For me I think that the weakness of this script is being able to see what files are on the server. You see one called CodingForums.js. You open it, and you have the URL of the protected web page. You have just circumnavigated this security system. Indeed, you can even see the URL of the protected web page, page.html, on the server. Type this into your browser and there you have the protected web content.
So this brings me to my question: how can you prevent someone from seeing all the filenames on your server (such that they can then type them into their browser and look at them)? Is this possible?
To repeat for clarity:
Even this really good script is vulnerable to persons looking at your filenames on the server.
Is there any way that I can prevent persons from discovering the names of all the files on my server? Best,
Another way you can do it is with .htaccess, if you have that option, which many hosts support at least in a limited way. You can have a .htaccess file that has IndexIgnore * in it, which should prevent indexing. A good resource for this: http://www.javascriptkit.com/howto/htaccess11.shtml
1. When auth.htm has to check whether Login+Password.js exists, the browser has to request the URL http://server/path/Login+Password.js from the web server.
This request is transmitted in plaintext, so any sniffer could read it. And even worse, the web server logs this request in plaintext in its log. So HTTP BASIC AUTH is better, because the password is not logged.
2. How do you differentiate user "Neo", password "Matrix" from user "NeoM", password "atrix"?
The only "secure" way (besides SSL) is to hash the password with md5 or sha1 and to verify the hashed password on the server side. And don't forget to include a salt, to make brute-force attacks more difficult.
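The two points above, as an added example that is not code from the thread or the script under discussion: a plainly concatenated "user+password" key collides for the Neo/Matrix vs NeoM/atrix case, a length-prefixed key does not, and the salted, server-side verification is shown here with PBKDF2 and a constant-time compare rather than a single md5/sha1 round (a swapped-in, stronger instance of the same idea). The store dictionary and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

def naive_key(username: str, password: str) -> str:
    """Plain concatenation, as a 'Login+Password.js' file name is built.
    Ambiguous: different (user, password) pairs can yield the same key."""
    return username + password

def unambiguous_key(username: str, password: str) -> str:
    """Length-prefix each field so no two credential pairs collide."""
    return f"{len(username)}:{username}|{len(password)}:{password}"

# Server-side store: username -> (salt, derived hash). Never sent to the browser.
CredentialStore = Dict[str, Tuple[bytes, bytes]]

def _derive(password: str, salt: bytes) -> bytes:
    # 100k iterations of PBKDF2-HMAC-SHA256 (constructed parameter choice)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(store: CredentialStore, username: str, password: str) -> None:
    """Store only a random per-user salt and the derived hash, never the password."""
    salt = os.urandom(16)
    store[username] = (salt, _derive(password, salt))

def verify(store: CredentialStore, username: str, password: str) -> bool:
    """Server-side check; the client never learns the stored hash or salt."""
    entry = store.get(username)
    if entry is None:
        # Do the same work for unknown users so timing does not reveal
        # which usernames exist.
        _derive(password, b"\x00" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(password, salt), expected)
```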
This is one hell of a script. Very good stuff with some incredible diversity and functionality. I might have to use this one... though I don't have anything on my website that would require someone to need a user name and password... hahahaha. Oh well... maybe in the future. Very cool stuff though, amigo.
Just like to say superb and simple script, am finding it very useful already. I have a question though, and I'm afraid my JS is so bad I can't even figure this out by myself lol.
I want to reduce clutter in my directories and want to put all the .js files in a subdirectory called ID. Which file would I need to amend to do this, and what change would I need to make?
Hey, I just threw together a simple but really secure javascript.
It writes the usernames in a list (select tag). The usernames and passwords are stored in an Array in a javascript file with a complex file name, and some of the source code is heavily encrypted.
Man, "secure" and "javascript" are two opposite words. JavaScript was not designed as a security language, thus it will never ever be suitable for a secure password login. As with any other client-side language, the code is loaded into the user's cache, from where the user can see the code and, sooner or later, will find the algorithm to decrypt it. Man, it's so simple to understand that, yet so many people try and try again and again to square the circle, on and on...
One thing I want to know about this.
How can I make it so anyone accessing the site doesn't know about what other pages there are? Because I obviously know the URL it redirects to, but how can I make it so that to view the page they need to log in?
That might not have been clear.
Say I have a downloads page, it has a login thing; now when I log in it redirects to a page with a list of files to download. How can I make it so when I log in it has something like www.MYWEBSITE/download=<username> etc. etc.?
I guess you know what I mean by now, hiding the page. I'm thinking maybe this isn't possible using HTML/JS; does someone know any way to do it with PHP etc.? I'm willing to try and learn, as long as someone gives me a go.
In auth.htm it searches *.js basically, but having changed the .js to .dfsdfd it still works. If you have something like .gif it also works. Maybe this could add a little bit of security.
Ideas/Does the script...
?? - Create time-out cookies?
Idea - The search is conducted in a *.php file which has an include which brings in the *.password files. One more step away from detection and an extra language to go through.
Idea - Log each access attempt, username only, as I don't want to leave passwords about!
Idea - Change password after x amount of days?
Idea - Make a valid-looking list/website so hackers think they are in when they are not.