By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,564 Members | 1,070 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,564 IT Pros & Developers. It's quick & easy.

Password Script Improvements

P: n/a
Here's a simple script I have pulled from various sources and wondered if
there was a way to improve it. First, if the type the wrong password, I
would like to redirect them to another login page to tell them to try again.
Second, I would like to figure otu a way to keep someone from just
bookmarking pages behind the main page to bypass the password. I know this
is nor perfect and there is nothing critical behind the password protected
pages, but just wanted to shore it up a bit.

Thanks!

function PasswordLogin()
{
document.location.href = document.formlogin.password.value + ".htm";
return false;
}

function CheckEnter(event)
{
var NS4 = (document.layers) ? true : false;
var code = 0;

if (NS4)
code = event.which;
else
code = event.keyCode;
if (code==13)
{
PasswordLogin();
event.returnValue = false;
}
}
Jul 23 '05 #1
Share this Question
Share on Google+
10 Replies


P: n/a
In article <l2*********************@bignews6.bellsouth.net> , Karl
Burrows says...
Here's a simple script I have pulled from various sources and wondered if
there was a way to improve it. First, if the type the wrong password, I
would like to redirect them to another login page to tell them to try again.
You need to have a 404 error page that does that.

Second, I would like to figure otu a way to keep someone from just
bookmarking pages behind the main page to bypass the password.
Set a cookie.

I know this
is nor perfect and there is nothing critical behind the password protected
pages, but just wanted to shore it up a bit.


Do it properly with .htaccess or a database.

--
Hywel

http://sponsorhywel.org.uk/
Jul 23 '05 #2

P: n/a
On Mon, 13 Sep 2004 12:39:23 -0400, Karl Burrows <kf**@spambellsouth.net>
wrote:
Here's a simple script I have pulled from various sources and wondered
if there was a way to improve it.
[snip]

Focusing on the script approach (though the server is better)...

[snip]
function CheckEnter(event)
{
var NS4 = (document.layers) ? true : false;
....you can improve this script by removing that bit of browser detection.
For a start, it doesn't help modern Gecko browsers that do use the which
property to identify the key. Secondly, browser detection is just a bad
idea. See the FAQ (4.26).

<URL:http://jibbering.com/faq/>
var code = 0;

if (NS4)
code = event.which;
else
code = event.keyCode;
Use:

if('number' == typeof event.which) {
code = event.which;
} else if('number' == typeof event.keyCode) {
code = event.keyCode;
}

instead. That way, you actually check what's supported, not what you can
infer from other, unrelated characteristics.
if (code==13)
{
PasswordLogin();
event.returnValue = false;
If you really want to make sure that the event is cancelled, then use
appropriate approaches, not just Microsoft's:

if(event.preventDefault) {
event.preventDefault();
} else if('undefined' != typeof event.returnValue) {
event.returnValue = false;
}
// Assuming that you'll pass the return code back properly
return false;
}
}


Hope that helps,
Mike

--
Michael Winter
Replace ".invalid" with ".uk" to reply by e-mail.
Jul 23 '05 #3

P: n/a
Do you have any examples of what I need to do?

"Hywel" <hy**********@hotmail.com> wrote in message
news:MP***********************@news.individual.net ...
In article <l2*********************@bignews6.bellsouth.net> , Karl
Burrows says...
Here's a simple script I have pulled from various sources and wondered if there was a way to improve it. First, if the type the wrong password, I
would like to redirect them to another login page to tell them to try again.

You need to have a 404 error page that does that.

Second, I would like to figure otu a way to keep someone from just
bookmarking pages behind the main page to bypass the password.


Set a cookie.

I know this
is nor perfect and there is nothing critical behind the password

protected pages, but just wanted to shore it up a bit.


Do it properly with .htaccess or a database.

--
Hywel

http://sponsorhywel.org.uk/

Jul 23 '05 #4

P: n/a
In article <4M********************@bignews6.bellsouth.net>, Karl Burrows
says...
"Hywel" <hy**********@hotmail.com> wrote in message
news:MP***********************@news.individual.net ...
In article <l2*********************@bignews6.bellsouth.net> , Karl
Burrows says...
Here's a simple script I have pulled from various sources and wondered if there was a way to improve it. First, if the type the wrong password, I
would like to redirect them to another login page to tell them to try again.

You need to have a 404 error page that does that.

Second, I would like to figure otu a way to keep someone from just
bookmarking pages behind the main page to bypass the password.
Set a cookie.

I know this
is nor perfect and there is nothing critical behind the password

protected pages, but just wanted to shore it up a bit.


Do it properly with .htaccess or a database.

Do you have any examples of what I need to do?


No. Do you know how to use a search engine?

