protecting a link to a page

[Lee]

Xerxes said:

Hi,
how can I activate a login when someone clicks on a link? I want only
authorized users to have access to the pages accessible through the
links.

Anything involving security should be done on the server,
not on the pages that are sent to the client.
Your web hosting service should be able to help you.

 

[David Dorward]

how can I activate a login when someone clicks on a link? I want only
authorized users to have access to the pages accessible through the
links.

Not with JavaScript (at least not with client side JavaScript).

Most webservers have some kind of built in functionality, or you can
implement a login system in just about any server side programming language
your server supports (you can use postscript if you are feeling insane, but
Perl, PHP and JSP are better bets (Windows users might want to look at
ASP)).

 

[Xerxes]

Hi,
how can I activate a login when someone clicks on a link? I want only
authorized users to have access to the pages accessible through the
links.

Thanks.

 

[kaeli]

Hi,
how can I activate a login when someone clicks on a link? I want only
authorized users to have access to the pages accessible through the
links.

Put them in their own directory and protect the directory with decent
security.
..htaccess works great for Apache servers and IIS has it's own mechanism.

This has nothing at all to do with javascript. Javascript should *never*
be used to implement security.

--
--
~kaeli~
Jesus saves, Allah protects, and Cthulhu thinks you'd make
a nice sandwich.
http://www.ipwebdesign.net/wildAtHeart
http://www.ipwebdesign.net/kaelisSpace

 

[Grant Wagner]

Hi,
how can I activate a login when someone clicks on a link? I want only
authorized users to have access to the pages accessible through the
links.

Thanks.

Any "security" you provide via client-side Javascript is no security at
all.

Secure the login process on the server.

Then go a step further and make it difficult to automate a process that
simply tries every password for an account... for example, disable the
account for 10 minutes after 3 successive login failures on an account.

It is unbelievably easy to write applications that will just try to POST
to an ACTION repeatedly with different values for the inputs. This is
precisely why if you fail to provide the correct password to Yahoo! Mail
(for example), it displays an image with machine unreadable text and asks
the user to provide the word. This eliminates any possiblity of an
automated tool hacking away at accounts until it discovers the password.

 

[Xerxes]

Hi and thanks for the reply.
The link is supposed to play a streaming video, hosted by
brandbandvideo.com. If it was to open another page, I could "protect"
the page through the web hosting company admin page so it would
automatically ask for user id and password. But since the link would
open Windows Media Player, I am not sure how to proceed.
I apologize for simple question.

 

[Grant Wagner]

If the final destination is hosted on a server with no server
authentication, there isn't really anything you can do either client or
server-side to prevent someone from simply bookmarking the final location.

Store the video with some incredibly strange file name, then add server
authentication to a page you host that has a link to the incredibly strange
and hard to guess file name of the video. Of course, once someone has that
link, they can simply post it for all the world to see somewhere else.

Or, a variation on the above might be (if you can manipulate the file hosted
on brandbandvideo.com from your server)... have server-side processing on
your server create a symlink to the video with a really strange name, then
generate a link to that strange name. Have a nightly job remove all the
symlinks created that day. That way, each visit to your protected page
hosted on your server creates a link that is effectively useless the next
day.

What you want to do can not be done using client-side Javascript, and unless
I'm missing something simple and obvious, it can't be done very effectively
server-side either.