Two Password Problems

Discussion in 'Javascript' started by Noel S Pamfree, Nov 20, 2006.

  1. Problem 1
    =======

    I need to create a page for a friend who operates a school website. She
    needs to set up a page so that only the Governors can access it. I thought
    I'd try to use JavaScript to prompt for a password. (I am only an amateur at
    writing JavaScript).

    It works fine in my tests when using Firefox but when I load the page in
    Internet Explorer it causes an error. (I am using the newest version 7 - the
    one that keeps crashing!). Somehow when you click on the button to ask for
    access to the page it doesn't prompt you for the password and a message
    about not trusting scripts appears (but you can't get to it to say yes).

    My test page is at www.uk.f2s.com/testhtm.htm and the password is "test".

    The JavaScript I inserted is:

    <script>
    //We will first ask the user if s/he would like to continue into this restricted area
    var p=confirm("This page is for Governors only and it password protected, do you still wish to enter?")
    if(p){

    <!-- Set Password here -->
    var ans="test"

    <!-- Enter Password here -->
    var pass=prompt("Please enter the password")

    <!-- Responses to Password here -->
    if(pass!==ans)
    {

    <!-- User clicks on 'Cancel' -->
    alert("Sorry that's wrong - you will now be returned to our home page!")
    window.location="http://www.st-louismiddle.suffolk.sch.uk"

    <!-- User enters correct password -->
    }else{window.location="http://www.uk.f2s.com"}

    <!-- User enters incorrect password -->
    }else{alert("You will be returned to our home page")
    window.location="http://www.st-louismiddle.suffolk.sch.uk"}
    </script>

    Problem 2
    =======

    I want asterisks to appear when the password is entered and not have the
    characters appear on the screen but I don't know how to do it in JavaScript.
    If anyone knows of a webpage that will help I would be very grateful.

    Any help appreciated.

    Noel
    Noel S Pamfree, Nov 20, 2006
    #1

  2. Noel S Pamfree

    web.dev Guest

    Noel S Pamfree wrote:
    > Problem 1
    > =======
    >
    > I need to create a page for a friend who operates a school website. She
    > needs to set up a page so that only the Governors can access it. I thought
    > I'd try to use JavaScript to prompt for a password. (I am only an amateur at
    > writing JavaScript).


    If you want security, then your friend is going about it the wrong way.
    This method is easy to circumvent. For example, I can either turn
    javascript off, or look at the source code to get the password.

    > Problem 2
    > =======
    >
    > I want asterisks to appear when the password is entered and not have the
    > characters appear on the screen but I don't know how to do it in JavaScript.
    > If anyone knows of a webpage that will help I would be very grateful.


    Don't use prompts to ask for a password. Use forms instead. There is
    a password type input control which does this for you:

    <input type = "password">

    Handle your authentication server-side.
    web.dev, Nov 20, 2006
    #2

  3. Noel S Pamfree wrote:

    > I need to create a page for a friend who operates a school website. She
    > needs to set up a page so that only the Governors can access it. I thought
    > I'd try to use JavaScript to prompt for a password. (I am only an amateur
    > at writing JavaScript).


    The client is the wrong place to try to put security.

    > <script>


    Invalid HTML.

    > <!-- Set Password here -->
    > var ans="test"
    >
    > <!-- Enter Password here -->
    > var pass=prompt("Please enter the password")


    > <!-- Responses to Password here -->
    > if(pass!==ans)


    So "If user types in something other than the password they can see by using
    View > Source in their browser."...

    > alert("Sorry that's wrong - you will now be returned to our home page!")


    Punish them for their slight typo by sending them back to the start.

    > <!-- User enters correct password -->
    > }else{window.location="http://www.uk.f2s.com"}


    Otherwise send them to the secret URL they can find out by viewing source.

    > <!-- User enters incorrect password -->
    > }else{alert("You will be returned to our home page")


    Otherwise? The script can never get here.

    > Any help appreciated.


    Find out what facilities your webserver has for password protection. It
    likely has some facility for HTTP Basic Authentication built in, and may
    have server side scripting facilities with which you can do fancier login
    systems.

    If it doesn't have such functionality - find better hosting, or give up on
    the idea of security.

    --
    David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
    Home is where the ~/.bashrc is
    David Dorward, Nov 20, 2006
    #3
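
The replies above recommend handling authentication on the server, for instance with HTTP Basic Authentication. The check looks like this in Node.js (an added example, not code from the thread; the user name, password, realm and function names are constructed):

```javascript
// Added example: HTTP Basic Authentication checked on the server (Node.js).
const http = require('http');
const crypto = require('crypto');

// Constructed sample account. Only a salted scrypt hash is kept, never the password.
const SALT = crypto.randomBytes(16);
const USERS = { governor: crypto.scryptSync('constructed-sample-pw', SALT, 32) };

// Parse "Basic base64(user:password)"; return null when the header is malformed.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// True only when the user exists and the password hashes to the stored value.
function isAuthorized(header) {
  const cred = parseBasic(header);
  if (!cred) return false;
  const stored = Object.hasOwn(USERS, cred.user) ? USERS[cred.user] : null;
  // Hash even for unknown users so response time does not reveal which names exist.
  const given = crypto.scryptSync(cred.pass, SALT, 32);
  return stored !== null && crypto.timingSafeEqual(given, stored);
}

// Decide the response. The protected content is only produced after the check passes,
// so there is nothing in the page source for an unauthenticated visitor to read.
function respond(header) {
  if (!isAuthorized(header)) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="Governors"' },
             body: 'Authentication required' };
  }
  return { status: 200, headers: { 'Content-Type': 'text/plain' },
           body: 'Governors-only content' };
}

// Call start(8080) to serve. Basic sends the password base64-encoded, not encrypted,
// so deploy it behind HTTPS only.
function start(port) {
  return http.createServer((req, res) => {
    const r = respond(req.headers.authorization);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}
```
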
  4. Noel S Pamfree wrote:

    > Problem 1
    > =======
    >
    > I need to create a page for a friend who operates a school website. She
    > needs to set up a page so that only the Governors can access it. I thought
    > I'd try to use JavaScript to prompt for a password. (I am only an amateur at
    > writing JavaScript).
    >
    > It works fine in my tests when using Firefox but when I load the page in
    > Internet Explorer it causes an error. (I am using the newest version 7 - the
    > one that keeps crashing!). Somehow when you click on the button to ask for
    > access to the page it doesn't prompt you for the password and a message
    > about not trusting scripts appears (but you can't get to it to say yes).
    >
    > My test page is at www.uk.f2s.com/testhtm.htm and the password is "test".
    >
    > The Java script I inserted is:
    >
    > <script>
    > //We will first ask the user if s/he would like to continue into this
    > restricted area
    > var p=confirm("This page is for Governors only and it password protected, do
    > you still wish to enter?")
    > if(p){
    >
    > <!-- Set Password here -->
    > var ans="test"
    >
    > <!-- Enter Password here -->
    > var pass=prompt("Please enter the password")
    >
    > <!-- Responses to Password here -->
    > if(pass!==ans)
    > {
    >
    > <!-- User clicks on 'Cancel' -->
    > alert("Sorry that's wrong - you will now be returned to our home page!")
    > window.location="http://www.st-louismiddle.suffolk.sch.uk"
    >
    > <!-- User enters correct password -->
    > }else{window.location="http://www.uk.f2s.com"}
    >
    > <!-- User enters incorrect password -->
    > }else{alert("You will be returned to our home page")
    > window.location="http://www.st-louismiddle.suffolk.sch.uk"}
    > </script>
    >
    > Problem 2
    > =======
    >
    > I want asterisks to appear when the password is entered and not have the
    > characters appear on the screen but I don't know how to do it in JavaScript.
    > If anyone knows of a webpage that will help I would be very grateful.


    I believe the following solves both of your problems:

    <form onSubmit="return false;" name="f">
    <input type="password" name="pw">
    <input type="button" value="LOGIN"
    onClick="window.location.href = document.f.pw.value + '.htm'">
    </form>

    If your password were G5yH2iKJ, then the protected page should be named
    G5yH2iKJ.htm.

    Directory browsing is turned off at uk.f2s.com, which is a Conditio
    Sine Qua Non before using this kind of authentication.

    Suppose that the user enters a bad password, he will get a
    page-not-found error (404). I see two possible solutions:

    (1) Use .htaccess directive: Create a file named .htaccess, put
    "ErrorDocument 404 /errors/404.html" in it (one line) and upload it to
    the directory that points to www.uk.f2s.com. If there is already a
    .htaccess file, just add "ErrorDocument 404 /errors/404.html" as a new
    line at the bottom of it. /errors/404.html thus becomes the location to
    catch page-not-found errors, like www.uk.f2s.com/notexist.htm.

    (2) Before invoking the window.location.href command, send an
    XMLHttpRequest to fetch the HTTP status code. This way one could
    perform the location change (URL exists) or show an error to the user
    (bad password, URL doesn't exist). Search for "Does a url exist?" on
    http://www.jibbering.com/2002/4/httprequest.html for the recommended
    way to perform such a check.

    Hope this helps,

    --
    Bart
    Bart Van der Donck, Nov 22, 2006
    #4
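
With the password used as a page name, every attempt is a requested URL and is written to the web server's access log: wrong attempts as 404s, the working one as a 200 and as the Referer of resources the page loads. The added example below (not part of the original post; the log lines, addresses and function names are constructed) shows how to audit a log for both:

```javascript
// Added example: what the access log holds under a password-as-filename scheme.
// Constructed Combined Log Format lines; IPs are documentation addresses and
// /G5yH2iKJ.htm is the sample page name used in the post above.
const SAMPLE_LOG = [
  '198.51.100.7 - - [22/Nov/2006:10:00:01 +0000] "GET /wrong1.htm HTTP/1.1" 404 209 "-" "-"',
  '198.51.100.7 - - [22/Nov/2006:10:00:03 +0000] "GET /wrong2.htm HTTP/1.1" 404 209 "-" "-"',
  '198.51.100.7 - - [22/Nov/2006:10:00:05 +0000] "GET /wrong3.htm HTTP/1.1" 404 209 "-" "-"',
  '203.0.113.5 - - [22/Nov/2006:10:02:00 +0000] "GET /g5yh2ikj.htm HTTP/1.1" 404 209 "-" "-"',
  '192.0.2.10 - - [22/Nov/2006:10:05:00 +0000] "GET /G5yH2iKJ.htm HTTP/1.1" 200 5120 "-" "-"',
  '192.0.2.10 - - [22/Nov/2006:10:05:01 +0000] "GET /logo.gif HTTP/1.1" 200 900 "http://www.example.org/G5yH2iKJ.htm" "-"',
];

const LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/;

// Return { ip, path, status, referer } or null for a line that does not parse.
function parseLine(line) {
  const m = LINE.exec(line);
  return m ? { ip: m[1], path: m[2], status: Number(m[3]), referer: m[4] } : null;
}

// Clients with `threshold` or more 404s on *.htm: each 404 is a rejected password.
function flagGuessers(lines, threshold = 3) {
  const misses = new Map();
  for (const e of lines.map(parseLine)) {
    if (e && e.status === 404 && /\.htm$/i.test(e.path)) {
      misses.set(e.ip, (misses.get(e.ip) || 0) + 1);
    }
  }
  return [...misses].filter(([, n]) => n >= threshold).map(([ip]) => ip).sort();
}

// Where the working password is stored in clear text: as a request path and as
// the Referer of resources the protected page loads.
function secretSightings(lines, protectedPath) {
  const entries = lines.map(parseLine).filter(Boolean);
  return {
    requestedBy: [...new Set(entries.filter(e => e.path === protectedPath).map(e => e.ip))],
    inReferer: entries.filter(e => e.referer.endsWith(protectedPath)).length,
  };
}
```
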