--
Hywel

http://sponsorhywel.org.uk/
Jul 23 '05 #5

P: n/a
I have and I pieced together this code from them. I just wanted to find a
way to make it a bit better. If you don't want to help and want to get
critical with me, don't reply to my post. I spent 3 hours researching ways
to do this (I very little JavaScript experience) and was pretty proud of
myself for being able to combine the coding I found to make something that
seemed to work. I just wanted advice and assistance to improve it to make
it more functional.

"Hywel" <hy**********@hotmail.com> wrote in message
news:MP************************@news.individual.ne t...
In article <4M********************@bignews6.bellsouth.net>, Karl Burrows
says...
"Hywel" <hy**********@hotmail.com> wrote in message
news:MP***********************@news.individual.net ...
In article <l2*********************@bignews6.bellsouth.net> , Karl
Burrows says...
> Here's a simple script I have pulled from various sources and wondered
if
> there was a way to improve it. First, if the type the wrong
password, I > would like to redirect them to another login page to tell them to

try again.

You need to have a 404 error page that does that.
> Second, I would like to figure otu a way to keep someone from just
> bookmarking pages behind the main page to bypass the password.

Set a cookie.
> I know this
> is nor perfect and there is nothing critical behind the password

protected
> pages, but just wanted to shore it up a bit.

Do it properly with .htaccess or a database.

Do you have any examples of what I need to do?


No. Do you know how to use a search engine?

--
Hywel

http://sponsorhywel.org.uk/

Jul 23 '05 #6

P: n/a
In article <mY*******************@bignews3.bellsouth.net>,
"Karl Burrows" <kf**@spambellsouth.net> wrote:
I have and I pieced together this code from them.
This is good.
I just wanted to find a
way to make it a bit better. If you don't want to help and want to get
critical with me, don't reply to my post.


Then do not post here. People are replying for free. Hire a consultant
if you need affirmation of your ideas.
I am curious why you cannot use the password saving methods in Netscape
7.2? Doesn't IE have a password saving method too? I didn't
understand why this wouldn't work.

Robert
Jul 23 '05 #7

P: n/a
Robert, it is just frustrating to ask for some direction and have someone
tell me to do a Google search. I help out in many newsgroups including
Outlook, XP, Excel, etc. I can't do it all and rely on your help as much as
others rely on mine. I don't expect anyone to do it for me, but sharing
resources and tips and tricks is the way to learn.

"Robert" <rc*******@my-deja.com> wrote in message
news:rc*****************************@news1.west.ea rthlink.net...
In article <mY*******************@bignews3.bellsouth.net>,
"Karl Burrows" <kf**@spambellsouth.net> wrote:
I have and I pieced together this code from them.


This is good.
I just wanted to find a
way to make it a bit better. If you don't want to help and want to get
critical with me, don't reply to my post.


Then do not post here. People are replying for free. Hire a consultant
if you need affirmation of your ideas.
I am curious why you cannot use the password saving methods in Netscape
7.2? Doesn't IE have a password saving method too? I didn't
understand why this wouldn't work.

Robert

Jul 23 '05 #8

P: n/a
Thank you for your help!!!

"Michael Winter" <M.******@blueyonder.co.invalid> wrote in message
news:opseagv1gsx13kvk@atlantis...
On Mon, 13 Sep 2004 12:39:23 -0400, Karl Burrows <kf**@spambellsouth.net>
wrote:
Here's a simple script I have pulled from various sources and wondered
if there was a way to improve it.


[snip]

Focusing on the script approach (though the server is better)...

[snip]
function CheckEnter(event)
{
var NS4 = (document.layers) ? true : false;


...you can improve this script by removing that bit of browser detection.
For a start, it doesn't help modern Gecko browsers that do use the which
property to identify the key. Secondly, browser detection is just a bad
idea. See the FAQ (4.26).

<URL:http://jibbering.com/faq/>
var code = 0;

if (NS4)
code = event.which;
else
code = event.keyCode;


Use:

if('number' == typeof event.which) {
code = event.which;
} else if('number' == typeof event.keyCode) {
code = event.keyCode;
}

instead. That way, you actually check what's supported, not what you can
infer from other, unrelated characteristics.
if (code==13)
{
PasswordLogin();
event.returnValue = false;


If you really want to make sure that the event is cancelled, then use
appropriate approaches, not just Microsoft's:

if(event.preventDefault) {
event.preventDefault();
} else if('undefined' != typeof event.returnValue) {
event.returnValue = false;
}
// Assuming that you'll pass the return code back properly
return false;
}
}


Hope that helps,
Mike

--
Michael Winter
Replace ".invalid" with ".uk" to reply by e-mail.

Jul 23 '05 #9

P: n/a
Karl Burrows wrote:
Here's a simple script I have pulled from various sources and wondered if
there was a way to improve it. First, if the type the wrong password, I
would like to redirect them to another login page to tell them to try again.
Second, I would like to figure otu a way to keep someone from just
bookmarking pages behind the main page to bypass the password. I know this
is nor perfect and there is nothing critical behind the password protected
pages, but just wanted to shore it up a bit.

