Two Password Problems

[Noel S Pamfree]

Problem 1
=======

I need to create a page for a friend who operates a school website. She
needs to set up a page so that only the Governors can access it. I thought
I'd try to use JavaScript to prompt for a password. (I am only an amateur at
writing JavaScript).

It works fine in my tests when using Firefox but when I load the page in
Internet Explorer it causes an error. (I am using the newest version 7 - the
one that keeps crashing!). Somehow when you click on the button to ask for
access to the page it doesn't prompt you for the password and a message
about not trusting scripts appears (but you can't get to it to say yes).

My test page is at www.uk.f2s.com/testhtm.htm and the password is "test".

The Java script I inserted is:

<script>
//We will first ask the user if s/he would like to continue into this
restricted area
var p=confirm("This page is for Governors only and it password protected, do
you still wish to enter?")
if(p){

<!-- Set Password here -->
var ans="test"

<!-- Enter Password here -->
var pass=prompt("Please enter the password")

<!-- Responses to Password here -->
if(pass!==ans)
{

<!-- User clicks on 'Cancel' -->
alert("Sorry that's wrong - you will now be returned to our home page!")
window.location="http://www.st-louismiddle.suffolk.sch.uk"

<!-- User enters correct password -->
}else{window.location="http://www.uk.f2s.com"}

<!-- User enters incorrect password -->
}else{alert("You will be returned to our home page")
window.location="http://www.st-louismiddle.suffolk.sch.uk"}
</script>

Problem 2
=======

I want asterisks to appear when the password is entered and not have the
characters appear on the screen but I don't know how to do it in JavaScript.
If anyone knows of a webpage that will help I would be very grateful.

Any help appreciated.

Noel

 

[web.dev]

Problem 1
=======

I need to create a page for a friend who operates a school website. She
needs to set up a page so that only the Governors can access it. I thought
I'd try to use JavaScript to prompt for a password. (I am only an amateur at
writing JavaScript).

If you want security, then your friend is going about it the wrong way.
This method is easy to circumvent. For example, I can either turn
javascript off, or look at the source code to get the password.

Problem 2
=======

I want asterisks to appear when the password is entered and not have the
characters appear on the screen but I don't know how to do it in JavaScript.
If anyone knows of a webpage that will help I would be very grateful.

Don't use prompts to ask for a password. Use forms instead. There is
a password type input control which does this for you:

<input type = "password">

Handle your authentication server-side.

 

[David Dorward]

I need to create a page for a friend who operates a school website. She
needs to set up a page so that only the Governors can access it. I thought
I'd try to use JavaScript to prompt for a password. (I am only an amateur
at writing JavaScript).

The client is the wrong place to try to put security.

<script>

Invalid HTML.

<!-- Set Password here -->
var ans="test"

<!-- Enter Password here -->
var pass=prompt("Please enter the password")

<!-- Responses to Password here -->
if(pass!==ans)

So "If user types in something other than the password they can see by using
View > Source in their browser."...

alert("Sorry that's wrong - you will now be returned to our home page!")

Punish them for their slight typo by sending them back to the start.

<!-- User enters correct password -->
}else{window.location="http://www.uk.f2s.com"}

Otherwise send them to the secret URL they can find out by viewing source.

<!-- User enters incorrect password -->
}else{alert("You will be returned to our home page")

Otherwise? The script can never get here.

Any help appreciated.

Find out what facilities your webserver has for password protection. It
likely has some facility for HTTP Basic Authentication built it, and may
have server side scripting facilities with which you can do fancier login
systems.

If it doesn't have such functionality - find better hosting, or give up on
the idea of security.

 

[Bart Van der Donck]

Problem 1
=======

I need to create a page for a friend who operates a school website. She
needs to set up a page so that only the Governors can access it. I thought
I'd try to use JavaScript to prompt for a password. (I am only an amateur at
writing JavaScript).

It works fine in my tests when using Firefox but when I load the page in
Internet Explorer it causes an error. (I am using the newest version 7 - the
one that keeps crashing!). Somehow when you click on the button to ask for
access to the page it doesn't prompt you for the password and a message
about not trusting scripts appears (but you can't get to it to say yes).

My test page is at www.uk.f2s.com/testhtm.htm and the password is "test".

The Java script I inserted is:

<script>
//We will first ask the user if s/he would like to continue into this
restricted area
var p=confirm("This page is for Governors only and it password protected, do
you still wish to enter?")
if(p){

<!-- Set Password here -->
var ans="test"

<!-- Enter Password here -->
var pass=prompt("Please enter the password")

<!-- Responses to Password here -->
if(pass!==ans)
{

<!-- User clicks on 'Cancel' -->
alert("Sorry that's wrong - you will now be returned to our home page!")
window.location="http://www.st-louismiddle.suffolk.sch.uk"

<!-- User enters correct password -->
}else{window.location="http://www.uk.f2s.com"}

<!-- User enters incorrect password -->
}else{alert("You will be returned to our home page")
window.location="http://www.st-louismiddle.suffolk.sch.uk"}
</script>

Problem 2
=======

I want asterisks to appear when the password is entered and not have the
characters appear on the screen but I don't know how to do it in JavaScript.
If anyone knows of a webpage that will help I would be very grateful.

I believe the following solves both of your problems:

<form onSubmit="return false;" name="f">
<input type="password" name="pw">
<input type="button" value="LOGIN"
onClick="window.location.href = document.f.pw.value + '.htm'">
</form>

If your password were G5yH2iKJ, then the protected page should be named
G5yH2iKJ.htm.

Directory browsing is turned off at uk.f2s.com, which is a Conditio
Sine Qua Non before using this kind of authentication.

Suppose that the user enters a bad password, he will get a
page-not-found error (404). I see two possible solutions:

(1) Use .htaccess directive: Create a file named .htaccess, put
"ErrorDocument 404 /errors/404.html" in it (one line) and upload it to
the directory that points to www.uk.f2s.com. If there is already a
..htaccess file, just add "ErrorDocument 404 /errors/404.html" as a new
line at the bottom of it. /errors/404.html thus becomes the location to
catch page-not-found errors, like www.uk.f2s.com/notexist.htm.

(2) Before invoking the window.location.href command, send a
XMLHttpRequest to fetch the HTTP status code. This way one could
perform the location change (URL exists) or show an error to the user
(bad password, URL doesn't exist). Search for "Does a url exist?" on
http://www.jibbering.com/2002/4/httprequest.html for the recommended
way to perform such a check.

Hope this helps,