JS call from CSS - ? 2

[Wulfgen]

I've seen this done before but I'm not sure about the code - where one places the call to a js file in the css file, that way the casual observer can't see the code (its not a foolproof thing but it helps a little)

I can't remeber how it's done - anyone out there know how?

 

[kaht]

a few weeks ago I saw a site where the external javascript was called via a ( @import intruction in a css file )

In all honesty, if this was possible it shouldn't be that hard to find an example on google. Given that you can't, you probably didn't see what you think you saw.

Additionally, most of the high MVPs in this forum have flat out told you that it's either:
1. not possible
-or-
2. not widely supported

Both reason 1 and 2 are good enough reasons to stop pursuing this idea. Besides, as you've said yourself it's not gonna stop anybody that's determined. If you have a password script that you want to protect, put it server side. Why is that so hard to understand?

If you are lucky enough to relocate the script that you supposedly "saw" feel free to post a link here and prove us all wrong. However, my gut feeling tells me that we won't see a link any time soon.

-kaht

...looks like you don't have a job, so why don't you get out there and feed Tina.

 

[Wulfgen]

You're most definately right and so too are the MVP's - I'm just trying to appease a difficult client as I also mentioned before - I'll just have to be a little more strident in my next meeting - oh well :-(

 

[trollacious]

For the client-side password script, if you create a one-way hash value of the password and store that on the page, it doesn't matter WHO sees the number. You can store the function that creates the hash value, too, and it can't be reverse engineered, only cracked by brute force. One example of that is MD5 encryption. Another simple one that works pretty securely is:

function createhash(onestring)
{
var hashed = '', mult = 1;
for (var oi = 0;oi < onestring.length;oi++)
  {
  var onechar = onestring.charCodeAt(oi);
  hashed += onechar * mult;
  mult *= 3;
  }
return hashed;
}

If you use the encryption first to get the value of the password(s) allowed, then you can store the number(s) on the page (or external JS file) along with the algorithm. Processing the input password through the function will return a value you can compare to the number(s) created from valid passwords.

Of course, this isn't as secure as server-side password processing, but it's about as secure as you can get on the client side.

Lee

 

[Wulfgen]

Oh my... how on earth do I implement this? How does one access this from an onClick event from the page? Obviously this script be an external one accessable via the click (dont know that syntax) and the passwords themselves?

aargh! you're making me have to actually think (lol) and when I think, my head hurts - ouch!

 

[trollacious]

However you planned to validate passwords, you validate the numbers created the same way rather than the actual passwords themselves. This can be an external Javascript file, but doesn't need to be. You'd have to first generate the numbers to put in the file yourself using the same function, of course.

If the site has to be secure enough that someone visiting can't see the numbers, then you HAVE to use server side scripting, and using an external JS file is false security. I've used this client-side method a few times (and it's somewhere on this site under my name from a few years ago) for minimum security for a website, but being able to get at the numbers still is a security flaw because someone can use a brute force method to find a match.

Lee

 

[Wulfgen]

OK I get it - this really needs to be done server-side and I dont think they are willing to go to the expense, ... thats why they sent me to the GateKeeper first. I'll tell 'em.

 

[ChrisHunt]

Wow, Lee, that's clever. Well worth a star.

However, you're still not out of the woods, since the Javascript is gonna have to say: if password matches, do something. It seems to me you could look at the code, see what was protected by the password, and then see/do the protected thing anyway. It's also a very involved way of doing something that's quite trivial server-side.

... I dont think they are willing to go to the expense

What expense is that? Shop around - the cost of hosting is vanishingly small these days, and any paid hosting scheme worth its salt should let you use .htaccess and/or some simple server-side scripting.


-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[trollacious]

I just set up an ASP account at GoDaddy (whatever you think of them) that cost less than $3 a month for 2 years, along with a 3-year domain name registration. The whole shebang cost $87, 3-year registration and 2 years of hosting. How cheap ARE your clients?

Lee

 

[Wulfgen]

Again, somewhere along the way in the translation, everyone got lost. The client doesnt want to pay for the scripting (time to code/time to test, etc,etc) They just wanted a slam-dunk, so they found the Gatekeeper and I figured I could just hide some of the basic script, Nothing to do with hosting.

 

[ChrisHunt]

It'll take less time to set up than you've spent posting to this forum. Start by Googling for .htaccess . There are loads of free, ready-made solutions out there that work. No need to waste time looking for some half-remembered javascript thing that won't.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[Wulfgen]

Yes Chris, correct, I've given up the idea.. and I'm going to suggest at the next meeting to either cough up the $ or not do it. Simple.

 

[kaht]

and I'm going to suggest at the next meeting to either cough up the $ or not do it. Simple.

Now you're on the right track.

-kaht

...looks like you don't have a job, so why don't you get out there and feed Tina.

 

[Wulfgen]

You know guys - many of you have responded to many questions of mine and (obviously) others ffom other people - I've been on this Tek-Tips forum for awhile now and I wish there was some way to globally thank many of you at the same time, rather than one star at a time - makes me feel like a teacher giving out gold stars singularly, when in reality, you ALL deserve some!!!

 

[kaht]

I'm by no means trying to be a star-monger, but there is no restriction on TT to giving out more than 1 star per thread. The only restrictions that are imposed on star-giving are:

1. you can't give yourself a star
2. you can't give the same person more than one star in a single thread

-kaht

...looks like you don't have a job, so why don't you get out there and feed Tina.

 

[Wulfgen]

Oye, I'm aware of the restrictions etc - didnt I say I had been here for awhile...

I was just saying .... Thanks to ALL and it's too bad it cant be done -enmassé

 

[ChrisHunt]

The best way to thank the community is to answer questions as well as to ask them (not to say that you aren't already doing this Wulfgen). It's also the way to get the most out of being here. I've learnt far more answering questions than I ever could from asking them.

And your customers shouldn't need to cough up any $, unless you particularly want them to. Password protection is a common requirement, it's been done countless times already and there are piles of off-the-shelf solutions out there that you can pick up and plug in to your (clients') site quicker than you can say "Google". There's a tip in there somewhere about where to look ;-)

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[Wulfgen]

OK