Simple javascript cookie

Burpee · 07-31-2012, 02:09 PM

Hello! I not too familiar with JavaScript, so please bear with me.

I'm trying to secure a webpage to make it accessible by specific computers only. Though I'm sure there are many (and probably better) ways to to this, I wanted to do it using cookies. My idea was to write an if...else statement, in which you will be redirected to another page (let's say "blocked.html") if you do not have the required cookie. The information that is stored in the cookie is completely irrelevant; what matters is that the computer/browser has it.

For setting the cookie, I didn't have anything specific in mind. My idea was to just make another page with two buttons: one to set the cookie and one to erase it. I would take this page down after I set the cookie on the machines I wanted to specify.

As I said, I know there are probably better ways to do this using different languages and such, but I would appreciate if someone could help me work this out with cookies in JavaScript. I sincerely appreciate any replies; feel free to ask me for any additional information if you have questions.

Thanks in advance!

Philip M · 07-31-2012, 03:55 PM

Cookies have been covered very many times in this forum - try using the search feature for examples.

This is not a good way to restrict access to certain users only. As you say, there are other and better methods. Users may disable Javascript in their browsers and thus by-pass your "security".

Do you wish to restrict access to certain users or certain machines?

Quizmaster: If something in dispute is divided equally, it is referred to as splitting the ... what?
Contestant: Atom.

Burpee · 08-01-2012, 03:58 PM

Quote:

Originally Posted by Philip M

Cookies have been covered very many times in this forum - try using the search feature for examples.

This is not a good way to restrict access to certain users only. As you say, there are other and better methods. Users may disable Javascript in their browsers and thus by-pass your "security".

Do you wish to restrict access to certain users or certain machines?

Quizmaster: If something in dispute is divided equally, it is referred to as splitting the ... what?
Contestant: Atom.

Aye, I figured as much, but I was hoping to get help that's a bit more specific. And thank you for your prompt response; it is much appreciated.

Thanks for the tip! I completely forgot about the possibility of disabling JavaScript in the browser.

Ideally, I'd like to restrict access to certain machines. The webpage isn't going to have heavy traffic, and it won't even have a link to it from anywhere else on the website (or period). There will be maybe 5-10 machines, at the most, that I'd like to have access to the page.

Philip M · 08-01-2012, 04:46 PM

As anything involving Javascript can be nullified simply by disabling Javascript in the browser, you need to use a server-side solution such as htaccess.

You can restrict access to authorised persons simply by redirecting to a page which has the same url as the "password" entered.

Code:

Enter password <input type = "password" id = "pwd" onblur = "redirect()">

<script type = "text/javascript">

function redirect() {
var url = document.getElementById("pwd").value;  // example: secret
url = url + ".html";
window.location.href = url;  // secret.html;
}

</script>

Another way to restrict access to certain machines is to store the redirect url (var myurl = "secret.html") in an external .js file on those machines you want to authorise, and then simply

<script type = "text/javascript">
window.location.href = myurl;
</script>

This assumes you have physical access to the machines so that you can install the .js file. This method is not secure but obviously only machines on which the redirect url is stored will be able to make the redirect. This assumes that the url is unguessable and is not "leaked" by your users. People who know the url can obviously go there directly. You will probably have the change the url fairly frequently.

Notice that you must redirect to the secret page from the initial page, not the other way round (not redirect from the secret page to "blocked.html").

But does it really matter if some unauthorised person is able to access your page?