Password Script Improvements

Here's a simple script I have pulled from various sources and wondered if
there was a way to improve it. First, if they type the wrong password, I
would like to redirect them to another login page to tell them to try again.
Second, I would like to figure out a way to keep someone from just
bookmarking pages behind the main page to bypass the password. I know this
is not perfect and there is nothing critical behind the password protected
pages, but just wanted to shore it up a bit.

Thanks!

function PasswordLogin()
{
  document.location.href = document.formlogin.password.value + ".htm";
  return false;
}

function CheckEnter(event)
{
  var NS4 = (document.layers) ? true : false;
  var code = 0;

  if (NS4)
    code = event.which;
  else
    code = event.keyCode;
  if (code==13)
  {
    PasswordLogin();
    event.returnValue = false;
  }
}
Jul 23 '05 #1
In article <l2*********************@bignews6.bellsouth.net>, Karl
Burrows says...
> Here's a simple script I have pulled from various sources and wondered if
> there was a way to improve it. First, if they type the wrong password, I
> would like to redirect them to another login page to tell them to try again.

You need to have a 404 error page that does that.

> Second, I would like to figure out a way to keep someone from just
> bookmarking pages behind the main page to bypass the password.

Set a cookie.

> I know this
> is not perfect and there is nothing critical behind the password protected
> pages, but just wanted to shore it up a bit.

Do it properly with .htaccess or a database.

--
Hywel

http://sponsorhywel.org.uk/
Jul 23 '05 #2
On Mon, 13 Sep 2004 12:39:23 -0400, Karl Burrows <kf**@spambellsouth.net>
wrote:
> Here's a simple script I have pulled from various sources and wondered
> if there was a way to improve it.

[snip]

Focusing on the script approach (though the server is better)...

[snip]

> function CheckEnter(event)
> {
>   var NS4 = (document.layers) ? true : false;

...you can improve this script by removing that bit of browser detection.
For a start, it doesn't help modern Gecko browsers that do use the which
property to identify the key. Secondly, browser detection is just a bad
idea. See the FAQ (4.26).

<URL:http://jibbering.com/faq/>

>   var code = 0;
>
>   if (NS4)
>     code = event.which;
>   else
>     code = event.keyCode;

Use:

  if('number' == typeof event.which) {
    code = event.which;
  } else if('number' == typeof event.keyCode) {
    code = event.keyCode;
  }

instead. That way, you actually check what's supported, not what you can
infer from other, unrelated characteristics.

>   if (code==13)
>   {
>     PasswordLogin();
>     event.returnValue = false;

If you really want to make sure that the event is cancelled, then use
appropriate approaches, not just Microsoft's:

  if(event.preventDefault) {
    event.preventDefault();
  } else if('undefined' != typeof event.returnValue) {
    event.returnValue = false;
  }
  // Assuming that you'll pass the return code back properly
  return false;

>   }
> }

Hope that helps,
Mike

--
Michael Winter
Replace ".invalid" with ".uk" to reply by e-mail.
Jul 23 '05 #3
Do you have any examples of what I need to do?

Jul 23 '05 #4
In article <4M********************@bignews6.bellsouth.net>, Karl Burrows
says...
> "Hywel" <hy**********@hotmail.com> wrote in message
> news:MP***********************@news.individual.net ...
> > In article <l2*********************@bignews6.bellsouth.net>, Karl
> > Burrows says...
> > > Here's a simple script I have pulled from various sources and wondered if
> > > there was a way to improve it. First, if they type the wrong password, I
> > > would like to redirect them to another login page to tell them to try again.
> >
> > You need to have a 404 error page that does that.
> >
> > > Second, I would like to figure out a way to keep someone from just
> > > bookmarking pages behind the main page to bypass the password.
> >
> > Set a cookie.
> >
> > > I know this
> > > is not perfect and there is nothing critical behind the password protected
> > > pages, but just wanted to shore it up a bit.
> >
> > Do it properly with .htaccess or a database.
>
> Do you have any examples of what I need to do?

No. Do you know how to use a search engine?

--
Hywel

http://sponsorhywel.org.uk/
Jul 23 '05 #5
I have and I pieced together this code from them. I just wanted to find a
way to make it a bit better. If you don't want to help and want to get
critical with me, don't reply to my post. I spent 3 hours researching ways
to do this (I have very little JavaScript experience) and was pretty proud of
myself for being able to combine the coding I found to make something that
seemed to work. I just wanted advice and assistance to improve it to make
it more functional.

Jul 23 '05 #6
In article <mY*******************@bignews3.bellsouth.net>,
"Karl Burrows" <kf**@spambellsouth.net> wrote:
> I have and I pieced together this code from them.

This is good.

> I just wanted to find a
> way to make it a bit better. If you don't want to help and want to get
> critical with me, don't reply to my post.

Then do not post here. People are replying for free. Hire a consultant
if you need affirmation of your ideas.

I am curious why you cannot use the password saving methods in Netscape
7.2? Doesn't IE have a password saving method too? I didn't
understand why this wouldn't work.

Robert
Jul 23 '05 #7
Robert, it is just frustrating to ask for some direction and have someone
tell me to do a Google search. I help out in many newsgroups including
Outlook, XP, Excel, etc. I can't do it all and rely on your help as much as
others rely on mine. I don't expect anyone to do it for me, but sharing
resources and tips and tricks is the way to learn.

Jul 23 '05 #8
Thank you for your help!!!

Jul 23 '05 #9
Karl Burrows wrote:
> Here's a simple script I have pulled from various sources and wondered if
> there was a way to improve it. First, if they type the wrong password, I
> would like to redirect them to another login page to tell them to try again.
> Second, I would like to figure out a way to keep someone from just
> bookmarking pages behind the main page to bypass the password. I know this
> is not perfect and there is nothing critical behind the password protected
> pages, but just wanted to shore it up a bit.
>
> Thanks!
>
> function PasswordLogin()
> {
>   document.location.href = document.formlogin.password.value + ".htm";
>   return false;
> }
>
> function CheckEnter(event)
> {
>   var NS4 = (document.layers) ? true : false;
>   var code = 0;
>
>   if (NS4)
>     code = event.which;
>   else
>     code = event.keyCode;
>   if (code==13)
>   {
>     PasswordLogin();
>     event.returnValue = false;
>   }
> }


Using document.layers to determine that the browser is Netscape 4 and then using
that information to determine whether to use event.which or event.keyCode is
what is called "browser detection" and although it is probably a safe choice in
this case, it's best to use "feature detection". That is, test for the feature
you want before using it, rather than basing your decision on some arbitrary
object or property you think is only available in a particular browser. In your
case, this would make your code:

<script type="text/javascript">
function checkEnter(e) {
  var key;
  // Fall back to IE's global event object when no event argument is passed
  e = e || window.event;
  if (e.which) {
    key = e.which;
  } else if (e.keyCode) {
    key = e.keyCode;
  }
  if (key == 13) {
    // alert(document.forms['formlogin'].elements['pwInput'].value);
    window.location.href = document.forms['formlogin'].elements['pwInput'].value + ".htm";
  }
  return true;
}
</script>
<form name="formlogin">
  <input type="password" name="pwInput" value="" onkeydown="return checkEnter(event);">
</form>

There's no reason to create PasswordLogin(). There's no reason to set
event.returnValue, since if key == 13, you are navigated off the page, no
JavaScript should execute after you set window.location.href. Note also that
it's window.location.href. document.location works, but it is deprecated.

There is no way of preventing someone from bookmarking the target page and
simply returning to it later, bypassing your elaborate security system. You
could attempt to test document.referrer in the "secured" page and if it's not
your security form, redirect back to your security form. But disabling
JavaScript would resolve that problem fairly quickly. Not to mention, if they
have the "secured" page bookmarked, it would just be a matter of typing in the
filename they already know.

As many have said, the only way to secure something is on the server. If you run
apache, you can do this with .htaccess:

<FilesMatch ".+">
  # meet any condition for any file
  Satisfy Any

  Order Deny,Allow
  # Deny everybody
  Deny from All
  # Allow local LAN users without auth - can be omitted
  Allow from 192.168

  # file to obtain user data from, may be different on your system
  AuthUserFile /usr/local/www/data/.htpasswd
  AuthGroupFile /dev/null
  AuthName "Information you want on the browser auth dialog"
  AuthType Basic

  Require valid-user
</FilesMatch>
# ran into a problem... allow from 192.168 was showing .ht* files
# this FilesMatch directive prevents that; there is a FilesMatch
# directive in httpd.conf, but the allow from 192.168 above seems to
# override it or something
<FilesMatch "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
</FilesMatch>

(just noticed I can probably trim that down to a single <FilesMatch> directive:
<FilesMatch "^[^\.ht]">, but since I haven't tested this I'd stick with what
I've got above, which I know works)

and .htpasswd:

# to create the first one (-c creates the file, -b takes the password from the command line)
htpasswd -cb /usr/local/www/data/.htpasswd myusername mypassword
# to add more
htpasswd -b /usr/local/www/data/.htpasswd someoneelse theirpassword

Documentation for doing authentication in Apache is available at
<url: http://httpd.apache.org/docs/howto/auth.html />

--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq

Jul 23 '05 #10
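
What "secure it on the server" means in code, as an added example that is not part of the original thread or any poster's code: a Node.js check that runs before any page is served, so a bookmarked URL gets the same password challenge and a wrong password gets a 401 retry prompt. The `/members/` prefix, the user name and the password are constructed for illustration.

```javascript
// Added example (not from the thread): the server decides on every request.
const crypto = require('node:crypto');

const PROTECTED_PREFIX = '/members/'; // hypothetical protected area

// Store a salted scrypt hash, never the password itself.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Constructed sample data; a real site would load this from a file or database.
const USERS = { karl: makeRecord('constructed-sample-password') };
const DUMMY = makeRecord('placeholder'); // hashed against for unknown user names

// Returns the user name for a valid "Authorization: Basic ..." header, else null.
function verifyBasicAuth(header, users) {
  if (typeof header !== 'string' || !header.startsWith('Basic ')) return null;
  const decoded = Buffer.from(header.slice(6), 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  const name = decoded.slice(0, sep);
  const known = Object.prototype.hasOwnProperty.call(users, name);
  const record = known ? users[name] : DUMMY;
  const supplied = crypto.scryptSync(decoded.slice(sep + 1), record.salt, 32);
  // Constant-time compare; unknown names cost the same work as known ones.
  const match = crypto.timingSafeEqual(supplied, record.hash);
  return known && match ? name : null;
}

// Decide what to do with a request before any page content is read.
function authorize(req, users) {
  // URL parsing collapses "../" segments, so the prefix test sees the real path.
  const path = new URL(req.url, 'http://localhost').pathname;
  if (!path.startsWith(PROTECTED_PREFIX)) return { status: 200, user: null };
  const user = verifyBasicAuth(req.headers.authorization, users);
  if (user) return { status: 200, user };
  // Missing or wrong password: the browser prompts again (the "try again" page).
  return { status: 401, user: null,
           headers: { 'WWW-Authenticate': 'Basic realm="Members"' } };
}

// Wiring for Node's http module: http.createServer(handler).listen(8080)
function handler(req, res) {
  const decision = authorize(req, USERS);
  if (decision.status === 401) {
    res.writeHead(401, decision.headers);
    return res.end('Password required. Try again.');
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end(decision.user ? 'Members page for ' + decision.user : 'Public page');
}
```

Basic credentials are only base64-encoded in transit, so a check like this belongs behind HTTPS.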
In article <mY*******************@bignews3.bellsouth.net>, Karl Burrows
says...
> "Hywel" <hy**********@hotmail.com> wrote in message
> news:MP************************@news.individual.ne t...
> > In article <4M********************@bignews6.bellsouth.net>, Karl Burrows
> > says...
> > > "Hywel" <hy**********@hotmail.com> wrote in message
> > > news:MP***********************@news.individual.net ...
> > > > In article <l2*********************@bignews6.bellsouth.net>, Karl
> > > > Burrows says...
> > > > > Here's a simple script I have pulled from various sources and wondered if
> > > > > there was a way to improve it. First, if they type the wrong password, I
> > > > > would like to redirect them to another login page to tell them to try again.
> > > >
> > > > You need to have a 404 error page that does that.
> > > >
> > > > > Second, I would like to figure out a way to keep someone from just
> > > > > bookmarking pages behind the main page to bypass the password.
> > > >
> > > > Set a cookie.
> > > >
> > > > > I know this
> > > > > is not perfect and there is nothing critical behind the password protected
> > > > > pages, but just wanted to shore it up a bit.
> > > >
> > > > Do it properly with .htaccess or a database.
> > >
> > > Do you have any examples of what I need to do?
> >
> > No. Do you know how to use a search engine?
>
> I have and I pieced together this code from them.

And?

> I just wanted to find a way to make it a bit better.

I told you how.

> If you don't want to help

I did help.

> and want to get critical with me, don't reply to my post.

Don't top-post.

> I spent 3 hours researching ways
> to do this (I have very little JavaScript experience) and was pretty proud of
> myself for being able to combine the coding I found to make something that
> seemed to work.

Good for you.

> I just wanted advice and assistance to improve it to make
> it more functional.

I gave you good advice. Take it.

--
Hywel

http://sponsorhywel.org.uk/
Jul 23 '05 #11
