Need Help With Password Protecting Site

[kanin247]

To Whom It May Concern:

In the creation of my webpage, I created a section that requires a password. I used the following code:

function access()
{
var password = prompt("Please enter your password."
if(password == "1J2A0Y5&quot
{window.location = "pwfiles.htm";}
else
{window.location = "error.htm";}
}

However, I need a way to hide this section of code that contains the password information since anyone can just view my source and take it. So, if anyone could suggest how I should do this, I would appreciate it. Or if you have a better or more secure method please let me know. Thanks!

kanin

 

[AdamBrill]

You pretty much have one of two choices. You can either make an .htaccess file, or you can make the password part in PHP or some other server-side language. If you don't do that, anyone can get your password pretty easily. I would suggest just making it in PHP. If you need some help with that, let me know...

 

[theEclipse]

If you are seeking to hide the code, you cannot completly hide it. You can put your code in a linked .js file, thus removing the code from the front page, but any joe who cares can view source on the page and find out what your password is. Robert Carpenter
questions? comments? thanks? email me!
linkemapx@hotmail.com
Icq: 124408594

AIM & MSN: robacarp

 

[crowell]

You could use a form field instead of a prompt on the first page that submits to an asp page. Then on the asp you submit to put something like this:
<%@ LANGUAGE = JavaScript%>
<html>
<head>
<meta http-equiv=&quot;Content-Type&quot; content=&quot;text/html; charset=windows-1252&quot;>
<title>Login Verify</title>
</head>
<body>
<%
if (Request.Form(&quot;nameofformfield&quot != &quot;1J2A0Y5&quot
{
Response.Cookies(&quot;MyCookieName&quot = &quot;No&quot;;
Response.Redirect(&quot;error.htm&quot;
}
else
{
Response.Cookies(&quot;MyCookieName&quot = &quot;Yes&quot;;
Response.Redirect(&quot;pwfiles.htm&quot;
}
%>
</body>
</html>
Then make every protected page (like pwfiles.htm) an asp page with this at the very top.
<%@ LANGUAGE = JavaScript%>
<%
if (Request.Cookies(&quot;MyCookieName&quot != &quot;Yes&quot
{
Response.Redirect(&quot;error.htm&quot;
}
%>
<html>
Of course this is not as safe as .htaccess but if you want moderate protection, it should help.

 

[AdamBrill]

crowell-If they have cookies turned off, they can't get to any pages that have been password protected that way. Since it would not be hard to do, I think he would be better off using PHP.

 

[crowell]

Thanks AdamBrill. I agree that PHP or htaccess are definitely more secure and efficient. I have used these and other options on internet sites, and other more custom options in intranet situations.
But the simple one-password situation that kanin247 is attempting suggests a limited number of users, so they may want to keep this simple. They could just inform these users on the initial page that cookies must be enabled to access the page.
The error.html could even remind that you may receive this page if your cookies are not enabled.
I was just expanding on kanin247's options, as there are definitely more options than just htaccess or PHP.
And of course kanin247 - if someone hacking into your page is going to destroy your business you will want to look into a more secure option.

 

[kanin247]

crowell,

thanks for your input. and your assumptions are correct. i'm trying to create access for a limited amount of users and i guess you could say i would like medium security. just so that anyone in the company who accesses the intranet link will not be able to view the file. only those in my group may access.

the asp page you suggested sounds like a good solution to my problem. however, i am not familiar with it. it doesn't sound too difficult but could you maybe suggest a few links to some tutorial sites or maybe provide some code that may be of some help. i would appreciate it. thanks.

and thanks to everyone else for their input.

kanin

 

[crowell]

Actually, to make a page an asp page is simple, as you guessed.
You just have to save it with an .asp extension instead of .html.
Then put <%@ LANGUAGE = JavaScript%> on the very first line of the code.
Then any javascript code you use start with <% and end with %> will be processed server-side.
To use the example above:
Page One:
Create a regular .html page, with a form with an input field for the password, and submit the form to the asp page that checks the value of the field.
Page Two:
This would be the asp page that checks the value of the field.
All of the code that needs to be on this asp page is shown above. You just have to be sure the field name matches the name of the input field on your form. (nameofformfield). And make sure the value you are checking for is the real password. You can also name the cookie anything you would like.
Page Three, etc.:
Save all of the other protected pages with the .asp extension. At the very top of each of these pages you can use the example code above.

If this does not work, you can check the server to be sure that asp is enabled.
If you need more info, let us know.
Good luck!