hide password from page source

Status
Not open for further replies.

luckyred

Technical User
Oct 5, 2000
1
US
I am trying to find a simple script that will require members to log into a page using a username and password, but one where they can't just view the page source to find it.
 
use server side code
html,css,javascript are some of the BROWSERSIDE code
perl,php,c++,java are some of the SERVERSIDE code

someone's knowledge ends where
someone else's knowledge starts
 
possibility 2:
extern your script like this
<script language="javascript" src="password.js"></script>
this will not protect your password cause the user
can download such a file on a lot of servers
find an ISAPI filter coder...
here is the script to show him/her

#include <afxisapi.h>   // MFC ISAPI classes (CHttpFilter, CHttpFilterContext)
#include <string.h>

DWORD CJSISAPIFilter::OnUrlMap(CHttpFilterContext* pCtxt, PHTTP_FILTER_URL_MAP pMapInfo)
{
    // Measure the URL first; the extension pointer depends on its length
    DWORD lenURL = (DWORD)strlen(pMapInfo->pszURL);
    if ( lenURL < 3 )
        return SF_STATUS_REQ_NEXT_NOTIFICATION;
    const char * szExtension = &pMapInfo->pszURL[lenURL - 3];
    char szReferer[250] = "";   // stays empty if the request carries no Referer
    DWORD dwReferer = sizeof(szReferer);
    // Case-insensitive compare, so the server's URL buffer is not lowercased in place
    if ( _stricmp(szExtension, ".js") == 0 ) {
        // HTTP_REFERER is a request header supplied by the client
        pCtxt->GetServerVariable("HTTP_REFERER", szReferer, &dwReferer);
        // Refuse .js requests whose Referer does not start with 'h' (as in "http")
        if ( szReferer[0] != 'h' ) {
            char szRedirect[2] = "";
            char szContent[] = "\r\n\r\n<html>\r\n<head><title>access denied</title></head>\r\n<body>\r\n<b><font size=8>access denied</font></b>\r\n</body>\r\n</html>\r\n";
            DWORD dwRedirect = 2;
            DWORD dwContent = (DWORD)strlen(szContent);
            pCtxt->ServerSupportFunction (SF_REQ_SEND_RESPONSE_HEADER,szRedirect,&dwRedirect,NULL);
            pCtxt->WriteClient (szContent, &dwContent);
            return SF_STATUS_REQ_FINISHED;
        }
    }
    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}

then the problem will be fixed

someone's knowledge ends where
someone else's knowledge starts
 
ssl = $$$
code = free

someone's knowledge ends where
someone else's knowledge starts
 
thread216-251963 can show you why depending on JavaScript only is a futile effort that will not stop someone from accessing your "protected" pages.

Try a server-side technology such as PHP to make a simple password check. Attempting to do this in JavaScript or any combination of source-hiding code is NOT worth the effort.

Anyone in the top ten experts of this post will be able in less than a minute to access your "hidden" area.

PHP is relatively easy to learn for someone that knows javascript.

Gary Haran
 
Your best bet is to get a proper "member area" script.

offers a very good FREE version, it can be a little awkward to get it set up but it's a very good script IMHO.

I have a good java version which is "fairly" secure but don't use it for anything 'sensitive'. And you have to set up the users yourself, there's no registration script with it.
let me know if u want it.


I got bloody bored at the weekend:
É,
<!--#include file="profound quotation" -->
 
One thing I've done for quite a while, and have seen described as secure in Javascript as possible, is to run passwords and login names through a math formula, like creating a one way hash. Since those numbers can't be reverse engineered to find out the password, the only method to find the password is brute force then. Those numbers can be stored in Javascript that's visible, and even showing the algorithm. The basic formula is something like this:

function createnum(wordstring)
{
    // weighted sum of character codes: the weight triples at each position
    var mult = 1, checknum = 0;
    for (var wi = 0; wi < wordstring.length; wi++)
    {
        var onenum = wordstring.charCodeAt(wi) * mult;
        checknum += onenum;
        mult *= 3;
    }
    return checknum;
}

 
trollacious,

You are right that this would be hard to break but I believe it wouldn't be impossible.

Could you provide a working example of your formula so we can all learn?

Gary Haran
 
The following is the exact script I've used to get sums of passwords. Login names can be done the same way. The sums are stored either in 2 arrays then, or in an array of objects with the login sum as one property and the password sum as the other, on the HTML page or Javascript. This array can be listed on the page without showing the password or login names. The only thing that can break this algorithm is brute force, though with some experimentation and understanding of the code, certain ranges of passwords can be ruled out. The longer the string used, the more difficult it would be to crack with brute force, too.

The same function can be used, with the string value sent as a parameter to the function, and then compared to the list of allowed numbers generated. Strings are case sensitive here, and any keyboard character.

I saw a similar algorithm on a Javascript download site (like Javascript.com, or one of the others) a couple years ago that listed it as unbreakable and rated highly, but it was limited to alphanumeric characters only. I've used a similar algorithm for a long time for validating passwords and storing login names, and in 17 bytes store login name, password, and access level information for each user.

<script language="javascript">

// reads the clear-text field of the form named "password" and writes its sum to the "encrypted" field
function doencrypt()
{
    var onepass = document.password.clear.value;
    var passSum = 0, mult = 1;

    for (var pi = 0; pi < onepass.length; pi++)
    {
        var onenumber = onepass.charCodeAt(pi);
        passSum += onenumber * mult;
        mult *= 3;
    }
    document.password.encrypted.value = passSum;
}
</script>

This function would be used to check passwords against the numbers on the list on the login page.

<script language="javascript">
//these numbers were generated from passwords from the previous function
var passarray = new Array(1234, 7465, 98674);

function checkencrypt(onestring)
{
    var onepass = onestring;
    var passSum = 0, mult = 1;

    // same sum as doencrypt()
    for (var pi = 0; pi < onepass.length; pi++)
    {
        var onenumber = onepass.charCodeAt(pi);
        passSum += onenumber * mult;
        mult *= 3;
    }

    // true if the sum matches any number on the list
    for (var pi = 0; pi < passarray.length; pi++)
    {
        if (passSum == passarray[pi]) return true;
    }
    return false;
}
</script>
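
Added example, not part of any post in this thread: the checksum posted above maps many different strings to the same number, so a number listed in the page source matches many passwords and the comparison still runs in the browser. The Node.js sketch below counts those collisions and sets beside it the server-side check the other replies recommend, here a salted scrypt hash compared in constant time; `collisionStats`, `makeRecord` and `verify` are hypothetical names, and the sample strings are constructed.

```javascript
// Added example, not code from the thread. Runs under Node.js (CommonJS).
const crypto = require("crypto");

// The checksum as posted above: sum of charCode * 3^position.
function createnum(wordstring) {
  let mult = 1, checknum = 0;
  for (let wi = 0; wi < wordstring.length; wi++) {
    checknum += wordstring.charCodeAt(wi) * mult;
    mult *= 3;
  }
  return checknum;
}

// Hypothetical helper: run every lowercase string of the given length
// through createnum and count how many distinct checksums come out.
function collisionStats(length) {
  const alphabet = "abcdefghijklmnopqrstuvwxyz";
  const sums = new Set();
  const walk = (prefix) => {
    if (prefix.length === length) { sums.add(createnum(prefix)); return; }
    for (const ch of alphabet) walk(prefix + ch);
  };
  walk("");
  return { inputs: alphabet.length ** length, distinctSums: sums.size };
}

// Server-side alternative (hypothetical helpers): keep a salted scrypt hash
// on the server and never send it, or the comparison, to the browser.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

function verify(password, record) {
  const candidate = crypto.scryptSync(password, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// Constructed sample strings: "da" and "ab" share one checksum.
console.log(createnum("da"), createnum("ab"));
// Three lowercase letters: thousands of inputs, a few hundred checksums.
console.log(collisionStats(3));
const record = makeRecord("da");
console.log(verify("da", record), verify("ab", record));
```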
 
I'm trying to use this code for a login password. I don't know javascript very well so I need a little help with connecting this to the form...

thanks...
 
I feel I should put my two-cents into this post. If you have a hosting company then 99% of the time they provide some kind of server-type abilities.
Ask your hosting company what you need and they will suggest the best (and economical) solution. But everyone here is right, you need server-side coding, like ASP, Coldfusion, CGI, etc. Any other method is dangerous and unsafe, especially when you have sensitive customer information.

I have this little thing, Advanced Delusionary Schizophrenia with Involuntary Narcissistic Rage.
It's no big deal really...
 
It's just a formality thing...it doesn't matter if it's safe or not. I know it won't be safe.
 
the hashing idea seems a decent solution check for basic login using only javascript.

The only thing is, if you are doing this client-side there's nothing stopping anyone from doing view-source and finding the 'logged in' target page (and then just going there directly).
So, IMO it's a waste of time going to all the trouble of hashing because you still can't hide the target page. (Janet24 that link also uses hashing - and hides the logged in page using a bit of confusing code. It's a decent solution, but it isn't secure.)

My basic point is:
Client-side scripting alone cannot provide secure password protection.
