For me I think that the weakness of this script is being able to see what files are on the server. You see one called CodingForums.js. You open it, and you have the URL of the protected web page. You have just circumnavigated this security system. Indeed, you can even see the URL of the protected web page, page.html, on the server. Type this into your browser and there you have the protected web content.
So this brings me to my Q: how can you prevent someone from seeing all the filenames on your server (such that they can then type them into their browser and look at them)? Is this possible?
To repeat for clarity:
Even this really good script is vulnerable to persons looking at your filenames on the server.
Is there any way that I can prevent persons from discovering the names of all the files on my server? Best,
1. When the auth.htm has to check if the Login+Password.js exists, the browser has to request the URL http://server/path/Login+Password.js from the web server.
This request is transmitted in plaintext, so every sniffer could read it. And even worse, the web server logs this request in plaintext in its log. So HTTP BASIC AUTH is better, because the password is not logged.
2. How do you differentiate user "Neo", password "Matrix" from user "NeoM", password "atrix"?
The only "secure" way (besides SSL) is to hash the password with md5 or sha1 and to verify the hashed password on the server side. And don't forget to include a salt, to make brute force attacks more difficult.
This is one hell of a script. Very good stuff with some incredible diversity and functionality. I might have to use this one... though I don't have anything on my website that would require someone to need a user name and password... hahahaha. Oh well... maybe in the future. Very cool stuff though, amigo.
One thing I want to know about this.
How can I make it so anyone accessing the site doesn't know about what other pages there are? Because I obviously know the URL it redirects to, but how can I make it so that to view the page they need to login?
That might not have been clear.
Say I have a downloads page, and it has a login thing. Now when I log in it redirects to a page with a list of files to download. How can I make it so when I log in it has something like www.MYWEBSITE/download=<username> etc. etc.?
I guess you know what I mean by now, hiding the page. I'm thinking maybe this isn't possible using HTML/JS; does someone know any way to do it with PHP etc.? I'm willing to try and learn, as long as someone gives me a go.