View Full Version : I was told it couldn't be done and LOOK!

07-29-2005, 07:27 AM
I have spent some time trying to create a secure login on client side programming. I think I have completed my mission. Let me know if you can by pass the login to the data on the other side.

Biblical Research Online (http://www.geocities.com/biblicalresearchonline/)

07-29-2005, 09:12 AM
I have to say, that's quite clever. It wouldn't survive a brute-force attack, but to protect a Geocities site it seems good enough.

07-29-2005, 04:15 PM
It's basically the same as the other JS password protection methods in that you just send them to password.html, except you include username_and_password.js which draws the secured content. It's not something people can crack without getting a directory index to see which files you have in your folders.

07-29-2005, 04:51 PM
It seems safe enough for your site, but it could easily be passed by bruteforcing it or running a dictionary attack. You'd have to know someones username though, if not it would take a million years.

07-29-2005, 06:10 PM
I wouldn't call your login secure. Several issues I can think of make such a script less attractive than a server-side login:

1) Once you are logged in you are logged in. There is no "session expiration".
2) You don't need to know the username and password. You only need to know the filename you are redirected after logging in.
3) If you occasionally change the filename of the file, you are redirected to, for security reasons (I assume there is no other way to protect against brute force methods) you will break existing links and bookmarks
4) You cannot set different "access levels/rights" for members


07-30-2005, 01:42 AM
Thank you,


Your are correct on the session expiration and such, but I can make it so that you can not see what the page url is, thus, creating a dang near impossible crack unless you either know a username and password.

However there is still that "brute force" that might get in. Althought there is no real sensitive info that is SUPER important

07-30-2005, 03:09 AM
and the "history" button on the browser?

They would have to erase that every time if anyone else
uses their computer.

08-01-2005, 04:45 PM

Good thinking! That history could be the main problem I face. Never thought about that. Then, anyone who used the same computer could see.

Is there any kind of code you can stick in with the html to either hide or clear the history from being revealed?

08-01-2005, 05:17 PM

What kind of information is on your member pages that needs to be secret?

Knowing what the member pages look like might allow us to give you some
more ideas. Better yet, create a fake member and give us the link to your
site so we can see what it looks like.

08-03-2005, 06:51 AM
Is this your members only page?


If so, change the file name, I guessed it on my first try.

08-03-2005, 07:01 AM
this won't help bruteforcing, but a good idea if you don't want people looking over your shoulder at the url (which has the password in it), write the name of the target page in hex. that way, they won't remember the code (unless they have photographic memory)

08-03-2005, 04:11 PM
Great Idea!

I was thinking about changing the pages to hex values earlier!

08-03-2005, 04:52 PM

The new and even better site stands to this day! I have used hex values that complicate even brute force attacks! Generic names (such as members.htm, etc...) no longer stand. Making it very difficult to bypass.

Thanks for the tips!

08-04-2005, 11:36 AM
Are you going to post the code so others can use this as this is probably the BEST client-side login.

08-04-2005, 12:06 PM
Any client side login isn't secure....I don't want to use it, lol.

08-04-2005, 02:08 PM
If the code was posted I would only use it for a customised member page as if i needed to use something with personal information other than their name and email i would use a server side script but i think that people will use it if it was posted including me.

Tristan Gray
08-04-2005, 02:51 PM
Yeah, the only people who truly need protection will want to do it server-side unquestionably.

08-04-2005, 04:34 PM
Alright MW,

I will help you out.

Here is the code for the javascript client side login. (jslogin.zip)

BUT this is only part of making the site secure. Once you get the code up and running, turn the website into a frames page. That way, if someone views the source, they are going to view the frame pages source rather than the login page's source, which would have what web site the link will direct them too.

Along with this, do not name your members or secret pages simply names (ie. members.htm) otherwise, bruteforcing is easy. Instead, name each page for your members pages long numeric (you can include letters too) names. This way no one will ever guess.

one more thing

Use this javascript code

<a href="whatever.html" onMouseOver="window.status='';return true;" onMouseOut="window.status='';return true;"> Link text</a>

to hide where each link will take a person.

08-04-2005, 05:13 PM
Thank's for that :thumbsup:

08-04-2005, 06:45 PM
It's secure, but can only ever be secure once. If someone logs in and shares the link, it's going to be useless. Server-side checks can make sure you've logged in before showing the page. JS can too, but disabling JS would get anyone around that.

08-04-2005, 07:20 PM
Bruteforcers works for EVERYTHING, that has an obvious password XD
I would suggest using Octimals instead of hexidecimals
because I rarely see people use octimals and I would love it to be used (somehow)
and a good WPE Pro could just send a packet saying "I've logged in" and it would be accessed
but other than that nice job on the client-side passwords
one more thing...


08-04-2005, 09:29 PM

Well everyone needs a host...and everyone has to start somewhere.

08-05-2005, 09:45 AM
http://www.codingforums.com/showthread.php?t=10114 :confused:

08-05-2005, 05:21 PM
I used geocities to show the people who told me that I couldn't make a secure login that I could. I didn't want to pay just to proove them wrong.

08-05-2005, 05:24 PM
Stated by AaronW:

It's secure, but can only ever be secure once. If someone logs in and shares the link, it's going to be useless.

How would someone get my link? I have hidden the url from them. Not only that, but I have used massive, massive numbers to complicate the matter.

I highly doubt that it can be done, but I guess anything is possible.