Secure Login with javascript - Page 2

relyt · 01-23-2003, 07:02 PM

i tried that. it just tells me "unable to find server" when i do it.

CrUdE · 01-28-2003, 01:02 PM

is it possible u gave the incorrect or incomplete url he has to get by submitting the login info?

whammy · 01-29-2003, 01:09 AM

BTW, I meant to comment on this before, but this is a pretty ingenious solution to client-side password protection.

tempest1 · 01-31-2003, 07:08 PM

Simple, clear your cache before you try to break your site. And then after you "cant" get through you browse your temp internet folders. Nothing in javascript is secure, nothing.

whammy · 02-01-2003, 08:16 PM

Apparently, tempest1, you didn't see how the scripts works... if the correct username and password isn't typed in, there's no javascript library to include - therefore, there is nothing in your cache to reveal a username and/or password.

You can look at the html all you want.

About as simple and secure as you can get with client-side scripting.

tempest1 · 02-02-2003, 04:54 AM

if its client side its cached.

Borgtex · 02-02-2003, 11:13 AM

Person A wants to access page X and knows the password: the .js is called and cached in his computer, ok

Person B wants to access the same page X but it doesn't knows the password: The .js is never requested and consequently not cached in his computer

if person B looks at person A computer, he can discover the password or at least page X name

so the limitation of the script is that it's not very secure (like all client-side solutions) in a network or a public environment, where more than a person can access the same computer.

But as a individual user, it doesn't seems very probable that person A allows person B to use his computer to steal the code

whammy · 02-02-2003, 05:00 PM

Borgtex, I have modified the script to make it XHTML 1.1 compliant, and instead of using the "BadPassword.htm" page, if not authorized, the user is sent back to the login page with an "Authorization Failed!" message.

With your permission (and credits intact, of course - actually I wouldn't mind if you supplied some better credits!), I would like to post the script on my site, as well.

Here it is.

Borgtex · 02-02-2003, 05:20 PM

Quote:

Originally posted by whammy
Borgtex, I have modified the script to make it XHTML 1.1 compliant, and instead of using the "BadPassword.htm" page, if not authorized, the user is sent back to the login page with an "Authorization Failed!" message.

With your permission (and credits intact, of course - actually I wouldn't mind if you supplied some better credits!), I would like to post the script on my site, as well.

Here it is.

Nice! and of course you can post it in your site.

I'll PM you the credits

whammy · 02-02-2003, 05:24 PM

whammy · 02-08-2003, 11:26 AM

Borgtex, you have the honor of being the first person besides me to have a script posted on my website!

http://www.solidscripts.com/displayscript.asp?sid=15

ca_redwards · 02-08-2003, 05:28 PM

On my resume page, I have had the same password scheme in use for four years.

Basically, whatever the user types in is taken as the pathless/extensionless filename of an image. If the user-named image loads successfully, then the browser is forwarded to a web page of the same name.

Code:

<script language=javascript>
function imgError() 
{ alert('Sorry, that is not correct.'); 
  document.enter.password.value='';
}
function imgLoad() { window.location=this.password+'.html'; }
function tryit() 
{ var I = new Image(1,1) 
I.onerror=imgError;
I.onload= imgLoad;
I.password=document.enter.password.value;
I.src='images/'+I.password+'.gif';
}
</script>
<form name=enter><input type=password name=password><input type=submit value=login></form>

Basically, if you don't know the password, this script doesn't know what page to display!

kwhubby · 02-10-2003, 01:18 AM

one problem with this script, is that if someone uses this on a computer, anybody can than go onto that computer and look at the history and go to the personal page, wich, if the password was what that person always uses, would let the unwanted know there password. and you could also look at index.dat if the history was simply deleated.

whammy · 02-11-2003, 03:19 AM

Well, it's a client-side script. Of course that's a drawback. If you're trying to say it's better to use server-side scripting for logins, of course you're right.

But like I said, this is the best client-side script I've seen. ca_redwards' script uses the same idea, but it's not as easily modified by newbies, and it also uses the image name as the "redirect" file name, instead of allowing you to modify the URL as Borgtex's script does (which also allows for multiple users very easily)... so Borgtex's script wins handily by it's simplicity and "security" (what there can be in client-side scripting), in my opinion.

hallj999 · 03-03-2003, 05:56 PM

when i enter my username and pass word and click login, the page next page when loading displays http://myweb.tiscali.co.uk/streetracer/chkpwd undefined password. then it wont load the page and a cannot find server error comes up
whats that about and how do i fix it, joe