  1. #1
    Regular Coder

    I was told it couldn't be done and LOOK!

    I have spent some time trying to create a secure login on client side programming. I think I have completed my mission. Let me know if you can bypass the login to the data on the other side.


    Biblical Research Online
    Last edited by Vapor; 07-29-2005 at 06:34 AM.

  • #2
    Senior Coder
    I have to say, that's quite clever. It wouldn't survive a brute-force attack, but to protect a Geocities site it seems good enough.
    Forget style. Code to semantics. Separate style from structure, and structure from behaviour.
    I code to specs, and test only in Firefox (unless stated otherwise).

  • #3
    Senior Coder
    It's basically the same as the other JS password protection methods in that you just send them to password.html, except you include username_and_password.js which draws the secured content. It's not something people can crack without getting a directory index to see which files you have in your folders.

  • #4
    JPM
    Regular Coder
    It seems safe enough for your site, but it could easily be passed by bruteforcing it or running a dictionary attack. You'd have to know someone's username though, if not it would take a million years.
    <JPM />

  • #5
    Regular Coder
    I wouldn't call your login secure. Several issues I can think of make such a script less attractive than a server-side login:

    1) Once you are logged in you are logged in. There is no "session expiration".
    2) You don't need to know the username and password. You only need to know the filename you are redirected to after logging in.
    3) If you occasionally change the filename of the file you are redirected to, for security reasons (I assume there is no other way to protect against brute force methods), you will break existing links and bookmarks.
    4) You cannot set different "access levels/rights" for members

    dumpfi
    Last edited by dumpfi; 07-29-2005 at 05:15 PM.
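
    The first two issues in dumpfi's list, modelled as an added example (not code from the thread or from the site under discussion; the file names, credentials and function names are constructed). A static host hands the page to anyone who requests its path, while a server-side check releases it only for an unexpired session.

```javascript
// Added example: a model of the client-side login discussed in this thread.
// File names, credentials and function names are constructed for illustration.
const { randomBytes } = require("node:crypto");

// A static host returns a file to anyone who requests its path.
const staticFiles = new Map([
  ["/login.htm", "<form>...</form>"],
  ["/alice_s3cret.htm", "members-only content"],
]);
function staticHost(path) {
  return staticFiles.has(path)
    ? { status: 200, body: staticFiles.get(path) }
    : { status: 404, body: "" };
}

// Client-side "login": the browser builds the target file name from the form
// fields and navigates to it. Nothing is checked on the server.
function clientSideLogin(user, pass) {
  return staticHost(`/${user}_${pass}.htm`);
}

// Server-side contrast: content is released only for a live session.
const SESSION_TTL_MS = 15 * 60 * 1000;
const users = new Map([["alice", "s3cret"]]); // real systems store password hashes
const sessions = new Map();

function serverLogin(user, pass, now) {
  if (!users.has(user) || users.get(user) !== pass) return null;
  const token = randomBytes(16).toString("hex");
  sessions.set(token, { user, expires: now + SESSION_TTL_MS });
  return token;
}

function serverGetMembers(token, now) {
  const session = sessions.get(token);
  if (!session || session.expires <= now) {
    sessions.delete(token); // expired or unknown: drop it and refuse
    return { status: 401, body: "" };
  }
  return { status: 200, body: "members-only content" };
}

// Issue 2: the URL alone (bookmark, history entry) is enough on the static host.
console.log(staticHost("/alice_s3cret.htm").status);
// Issue 1: the server-side session stops working once the TTL has passed.
const t = serverLogin("alice", "s3cret", 0);
console.log(serverGetMembers(t, SESSION_TTL_MS + 1).status);
```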

  • #6
    Regular Coder
    Thank you,

    However,

    You are correct on the session expiration and such, but I can make it so that you cannot see what the page url is, thus creating a dang near impossible crack unless you know a username and password.

    However there is still that "brute force" that might get in. Although there is no real sensitive info that is SUPER important.

  • #7
    Master Coder mlseim
    and the "history" button on the browser?

    They would have to erase that every time if anyone else
    uses their computer.

  • #8
    Regular Coder
    Hmmmm,

    Good thinking! That history could be the main problem I face. Never thought about that. Then, anyone who used the same computer could see.

    Is there any kind of code you can stick in with the html to either hide or clear the history from being revealed?

  • #9
    Master Coder mlseim
    Vapor,

    What kind of information is on your member pages that needs to be secret?

    Knowing what the member pages look like might allow us to give you some
    more ideas. Better yet, create a fake member and give us the link to your
    site so we can see what it looks like.

  • #10
    New Coder
    Is this your members only page?

    http://www.geocities.com/biblicalres...ne/members.htm

    If so, change the file name, I guessed it on my first try.
    ARON

  • #11
    New Coder
    this won't help bruteforcing, but a good idea if you don't want people looking over your shoulder at the url (which has the password in it), write the name of the target page in hex. that way, they won't remember the code (unless they have photographic memory)
    i'm only 12, gimme some slack

  • #12
    Regular Coder
    Great Idea!

    I was thinking about changing the pages to hex values earlier!

  • #13
    Regular Coder
    Alright!

    The new and even better site stands to this day! I have used hex values that complicate even brute force attacks! Generic names (such as members.htm, etc...) no longer stand. Making it very difficult to bypass.

    Thanks for the tips!

  • #14
    Regular Coder
    Are you going to post the code so others can use this, as this is probably the BEST client-side login?

  • #15
    Senior Coder JamieR
    Any client side login isn't secure... I don't want to use it, lol.