Thanks!

function PasswordLogin()
{
document.location.href = document.formlogin.password.value + ".htm";
return false;
}

function CheckEnter(event)
{
var NS4 = (document.layers) ? true : false;
var code = 0;

if (NS4)
code = event.which;
else
code = event.keyCode;
if (code==13)
{
PasswordLogin();
event.returnValue = false;
}
}


Using document.layers to determine that the browser is Netscape 4 and then using
that information to determine whether to use event.which or event.keyCode is
what is called "browser detection" and although it is probably a safe choice in
this case, it's best to use "feature detection". That is, test for the feature
you want before using it, rather than basing your decision on some arbitrary
object or property you think is only available in a particular browser. In your
case, this would make your code:

<script type="text/javascript">
function checkEnter(e) {
var key;
if (e && e.which) {
key = e.which;
} else if (event.keyCode) {
key = event.keyCode;
}
if (key == 13) {
// alert(document.forms['formlogin'].elements['pwInput'].value);
window.location.href = document.forms['formlogin'].elements['pwInput'].value +
".htm";
}
return true;
}
</script>
<form name="formlogin">
<input type="password" name="pwInput" value="" onkeydown="return
checkEnter(event);">
</form>

There's no reason to create PasswordLogin(). There's no reason to set
event.returnValue, since if key == 13, you are navigated off the page, no
JavaScript should execute after you set window.location.href. Note also that
it's window.location.href. document.location works, but it is deprecated.

There is no way of preventing someone from bookmarking the target page and
simply returning to it later, bypassing your elaborate security system. You
could attempt to test document.referrer in the "secured" page and if it's not
your security form, redirect back to your security form. But disabling
JavaScript would resolve that problem fairly quickly. Not to mention, if they
have the "secured" page bookmarked, it would just be a matter of typing in the
filename they already know.

As many have said, the only way to secure something is on the server. If you run
apache, you can do this with .htaccess:

<FilesMatch ".+">
# meet any condition for any file
Satisfy Any

Order Deny,Allow
# Deny everybody
Deny from All
# Allow local LAN users without auth - can be omitted
Allow from 192.168

# file to obtain user data from, may be different on your system
AuthUserFile /usr/local/www/data/.htpasswd
AuthGroupFile /dev/null
AuthName "Information you want on the browser auth dialog"
AuthType Basic

Require valid-user
</FilesMatch>
# ran into a problem... allow from 192.168 was showing .ht* files
# this FilesMatch directive prevents that; there is a FilesMatch
# directive in httpd.conf, but the allow from 192.168 above seems to
# override it or something
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

(just noticed I can probably trim that down to a single <FilesMatch> directive:
<FilesMatch "^[^\.ht]">, but since I haven't tested this I'd stick with what
I've got above, which I know works)

and .htpasswd:

# to create the first one
htpasswd -c /usr/local/www/data/.htpasswd myusername mypassword
# to add more
htpasswd -b /usr/local/www/data/.htpasswd someoneelse theirpassword

Documentation for doing authentication in Apache is available at <url:
http://httpd.apache.org/docs/howto/auth.html />

--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq

Jul 23 '05 #10

P: n/a
In article <mY*******************@bignews3.bellsouth.net>, Karl Burrows
says...
"Hywel" <hy**********@hotmail.com> wrote in message
news:MP************************@news.individual.ne t...
In article <4M********************@bignews6.bellsouth.net>, Karl Burrows
says...
"Hywel" <hy**********@hotmail.com> wrote in message
news:MP***********************@news.individual.net ...
> In article <l2*********************@bignews6.bellsouth.net> , Karl
> Burrows says...
> > Here's a simple script I have pulled from various sources and wondered if
> > there was a way to improve it. First, if the type the wrong password, I > > would like to redirect them to another login page to tell them to try again.
>
> You need to have a 404 error page that does that.
>
>
> > Second, I would like to figure otu a way to keep someone from just
> > bookmarking pages behind the main page to bypass the password.
>
> Set a cookie.
>
>
> > I know this
> > is nor perfect and there is nothing critical behind the password
protected
> > pages, but just wanted to shore it up a bit.
>
> Do it properly with .htaccess or a database.
Do you have any examples of what I need to do?


No. Do you know how to use a search engine?

I have and I pieced together this code from them.
And?
I just wanted to find a way to make it a bit better.
I told you how.

If you don't want to help
I did help.
and want to get critical with me, don't reply to my post.
Don't top-post.

I spent 3 hours researching ways
to do this (I very little JavaScript experience) and was pretty proud of
myself for being able to combine the coding I found to make something that
seemed to work.
Good for you.
I just wanted advice and assistance to improve it to make
it more functional.


I gave you good advice. Take it.

--
Hywel

http://sponsorhywel.org.uk/
Jul 23 '05 #11

This discussion thread is closed

Replies have been disabled for this discussion.