 0 Posts
    like a .htaccess refer check would protect it, so if it wasn't your website accessing it, it would prompt for a password.

    I have a program that can download your entire site, all the files and folders that are accessible, so could probably bypass it if required.

    scroots
    Spammers, next time you spam me consider the implications:
    (1) that you will be persuaded by me (in a legitimate manner)
    (2) It is worthless to you, when I have finished

  • #6
    Regular Coder
    Join Date
    Jul 2002
    Location
    Kansas, USA
    Posts
    477
    Thanks
    0
    Thanked 51 Times in 50 Posts
    What I meant by "protected" is exactly that. It essentially hides your files from casual browsing, but you need server-side to really protect anything.

  • #7
    fci
    Senior Coder
    Join Date
    Aug 2004
    Location
    Twin Cities
    Posts
    1,345
    Thanks
    0
    Thanked 0 Times in 0 Posts
    well.. one way to see if something got indexed on your site is to google it, ie,
    http://www.google.com/search?num=100...om&btnG=Search
    The search term was:
    site:http://www.codingforums.com
    I believe you can tell spiders not to index your site (in robots.txt) but it's not something I've ever been concerned about.

    I recommend something serverside if you want to really protect your stuff.
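
The replies above name three places the protected filename can escape: directory indexes, search engine indexing, and robots.txt. An added example (not code from the thread) that audits a site's own public files for them; the SITE map, the SECRET name and the function name are constructed for illustration. robots.txt is itself publicly readable, so a Disallow line for the page publishes its name.

```javascript
// Constructed sample site: URL path -> file content.
// SECRET is the protected page's filename (the "password" plus ".html").
const SECRET = "x7q-members.html";
const SITE = {
  "/robots.txt": "User-agent: *\nDisallow: /x7q-members.html\n",
  "/index.html": '<a href="login.html">Log in</a>',
  "/news/2004.html": '<a href="../x7q-members.html">members</a>',
  "/js/LoginPassword.js": "// login helper",
  "/x7q-members.html": "<h1>Members</h1>",
};

// Report every place where the secret filename is readable without
// knowing it, plus directories a server would list if indexes are on.
function auditFilenameSecret(site, secret) {
  const findings = [];
  const dirs = new Set();
  for (const [path, body] of Object.entries(site)) {
    dirs.add(path.slice(0, path.lastIndexOf("/") + 1));
    if (path.endsWith("/" + secret)) continue;   // the protected page itself
    if (body.includes(secret)) {
      const kind = path === "/robots.txt"
        ? "robots.txt names the page"
        : "public file references the page";
      findings.push(`${kind}: ${path}`);
    }
  }
  for (const dir of dirs) {
    // Without an index.html, a server with indexes enabled lists the files.
    if (!((dir + "index.html") in site)) {
      findings.push(`no index.html, listing possible if indexes are on: ${dir}`);
    }
  }
  return findings.sort();
}

console.log(auditFilenameSecret(SITE, SECRET).join("\n"));
```

A clean report only covers these channels; the name still travels in browser history, Referer headers and server logs, which is why the replies recommend server-side protection.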

