Topic awaiting preservation: JavaScript Immediate Redirect... (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=27159" title="Pages that link to Topic awaiting preservation: JavaScript Immediate Redirect... (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: JavaScript Immediate Redirect... <span class="small">(Page 1 of 1)</span>\$

ausar72 Neurotic (0) Inmate Newly admitted From: Insane since: Dec 2005	posted 12-16-2005 16:24 Here's my file set up: I have a password-protected page (using a chunk of JavaScript code contained in an external .js file.) I created a login page that takes the username and password and sends it through a verification process that sets a variable to either 1 or 0 in a cookie. I put an onLoad function call in the <body> tag on the password-protected page but... My problem is that the page that I'm protecting has a lot of images and if you access the page without going to the login page first, the page will sit there and load the images first before the script is run in the external file. My question is... Is there any other location or method that I can use to get the page to not show any contact, before the user is bounced out to the login page? Thanks in advance!
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-16-2005 18:03 this is so insecure on so many levels a) Anybody can download the 'external' js file and see it's code. b) anybody can send any cookie they want - with either 0 or 1 in it. c) you should never bounce out. I can simply disable javascript and get the page. You redirect in - to at least an unknow url to an attacker. Solution: Either use a .htaccess AuthBasic protection. Or at least use something server sided. Don't rely on anything that comes from a webclient. so long, ->Tyberius Prime
ausar72 Obsessive-Compulsive (I) Inmate From: Insane since: Dec 2005	posted 12-16-2005 19:49 Yeah, I know it's unprotected, and very easy to get to the password. I was posting this for someone who needed something quick for a site thae he maintains. All that's behind th login are christmas party photos. Thanks for the imnput on thise other technologies though. I think i'm gonna tell him to look into that htaccess technology you mentioned.
bitdamaged Maniac (V) Mad Scientist From: 100101010011 <-- right about here Insane since: Mar 2000	posted 12-16-2005 22:56 for fast an dirty yet secure password protection .htaccess is the way to go. Two quick files dropped in the directory and you're good to go. .:[ Never resist a perfect moment ]:.
TwoD Bipolar (III) Inmate From: Sweden Insane since: Aug 2004	posted 12-17-2005 23:25 I think the most safe way to password protect something using JS is to simply use the password and username as the filename on the page you want to protect. Then simply wrap the name and pass with a prefix (folders etc) and the ".htm" suffix and change the url to that name. If the pass is wrong, no file is found. Of course you need to have an index.htm file in that folder or it will be easy to open the file by simply browsing the folder. Of course, this asumes nobody's looking over your shoulder while you're "logged in" or they'll see the "hidden" filename in the address bar..... :P /TwoD

Topic awaiting preservation: JavaScript Immediate Redirect... (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=27159" title="Pages that link to Topic awaiting preservation: JavaScript Immediate Redirect... (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: JavaScript Immediate Redirect... <span class="small">(Page 1 of 1)</span>\$

ausar72
Neurotic (0) Inmate
Newly admitted

From:
Insane since: Dec 2005

posted 12-16-2005 16:24

Here's my file set up:

I have a password-protected page (using a chunk of JavaScript code contained in an external .js file.)

I created a login page that takes the username and password and sends it through a verification process that sets a variable to either 1 or 0 in a cookie.

I put an onLoad function call in the <body> tag on the password-protected page but...

My problem is that the page that I'm protecting has a lot of images and if you access the page without going to the login page first, the page will sit there and load the images first before the script is run in the external file.

My question is...

Is there any other location or method that I can use to get the page to not show any contact, before the user is bounced out to the login page?

Thanks in advance!

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-16-2005 18:03

this is so insecure on so many levels

a) Anybody can download the 'external' js file and see it's code.
b) anybody can send any cookie they want - with either 0 or 1 in it.
c) you should never bounce out. I can simply disable javascript and get the page. You redirect in - to at least an unknow url to an attacker.

Solution: Either use a .htaccess AuthBasic protection.
Or at least use something server sided. Don't rely on anything that comes from a webclient.

so long,

->Tyberius Prime

ausar72
Obsessive-Compulsive (I) Inmate

From:
Insane since: Dec 2005

posted 12-16-2005 19:49

Yeah,

I know it's unprotected, and very easy to get to the password. I was posting this for someone who needed something quick for a site thae he maintains. All that's behind th login are christmas party photos.

Thanks for the imnput on thise other technologies though.

I think i'm gonna tell him to look into that htaccess technology you mentioned.

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 12-16-2005 22:56

for fast an dirty yet secure password protection .htaccess is the way to go.

Two quick files dropped in the directory and you're good to go.

.:[ Never resist a perfect moment ]:.

TwoD
Bipolar (III) Inmate

From: Sweden
Insane since: Aug 2004

posted 12-17-2005 23:25

I think the most safe way to password protect something using JS is to simply use the password and username as the filename on the page you want to protect.
Then simply wrap the name and pass with a prefix (folders etc) and the ".htm" suffix and change the url to that name.
If the pass is wrong, no file is found. Of course you need to have an index.htm file in that folder or it will be easy to open the file by simply browsing the folder.

Of course, this asumes nobody's looking over your shoulder while you're "logged in" or they'll see the "hidden" filename in the address bar..... :P

/TwoD