I was told it couldn't be done and LOOK!

Vapor · 07-29-2005, 06:27 AM

I have spent some time trying to create a secure login on client side programming. I think I have completed my mission. Let me know if you can by pass the login to the data on the other side.

Biblical Research Online

hemebond · 07-29-2005, 08:12 AM

I have to say, that's quite clever. It wouldn't survive a brute-force attack, but to protect a Geocities site it seems good enough.

AaronW · 07-29-2005, 03:15 PM

It's basically the same as the other JS password protection methods in that you just send them to password.html, except you include username_and_password.js which draws the secured content. It's not something people can crack without getting a directory index to see which files you have in your folders.

JPM · 07-29-2005, 03:51 PM

It seems safe enough for your site, but it could easily be passed by bruteforcing it or running a dictionary attack. You'd have to know someones username though, if not it would take a million years.

dumpfi · 07-29-2005, 05:10 PM

I wouldn't call your login secure. Several issues I can think of make such a script less attractive than a server-side login:

1) Once you are logged in you are logged in. There is no "session expiration".
2) You don't need to know the username and password. You only need to know the filename you are redirected after logging in.
3) If you occasionally change the filename of the file, you are redirected to, for security reasons (I assume there is no other way to protect against brute force methods) you will break existing links and bookmarks
4) You cannot set different "access levels/rights" for members

dumpfi

Vapor · 07-30-2005, 12:42 AM

Thank you,

However,

Your are correct on the session expiration and such, but I can make it so that you can not see what the page url is, thus, creating a dang near impossible crack unless you either know a username and password.

However there is still that "brute force" that might get in. Althought there is no real sensitive info that is SUPER important

mlseim · 07-30-2005, 02:09 AM

and the "history" button on the browser?

They would have to erase that every time if anyone else
uses their computer.

Vapor · 08-01-2005, 03:45 PM

Hmmmm,

Good thinking! That history could be the main problem I face. Never thought about that. Then, anyone who used the same computer could see.

Is there any kind of code you can stick in with the html to either hide or clear the history from being revealed?

mlseim · 08-01-2005, 04:17 PM

Vapor,

What kind of information is on your member pages that needs to be secret?

Knowing what the member pages look like might allow us to give you some
more ideas. Better yet, create a fake member and give us the link to your
site so we can see what it looks like.

Untitled · 08-03-2005, 05:51 AM

Is this your members only page?

http://www.geocities.com/biblicalres...ne/members.htm

If so, change the file name, I guessed it on my first try.

ianmarlowe · 08-03-2005, 06:01 AM

this won't help bruteforcing, but a good idea if you don't want people looking over your shoulder at the url (which has the password in it), write the name of the target page in hex. that way, they won't remember the code (unless they have photographic memory)

Vapor · 08-03-2005, 03:11 PM

Great Idea!

I was thinking about changing the pages to hex values earlier!

Vapor · 08-03-2005, 03:52 PM

Alright!

The new and even better site stands to this day! I have used hex values that complicate even brute force attacks! Generic names (such as members.htm, etc...) no longer stand. Making it very difficult to bypass.

Thanks for the tips!

mw2005 · 08-04-2005, 10:36 AM

Are you going to post the code so others can use this as this is probably the BEST client-side login.

JamieR · 08-04-2005, 11:06 AM

Any client side login isn't secure....I don't want to use it, lol.