Need a script to enter into 'member's only' secure page
lakehook
07-01-2003, 01:52 AM
Does anyone have a script I could use?
I was looking around the javascript dump sites on how to create a username/password challenge on one of my pages, so that when a user enters the correct (username & password) it enters them through to some secured pages.
I understand HTML, but little of Javascript or Java.
If there is something you could throw at me that is relatively low security (and easy) that I can work on to tweak to my site I would appreciate it.
Thanks,
If you have any questions let me know.
PG
PeOfEo
07-01-2003, 03:04 AM
It can be done with JavaScript using a cookie, but I really do not recommend that. However, some of the people here can probably help you with a simple app if you would like to do this server side. What server side language does your server support? Oh yeah, I forgot another method: it would not be a login, but if you want to password protect a page you can just use the gate keeper method. That is where you redirect them to a url, but they have to enter a part you select into a text box, and you name the file something weird like kuffufin.html or something, and it will redirect them to the page depending on what they enter in the box; if it's wrong they get a 404 error. Do you follow that? But that method is not very safe because someone can just know the page url to go around. Anyway, which of the three methods I mentioned do you prefer?
PeOfEo
07-01-2003, 03:10 AM
These are the ways it can be done with JavaScript; they are not actual logins, for the most part they are just password protecting. http://www.javascriptkit.com/script/cutindex6.shtml
Originally posted by PeOfEo
...for the most part they are just password protecting. http://www.javascriptkit.com/script/cutindex6.shtml
The scripts on that page aren't protecting anything. If you want decent protection in JavaScript, look into SHA1 or MD5 encryption: http://pajhome.org.uk/crypt/md5/
brendandonhue
07-01-2003, 09:26 AM
Some of them do have encryption, but even if you do MD5 with JavaScript the problem is that someone can still view your source, and say "Oh, I just have to type this into a cookie and I'm in"
PeOfEo
07-01-2003, 06:56 PM
That's why I don't use JavaScript for such matters :) Plus, with JavaScript you cannot actually access a database and update user stats or utilise session variables like you could with asp or php or something. That's why I asked what server side language his server supports, hoping that no matter what it supports someone will be able to give him some very simple server side codes that will do what he is looking for :cool:
jeffmott
07-01-2003, 08:10 PM
but even if you do MD5 with javascript the problem is that someone can still view your source, and say "Oh, I just have to type this into a cookie and im in"
You missed the point of encryption. All they see in the source is the encrypted string. They cannot retrieve a string that will generate the same hash (assuming a secure algorithm is used, such as the ones pyro listed).
brendandonhue
07-01-2003, 08:11 PM
Yes, they don't know the string that was hashed, but they can still gain access to whatever it's protecting.
jeffmott
07-01-2003, 08:29 PM
but they can still gain access to whatever its protecting
This is a generalization. And, considering the number of insecure JavaScripts floating around out there, it is generally true. But, a page secured by JavaScript is possible.
Jonathan
07-01-2003, 10:02 PM
I found the following script on this JavaScript site... the only thing is that the page where you direct them has to be exactly 8 letters long... also you might want to make this page non-rightclickable... Just copy and paste this script and save it as a .html file... Then you can create password things... The only bad thing is you have to do it by hand...
<HTML>
<HEAD>
<TITLE>LOGIN</TITLE>
</HEAD>
<BODY>
<center><table border=1>
<tr><form name=members><td rowspan=4>
<select name=memlist size=10 onChange="showmem(this.form)">
<!-- "member name | password | destination pagename |" -->
<option selected value="John Smith|password|mainpage|">John Smith
</select></td>
<td align=right>User:</td><td><input type=hidden value="0" name=entry>
<input type=text name=memname size=8 value=""></td></tr>
<tr><td align=right>Password:</td><td><input type=text name=password size=8 maxlength=8><font size="-1">&lt;-- Must be exactly 8 characters</font></td></tr>
<tr><td align=right>Page Name:</td><td><input type=text name=pagename size=8 maxlength=8><b>.html</b><font size="-1">&lt;-- Must be exactly 8 characters</font></td></tr>
<tr><td colspan=2 align=center>
<input type=button value="New User" onclick="addnew(this.form);">
<input type=button value="Delete User" onclick="delthis(this.form);">
<input type=button value="Update/Show Coding" onclick="update(this.form); create(this.form);"></td></tr>
<tr><td colspan=3 align=center>
<input type=text size=60 name=message value="Note: Password/Page Name must be exactly 8 letters! (a-z)">
<input type=hidden name=num value=1></td>
</form></tr>
</table>
<hr size=2 width=75%>
<form name=js><textarea cols=75 rows=10 name=scrpt wrap=virtual>
<SCRIPT LANGUAGE="JavaScript">
<!-- Begin
var params=new Array(4);
var alpha="ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHI";
function check(form) {
which=form.memlist.selectedIndex;
choice = form.memlist.options[which].value+"|";
if (choice=="x|") {
alert("Please Select Your Name From The List");
return;
}
p=0;
for (i=0;i<3;i++) {
a=choice.indexOf("|",p);
params[i]=choice.substring(a,p);
p=a+1;
}
h1=makehash(form.pass.value,3);
h2=makehash(form.pass.value,10)+" ";
if (h1!=params[1]) {
alert("Incorrect Password!"); return; };
var page="";
for (var i=0;i<8;i++) {
letter=params[2].substring(i,i+1)
ul=letter.toUpperCase();
a=alpha.indexOf(ul,0);
a-=(h2.substring(i,i+1)*1);
if (a<0) a+=26;
page+=alpha.substring(a,a+1); };
top.location=page.toLowerCase()+".html";
}
function makehash(pw,mult) {
pass=pw.toUpperCase();
hash=0;
for (i=0;i<8;i++) {
letter=pass.substring(i,i+1);
c=alpha.indexOf(letter,0)+1;
hash=hash*mult+c;
}
return(hash);
}
// End -->
</script>
</textarea>
</form>
<SCRIPT LANGUAGE="JavaScript">
<!-- Begin
var params=new Array(4);
var script=document.js.scrpt.value;
document.js.scrpt.value="Your code pops up here";
var alpha="ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHI";
showmem(document.members);
function showmem(form) {
document.members.num.value=document.members.memlist.length;
var which=form.memlist.selectedIndex;
splt(form.memlist[which].value);
form.entry.value=which+1;
for (i=2;i<5;i++) {
form.elements[i].value=params[i-2]; };
}
function splt(choice) {
p=0;
for (i=0;i<3;i++) {
a=choice.indexOf("|",p);
params[i]=choice.substring(a,p);
p=a+1;
}
}
function addnew(form) {
newmem=getfields(form);
var who=prompt("New User's Name:","");
form.memlist[form.memlist.length] = new Option(who, newmem, false, true);
if (navigator.appName=="Netscape") {
document.js.scrpt.value=script;
history.go(0);
}
else {
showmem(document.members);
}
}
function getfields(form) {
// Join user name, password and page name (form elements 2-4) into "name|password|page|".
// The 8-letter rule shown in the form is not checked here.
newmem="";
for (i=2;i<5;i++) {
newmem+=form.elements[i].value+"|"; };
return(newmem);
}
function delthis(form) {
if (confirm("Delete "+form.memname.value+"?")) {
form.memlist.options[form.entry.value-1]=null;
form.message.value=form.memname.value+" Deleted";
form.memlist.selectedIndex=0;
if (navigator.appName=="Netscape") {
document.js.scrpt.value=script;
history.go(0);
}
else {
showmem(document.members);
}
}
}
function update(form) {
// Write the edited fields back into the selected list entry.
form.memlist[form.entry.value-1].value=getfields(form);
form.message.value=form.memname.value+"'s record was updated";
}
function create(form) {
var html="<center><form name=login>\n<table>\n"; // open the table that is closed further down
html+='<tr><td colspan=2 align=center><font size="+2">';
html+='<b>Members Only</b></font></td></tr>\n';
html+="<tr><td>Username:</td><td><select name=memlist>\n<option value='x'>";
for (j=0;j<form.memlist.length;j++) {
splt(form.memlist.options[j].value);
h1=makehash(params[1],3);
h2=makehash(params[1],10)+" ";
var page="";
for (var i=0;i<8;i++) {
letter=params[2].substring(i,i+1);
ul=letter.toUpperCase();
a=alpha.indexOf(ul,0);
a+=(h2.substring(i,i+1)*1);
page+=alpha.substring(a,a+1);
}
html+="\n<option value='"+params[0]+"|"+h1+"|"+page+"'>"+params[0];
};
html+="\n</select></td></tr>\n";
html+="<tr><td>Password:</td><td><input type=password size=10 maxlength=8 name=pass></td></tr>\n";
html+='<tr><td colspan=2 align=center><input type=button value="Login" onclick="check(this.form)"></td>\n';
html+="</tr>\n</table>\n</form>\n";
document.js.scrpt.value=html+script+"</center>";
}
function makehash(pw,mult) {
pass=pw.toUpperCase();
hash=0;
for (i=0;i<8;i++) {
letter=pass.substring(i,i+1);
c=alpha.indexOf(letter,0)+1;
hash=hash*mult+c;
}
return(hash);
}
// End -->
</script>
</center>
</BODY>
</HTML>
jeffmott
07-01-2003, 10:33 PM
This is actually just another classic insecure script. The developer, who is obviously far from being a cryptologist, attempted to write their own hashing function. And the result is far from secure. As has already been stated several times, algorithms such as SHA-1 or MD5 should be used. These were developed by reputable cryptographers and/or government agencies, and have been tested, attacked, and analyzed by the best cryptographers for years.
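To put numbers on the objection above, the following is an added example (not part of the thread and not the script author's code) that ports the posted makehash() and measures the value the script stores in the page source, makehash(password, 3). The helper names outputRange and countPreimages and the sample passwords are constructed for illustration.

```javascript
// Added example, not from the thread: measuring the posted makehash().
const ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHI"; // table from the posted script

// Port of the posted makehash(pw, mult), using local variables only.
function makehash(pw, mult) {
  const pass = pw.toUpperCase();
  let hash = 0;
  for (let i = 0; i < 8; i++) {
    const c = ALPHA.indexOf(pass.substring(i, i + 1), 0) + 1; // A=1 ... Z=26
    hash = hash * mult + c;
  }
  return hash;
}

// Smallest and largest hash an 8-letter A-Z password can produce.
function outputRange(mult) {
  const min = makehash("AAAAAAAA", mult);
  const max = makehash("ZZZZZZZZ", mult);
  return { min, max, size: max - min + 1 };
}

// Count (without listing them) the 8-letter A-Z passwords whose hash equals
// `target`, by dynamic programming over prefix hashes. Intended for mult = 3,
// the multiplier used for the stored hash; mult = 10 needs a far larger table.
function countPreimages(target, mult = 3) {
  const max = outputRange(mult).max;
  let ways = new Float64Array(max + 1);
  ways[0] = 1; // the empty prefix hashes to 0
  for (let pos = 0; pos < 8; pos++) {
    const next = new Float64Array(max + 1);
    for (let h = 0; h <= max; h++) {
      if (ways[h] === 0) continue;
      for (let c = 1; c <= 26; c++) next[h * mult + c] += ways[h];
    }
    ways = next;
  }
  return ways[target] || 0;
}

// Constructed sample passwords; none comes from the thread.
const range = outputRange(3);
console.log("hash range size:", range.size, "for", 26 ** 8, "passwords");
console.log("AAAAAAAD vs AAAAAABA:", makehash("AAAAAAAD", 3), makehash("AAAAAABA", 3));
console.log("passwords sharing PASSWORD's hash:", countPreimages(makehash("PASSWORD", 3)));
```

With the multiplier 3, all 26^8 eight-letter passwords fall into a range of 82,001 values, so a stored hash stands for millions of passwords on average.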
jeffmott
07-02-2003, 06:39 AM
Need a script to enter into 'member's only' secure page
Does anyone have a script I could use?
lakehook
07-02-2003, 07:49 AM
I am still looking into this.
Not sure which is going to work yet. Will get back to you later.
Thanks ALL!
PeOfEo
07-02-2003, 04:32 PM
Originally posted by jeffmott
This is a generalization. And, considering the number of insecure JavaScripts floating around out there, it is generally true. But, a page secured by JavaScript is possible.
Well only if it uses a cookie, and you did not like that method. If it's just a gate keeper deal all they have to know is the after url.
jeffmott
07-02-2003, 07:32 PM
Well only if it uses a cookie
This would actually add insecurity. I'm assuming your idea is to set a cookie given a correct password then all restricted pages check for the cookie's existence? But what if scripting was disabled when visiting the restricted pages? They would be able to skip that check and continue on.
If its just a gate keeper deal all they have to know is the after url
Such as a script redirecting to a hidden URI? Is this what you are referring to? If so then I would have to ask, how is security based on keeping the URI hidden different from keeping the password hidden?
brendandonhue
07-02-2003, 08:07 PM
That was his point - a gatekeeper script is useless.
jeffmott
07-02-2003, 10:02 PM
You missed my point, which was it isn't. But if you're so sure then feel free to show us how useless it is.
http://jmott.hypermart.net/js-protected/
brendandonhue
07-02-2003, 10:50 PM
Ok well I'm not going to try to crack it or anything - but ok, maybe it is possible to create decent protection with JavaScript.
Just wondering - on the protected page, how do you verify that the person is logged in?
jeffmott
07-02-2003, 11:25 PM
Just wondering-on the protected page, how do you verify that the person is logged in?
You don't. :)
Obviously JavaScript cannot fully replace the capabilities of a server-side method. But it can protect a page/section. The idea here is that the security relies on the secrecy of the URI, whereas in a true login system the security relies on the secrecy of the password. The principles are the same, they both rely on a particular string being kept secret. The major problem with other JavaScript methods that follow this same design is the developers make an attempt at their own (ultimately insecure) hashing functions, which allow the needed password to be computed from the hash value that must be in the source.
brendandonhue
07-02-2003, 11:32 PM
Suddenly makes sense when you put it that way - either way you are hiding a string. Just gotta make sure that your server doesn't allow listing of directory contents, and use htaccess to block googleBot and other search engines from indexing your 'secret page'. Then again - if you can do that you can surely use serverside.
PeOfEo
07-03-2003, 02:35 AM
Like I asked at the beginning, what server side language does this server support? Because one of us here can design an on target system using a server side in one or two small simple files. And jeff, have you never seen a gate keeper? The after page url has the password in it, and you have the full url in the code minus the one section you use as the password, and if they type in the wrong password they get a 404. But all one has to know is the after url by someone leaking it or something, or they can guess it, and boom they are in; it's not an actual login or check. I also agree the cookie method is horrible, but at least it checks for something. The only sure fire security system is with a server side, I am afraid.
jeffmott
07-03-2003, 06:18 AM
The after page url has the password in it
The JS protection scheme I posted doesn't.
all one has to know is the after url by someone leaking it or something or they can guess it and boom they are in
And in every other protection scheme all one has to know is the password by someone leaking it or something they can guess and boom they are in. Does this help you see the point yet? I'm running out of ways to tell it hoping for you to understand.
brendandonhue
07-03-2003, 10:15 AM
Yes the idea of normal password protection is
The password string is secret.
The idea of gatekeeper is
The URL string is secret.
PeOfEo
07-03-2003, 10:43 AM
Originally posted by jeffmott
The JS protection scheme I posted doesn't
because I am talking about a gate keeper and you are not :).
And in every other protection scheme all one has to know is the password by someone leaking it or something they can guess and boom they are in. Does this help you see the point yet? I'm running out of ways to tell it hoping for you to understand.
What I mean is not like "the password is this"; I am talking about someone saying something like "hey look at this" and leaving a link, like on a forum. I am saying it's a lot easier because someone will unintentionally aim someone a link or drop it on this forum.
brendandonhue
07-03-2003, 10:55 AM
Yes, that's true. You could check and make sure the referer is your login page.
But jeffmott already said, he also doesn't think javascript can replace a serverside implementation.
PeOfEo
07-03-2003, 11:03 AM
I have said that too, so what languages will your server support?