Password Script Improvements

  • Karl Burrows

    Password Script Improvements

    Here's a simple script I have pulled from various sources and wondered if
    there was a way to improve it. First, if they type the wrong password, I
    would like to redirect them to another login page to tell them to try again.
    Second, I would like to figure out a way to keep someone from just
    bookmarking pages behind the main page to bypass the password. I know this
    is not perfect and there is nothing critical behind the password protected
    pages, but just wanted to shore it up a bit.

    Thanks!

    function PasswordLogin()
    {
        document.location.href = document.formlogin.password.value + ".htm";
        return false;
    }

    function CheckEnter(event)
    {
        var NS4 = (document.layers) ? true : false;
        var code = 0;

        if (NS4)
            code = event.which;
        else
            code = event.keyCode;
        if (code==13)
        {
            PasswordLogin();
            event.returnValue = false;
        }
    }


  • Hywel

    #2
    Re: Password Script Improvements

    In article <l2k1d.152913$%n4.120174@bignews6.bellsouth.net>, Karl
    Burrows says...
    > Here's a simple script I have pulled from various sources and wondered if
    > there was a way to improve it. First, if they type the wrong password, I
    > would like to redirect them to another login page to tell them to try again.

    You need to have a 404 error page that does that.

    > Second, I would like to figure out a way to keep someone from just
    > bookmarking pages behind the main page to bypass the password.

    Set a cookie.

    > I know this
    > is not perfect and there is nothing critical behind the password protected
    > pages, but just wanted to shore it up a bit.

    Do it properly with .htaccess or a database.

    --
    Hywel



    • Michael Winter

      #3
      Re: Password Script Improvements

      On Mon, 13 Sep 2004 12:39:23 -0400, Karl Burrows <kfb1@spambellsouth.net>
      wrote:

      > Here's a simple script I have pulled from various sources and wondered
      > if there was a way to improve it.

      [snip]

      Focusing on the script approach (though the server is better)...

      [snip]

      > function CheckEnter(event)
      > {
      > var NS4 = (document.layers) ? true : false;

      ...you can improve this script by removing that bit of browser detection.
      For a start, it doesn't help modern Gecko browsers that do use the which
      property to identify the key. Secondly, browser detection is just a bad
      idea. See the FAQ (4.26).

      <URL:http://jibbering.com/faq/>

      > var code = 0;
      >
      > if (NS4)
      > code = event.which;
      > else
      > code = event.keyCode;

      Use:

          if('number' == typeof event.which) {
              code = event.which;
          } else if('number' == typeof event.keyCode) {
              code = event.keyCode;
          }

      instead. That way, you actually check what's supported, not what you can
      infer from other, unrelated characteristics.

      > if (code==13)
      > {
      > PasswordLogin();
      > event.returnValue = false;

      If you really want to make sure that the event is cancelled, then use
      appropriate approaches, not just Microsoft's:

          if(event.preventDefault) {
              event.preventDefault();
          } else if('undefined' != typeof event.returnValue) {
              event.returnValue = false;
          }
          // Assuming that you'll pass the return code back properly
          return false;

      > }
      > }

      Hope that helps,
      Mike

      --
      Michael Winter
      Replace ".invalid" with ".uk" to reply by e-mail.


      • Karl Burrows

        #4
        Re: Password Script Improvements

        Do you have any examples of what I need to do?

        "Hywel" <hyweljenkins@hotmail.com> wrote in message
        news:MPG.1baff42191ef6ef9898c3@news.individual.net...
        > In article <l2k1d.152913$%n4.120174@bignews6.bellsouth.net>, Karl
        > Burrows says...
        > > Here's a simple script I have pulled from various sources and wondered if
        > > there was a way to improve it. First, if they type the wrong password, I
        > > would like to redirect them to another login page to tell them to try again.
        >
        > You need to have a 404 error page that does that.
        >
        > > Second, I would like to figure out a way to keep someone from just
        > > bookmarking pages behind the main page to bypass the password.
        >
        > Set a cookie.
        >
        > > I know this
        > > is not perfect and there is nothing critical behind the password protected
        > > pages, but just wanted to shore it up a bit.
        >
        > Do it properly with .htaccess or a database.
        >
        > --
        > Hywel
        >
        > http://sponsorhywel.org.uk/



        • Hywel

          #5
          Re: Password Script Improvements

          In article <4Mr1d.154007$%n4.71508@bignews6.bellsouth.net>, Karl Burrows
          says...
          > "Hywel" <hyweljenkins@hotmail.com> wrote in message
          > news:MPG.1baff42191ef6ef9898c3@news.individual.net...
          > > In article <l2k1d.152913$%n4.120174@bignews6.bellsouth.net>, Karl
          > > Burrows says...
          > > > Here's a simple script I have pulled from various sources and wondered if
          > > > there was a way to improve it. First, if they type the wrong password, I
          > > > would like to redirect them to another login page to tell them to try again.
          > >
          > > You need to have a 404 error page that does that.
          > >
          > > > Second, I would like to figure out a way to keep someone from just
          > > > bookmarking pages behind the main page to bypass the password.
          > >
          > > Set a cookie.
          > >
          > > > I know this
          > > > is not perfect and there is nothing critical behind the password protected
          > > > pages, but just wanted to shore it up a bit.
          > >
          > > Do it properly with .htaccess or a database.

          > Do you have any examples of what I need to do?

          No. Do you know how to use a search engine?

          --
          Hywel



          • Karl Burrows

            #6
            Re: Password Script Improvements

            I have and I pieced together this code from them. I just wanted to find a
            way to make it a bit better. If you don't want to help and want to get
            critical with me, don't reply to my post. I spent 3 hours researching ways
            to do this (I have very little JavaScript experience) and was pretty proud of
            myself for being able to combine the coding I found to make something that
            seemed to work. I just wanted advice and assistance to improve it to make
            it more functional.

            "Hywel" <hyweljenkins@hotmail.com> wrote in message
            news:MPG.1bb12e51c7dabab69898c7@news.individual.net...
            > In article <4Mr1d.154007$%n4.71508@bignews6.bellsouth.net>, Karl Burrows
            > says...
            > > "Hywel" <hyweljenkins@hotmail.com> wrote in message
            > > news:MPG.1baff42191ef6ef9898c3@news.individual.net...
            > > > In article <l2k1d.152913$%n4.120174@bignews6.bellsouth.net>, Karl
            > > > Burrows says...
            > > > > Here's a simple script I have pulled from various sources and wondered if
            > > > > there was a way to improve it. First, if they type the wrong password, I
            > > > > would like to redirect them to another login page to tell them to try again.
            > > >
            > > > You need to have a 404 error page that does that.
            > > >
            > > > > Second, I would like to figure out a way to keep someone from just
            > > > > bookmarking pages behind the main page to bypass the password.
            > > >
            > > > Set a cookie.
            > > >
            > > > > I know this
            > > > > is not perfect and there is nothing critical behind the password protected
            > > > > pages, but just wanted to shore it up a bit.
            > > >
            > > > Do it properly with .htaccess or a database.
            >
            > > Do you have any examples of what I need to do?
            >
            > No. Do you know how to use a search engine?
            >
            > --
            > Hywel
            >
            > http://sponsorhywel.org.uk/



            • Robert

              #7
              Re: Password Script Improvements

              In article <mYM1d.145196$_h.55576@bignews3.bellsouth.net>,
              "Karl Burrows" <kfb1@spambellsouth.net> wrote:

              > I have and I pieced together this code from them.

              This is good.

              > I just wanted to find a
              > way to make it a bit better. If you don't want to help and want to get
              > critical with me, don't reply to my post.

              Then do not post here. People are replying for free. Hire a consultant
              if you need affirmation of your ideas.


              I am curious why you cannot use the password saving methods in Netscape
              7.2? Doesn't IE have a password saving method too? I didn't
              understand why this wouldn't work.

              Robert


              • Karl Burrows

                #8
                Re: Password Script Improvements

                Robert, it is just frustrating to ask for some direction and have someone
                tell me to do a Google search. I help out in many newsgroups including
                Outlook, XP, Excel, etc. I can't do it all and rely on your help as much as
                others rely on mine. I don't expect anyone to do it for me, but sharing
                resources and tips and tricks is the way to learn.

                "Robert" <rccharles@my-deja.com> wrote in message
                news:rccharles-85D2ED.23255614092004@news1.west.earthlink.net...
                > In article <mYM1d.145196$_h.55576@bignews3.bellsouth.net>,
                > "Karl Burrows" <kfb1@spambellsouth.net> wrote:
                >
                > > I have and I pieced together this code from them.
                >
                > This is good.
                >
                > > I just wanted to find a
                > > way to make it a bit better. If you don't want to help and want to get
                > > critical with me, don't reply to my post.
                >
                > Then do not post here. People are replying for free. Hire a consultant
                > if you need affirmation of your ideas.
                >
                >
                > I am curious why you cannot use the password saving methods in Netscape
                > 7.2? Doesn't IE have a password saving method too? I didn't
                > understand why this wouldn't work.
                >
                > Robert



                • Karl Burrows

                  #9
                  Re: Password Script Improvements

                  Thank you for your help!!!

                  "Michael Winter" <M.Winter@blueyonder.co.invalid> wrote in message
                  news:opseagv1gsx13kvk@atlantis...
                  > On Mon, 13 Sep 2004 12:39:23 -0400, Karl Burrows <kfb1@spambellsouth.net>
                  > wrote:
                  >
                  > > Here's a simple script I have pulled from various sources and wondered
                  > > if there was a way to improve it.
                  >
                  > [snip]
                  >
                  > Focusing on the script approach (though the server is better)...
                  >
                  > [snip]
                  >
                  > > function CheckEnter(event)
                  > > {
                  > > var NS4 = (document.layers) ? true : false;
                  >
                  > ...you can improve this script by removing that bit of browser detection.
                  > For a start, it doesn't help modern Gecko browsers that do use the which
                  > property to identify the key. Secondly, browser detection is just a bad
                  > idea. See the FAQ (4.26).
                  >
                  > <URL:http://jibbering.com/faq/>
                  >
                  > > var code = 0;
                  > >
                  > > if (NS4)
                  > > code = event.which;
                  > > else
                  > > code = event.keyCode;
                  >
                  > Use:
                  >
                  > if('number' == typeof event.which) {
                  > code = event.which;
                  > } else if('number' == typeof event.keyCode) {
                  > code = event.keyCode;
                  > }
                  >
                  > instead. That way, you actually check what's supported, not what you can
                  > infer from other, unrelated characteristics.
                  >
                  > > if (code==13)
                  > > {
                  > > PasswordLogin();
                  > > event.returnValue = false;
                  >
                  > If you really want to make sure that the event is cancelled, then use
                  > appropriate approaches, not just Microsoft's:
                  >
                  > if(event.preventDefault) {
                  > event.preventDefault();
                  > } else if('undefined' != typeof event.returnValue) {
                  > event.returnValue = false;
                  > }
                  > // Assuming that you'll pass the return code back properly
                  > return false;
                  >
                  > > }
                  > > }
                  >
                  > Hope that helps,
                  > Mike
                  >
                  > --
                  > Michael Winter
                  > Replace ".invalid" with ".uk" to reply by e-mail.



                  • Grant Wagner

                    #10
                    Re: Password Script Improvements

                    Karl Burrows wrote:

                    > Here's a simple script I have pulled from various sources and wondered if
                    > there was a way to improve it. First, if they type the wrong password, I
                    > would like to redirect them to another login page to tell them to try again.
                    > Second, I would like to figure out a way to keep someone from just
                    > bookmarking pages behind the main page to bypass the password. I know this
                    > is not perfect and there is nothing critical behind the password protected
                    > pages, but just wanted to shore it up a bit.
                    >
                    > Thanks!
                    >
                    > function PasswordLogin()
                    > {
                    > document.location.href = document.formlogin.password.value + ".htm";
                    > return false;
                    > }
                    >
                    > function CheckEnter(event)
                    > {
                    > var NS4 = (document.layers) ? true : false;
                    > var code = 0;
                    >
                    > if (NS4)
                    > code = event.which;
                    > else
                    > code = event.keyCode;
                    > if (code==13)
                    > {
                    > PasswordLogin();
                    > event.returnValue = false;
                    > }
                    > }

                    Using document.layers to determine that the browser is Netscape 4 and then using
                    that information to determine whether to use event.which or event.keyCode is
                    what is called "browser detection" and although it is probably a safe choice in
                    this case, it's best to use "feature detection". That is, test for the feature
                    you want before using it, rather than basing your decision on some arbitrary
                    object or property you think is only available in a particular browser. In your
                    case, this would make your code:

                    <script type="text/javascript">
                    function checkEnter(e) {
                        var key;
                        if (e && e.which) {
                            key = e.which;
                        } else if (event.keyCode) {
                            key = event.keyCode;
                        }
                        if (key == 13) {
                            // alert(document.forms['formlogin'].elements['pwInput'].value);
                            window.location.href = document.forms['formlogin'].elements['pwInput'].value + ".htm";
                        }
                        return true;
                    }
                    </script>
                    <form name="formlogin">
                    <input type="password" name="pwInput" value="" onkeydown="return checkEnter(event);">
                    </form>

                    There's no reason to create PasswordLogin(). There's no reason to set
                    event.returnValue, since if key == 13, you are navigated off the page, no
                    JavaScript should execute after you set window.location.href. Note also that
                    it's window.location.href. document.location works, but it is deprecated.

                    There is no way of preventing someone from bookmarking the target page and
                    simply returning to it later, bypassing your elaborate security system. You
                    could attempt to test document.referrer in the "secured" page and if it's not
                    your security form, redirect back to your security form. But disabling
                    JavaScript would resolve that problem fairly quickly. Not to mention, if they
                    have the "secured" page bookmarked, it would just be a matter of typing in the
                    filename they already know.

                    As many have said, the only way to secure something is on the server. If you run
                    apache, you can do this with .htaccess:

                    <FilesMatch ".+">
                        # meet any condition for any file
                        Satisfy Any

                        Order Deny,Allow
                        # Deny everybody
                        Deny from All
                        # Allow local LAN users without auth - can be omitted
                        Allow from 192.168

                        # file to obtain user data from, may be different on your system
                        AuthUserFile /usr/local/www/data/.htpasswd
                        AuthGroupFile /dev/null
                        AuthName "Information you want on the browser auth dialog"
                        AuthType Basic

                        Require valid-user
                    </FilesMatch>
                    # ran into a problem... allow from 192.168 was showing .ht* files
                    # this FilesMatch directive prevents that; there is a FilesMatch
                    # directive in httpd.conf, but the allow from 192.168 above seems to
                    # override it or something
                    <FilesMatch "^\.ht">
                        Order allow,deny
                        Deny from all
                        Satisfy All
                    </FilesMatch>

                    (just noticed I can probably trim that down to a single <FilesMatch> directive:
                    <FilesMatch "^[^\.ht]">, but since I haven't tested this I'd stick with what
                    I've got above, which I know works)

                    and .htpasswd:

                    # to create the first one (without -b, htpasswd prompts for the password)
                    htpasswd -c /usr/local/www/data/.htpasswd myusername
                    # to add more (-b takes the password from the command line)
                    htpasswd -b /usr/local/www/data/.htpasswd someoneelse theirpassword

                    Documentation for doing authentication in Apache is available at <url:
                    http://httpd.apache.org/docs/howto/auth.html />

                    --
                    Grant Wagner <gwagner@agricoreunited.com>
                    comp.lang.javascript FAQ - http://jibbering.com/faq
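
The server-side check that the replies above recommend, as an added example that is not part of any post in this thread: each request is authorized from its Authorization header, so a bookmarked URL without credentials gets a 401. The user name, password, realm and function names are constructed for illustration.

```javascript
// Added example (not from the thread): a server-side Basic auth check in Node.js.
// User name, password, realm and function names are constructed for illustration.
const nodeCrypto = require("node:crypto");

const REALM = "Members area"; // text shown in the browser's auth dialog

// Keep only a salted scrypt hash of each password, never the password itself.
function hashPassword(password, salt = nodeCrypto.randomBytes(16)) {
  return { salt, hash: nodeCrypto.scryptSync(password, salt, 32) };
}

// Constructed sample user store; a real one would be loaded from a file or database.
const USERS = new Map([["myusername", hashPassword("correct horse battery")]]);

// Parse "Authorization: Basic <base64(user:password)>".
// Returns null when the header is missing or malformed.
function parseBasicAuth(header) {
  if (typeof header !== "string") return null;
  const match = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(header.trim());
  if (!match) return null;
  const decoded = Buffer.from(match[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // only the first ':' separates user and password
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

function credentialsValid(creds) {
  if (!creds) return false;
  const record = USERS.get(creds.user);
  // Hash and compare even for unknown users so both cases take similar time.
  const salt = record ? record.salt : Buffer.alloc(16);
  const expected = record ? record.hash : Buffer.alloc(32);
  const candidate = nodeCrypto.scryptSync(creds.pass, salt, 32);
  const same = nodeCrypto.timingSafeEqual(candidate, expected);
  return record !== undefined && same;
}

// Decide the response for one request from its headers (Node lower-cases header names).
// The check runs on every request, so a bookmarked URL gets the same 401 as any other
// request without valid credentials, and the 401 makes the browser ask again.
function authorize(headers) {
  if (credentialsValid(parseBasicAuth(headers["authorization"]))) {
    return { status: 200, headers: {} };
  }
  return { status: 401, headers: { "WWW-Authenticate": `Basic realm="${REALM}"` } };
}

// Wire the decision into an HTTP server; `pages` maps URL paths to HTML strings.
function createServer(pages) {
  return require("node:http").createServer((req, res) => {
    const decision = authorize(req.headers);
    if (decision.status !== 200) {
      res.writeHead(decision.status, decision.headers);
      return res.end("Authentication required\n");
    }
    const body = pages[req.url];
    res.writeHead(body ? 200 : 404, { "Content-Type": "text/html" });
    res.end(body || "Not found\n");
  });
}

// Constructed requests: no credentials (a bookmark), a wrong password, the right one.
const basic = (u, p) => "Basic " + Buffer.from(`${u}:${p}`).toString("base64");
console.log(authorize({}).status);
console.log(authorize({ authorization: basic("myusername", "guess") }).status);
console.log(authorize({ authorization: basic("myusername", "correct horse battery") }).status);
```

Basic authentication sends the password base64-encoded, not encrypted, so a check like this belongs behind HTTPS.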


                    • Hywel

                      #11
                      Re: Password Script Improvements

                      In article <mYM1d.145196$_h.55576@bignews3.bellsouth.net>, Karl Burrows
                      says...
                      > "Hywel" <hyweljenkins@hotmail.com> wrote in message
                      > news:MPG.1bb12e51c7dabab69898c7@news.individual.net...
                      > > In article <4Mr1d.154007$%n4.71508@bignews6.bellsouth.net>, Karl Burrows
                      > > says...
                      > > > "Hywel" <hyweljenkins@hotmail.com> wrote in message
                      > > > news:MPG.1baff42191ef6ef9898c3@news.individual.net...
                      > > > > In article <l2k1d.152913$%n4.120174@bignews6.bellsouth.net>, Karl
                      > > > > Burrows says...
                      > > > > > Here's a simple script I have pulled from various sources and wondered if
                      > > > > > there was a way to improve it. First, if they type the wrong password, I
                      > > > > > would like to redirect them to another login page to tell them to try again.
                      > > > >
                      > > > > You need to have a 404 error page that does that.
                      > > > >
                      > > > > > Second, I would like to figure out a way to keep someone from just
                      > > > > > bookmarking pages behind the main page to bypass the password.
                      > > > >
                      > > > > Set a cookie.
                      > > > >
                      > > > > > I know this
                      > > > > > is not perfect and there is nothing critical behind the password protected
                      > > > > > pages, but just wanted to shore it up a bit.
                      > > > >
                      > > > > Do it properly with .htaccess or a database.
                      > >
                      > > > Do you have any examples of what I need to do?
                      > >
                      > > No. Do you know how to use a search engine?

                      > I have and I pieced together this code from them.

                      And?

                      > I just wanted to find a way to make it a bit better.

                      I told you how.

                      > If you don't want to help

                      I did help.

                      > and want to get critical with me, don't reply to my post.

                      Don't top-post.

                      > I spent 3 hours researching ways
                      > to do this (I have very little JavaScript experience) and was pretty proud of
                      > myself for being able to combine the coding I found to make something that
                      > seemed to work.

                      Good for you.

                      > I just wanted advice and assistance to improve it to make
                      > it more functional.

                      I gave you good advice. Take it.

                      --
                      Hywel

