Password protection


blueboy999
08-31-2003, 05:50 AM
I use the following code to allow users to access a password protected area of my site.


function Login(form)
{
var username = form.username.value;
var password = form.password.value;
var server = form.server.value;

var htsite = "http://" + username + ":" + password + "@" + server;
window.location = htsite;
}


<form name=login>

<input type="hidden" name="server" value="www.url.com/securepage/">

<b>Username:</b><input type=text name=username size=20>
<b>Password:</b><input type=password name=password size=20>
<input type=button value="Login!" onClick="Login(this.form)" name="button">

</form>




But I have been advised that this is not very secure and using the following link would be better.

<A HREF="http://www.url.com/securepage/">Members login</A>

This works ok.
Can anyone explain the pros/cons of the first method.
My site has been mentioned in alt.hacking but I don't understand much about web design, security.
Any help gratefully accepted.

Nevermore
08-31-2003, 06:29 AM
As long as your server is checking that the usernames and passwords are correct, you will have a reasonably secure login. If in the first method the username and password are being checked by the server then it should be secure.

pelegk1
08-31-2003, 06:51 AM
I didn't understand exactly your explanation.
Can you please explain again?

AdamGundry
09-01-2003, 07:29 AM
The first code requires JavaScript, which means your page is inaccessible to the 13% or so of web users with JS disabled, and violates accessibility legislation. As cijori said, it is relatively secure (assuming the server checks the username/password), but you should use a server-side login script that does not require JavaScript.

Adam
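
Added example, not part of the original thread or any poster's code: what the `http://username:password@server` URL from the first post turns into, assuming the protected directory uses HTTP Basic authentication (the thread implies this but does not state it). It runs in Node.js; the function names and the sample username and password are constructed for illustration.

```javascript
// The hidden "server" field from the first post.
const SERVER = "www.url.com/securepage/";

// The thread's approach: plain string concatenation, no encoding.
function naiveLoginUrl(username, password, server) {
  return "http://" + username + ":" + password + "@" + server;
}

// Same URL built with the WHATWG URL API, which percent-encodes
// reserved characters in the username and password.
function encodedLoginUrl(username, password, server) {
  const url = new URL("http://" + server);
  url.username = username;
  url.password = password;
  return url.href;
}

// Host the URL parser will actually contact for a given URL string.
function hostOf(urlString) {
  return new URL(urlString).host;
}

// HTTP Basic authentication (RFC 7617) sends base64("user:pass").
// Base64 is an encoding, not encryption.
function basicAuthHeader(username, password) {
  const raw = Buffer.from(username + ":" + password, "utf8");
  return "Basic " + raw.toString("base64");
}

// Anyone who can read the header (for example on a plain http://
// connection) recovers the credentials with one decode.
function decodeBasicAuth(header) {
  const text = Buffer.from(header.slice("Basic ".length), "base64").toString("utf8");
  const sep = text.indexOf(":"); // the username cannot contain ":"
  return { username: text.slice(0, sep), password: text.slice(sep + 1) };
}

// Constructed sample credentials with reserved characters in the password.
const user = "alice";
const pass = "p@ss/word";
console.log(hostOf(naiveLoginUrl(user, pass, SERVER)));   // wrong host
console.log(hostOf(encodedLoginUrl(user, pass, SERVER))); // intended host
console.log(decodeBasicAuth(basicAuthHeader(user, pass)));
```

With the unencoded URL, a password containing `@` or `/` makes the browser parse a different host than the site intended, and in either form the credentials sit in the address bar and history; the server-side check is what protects the page, and only HTTPS keeps the header from being read in transit.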