I want a password script. Though i want to see if it is possible to have it as html NOT JavaScript. I don't think it is possible but if there is a "html" password script that asks you 'The Password" as soon as you enter the page. Can someone please tell me.
Because if the script was "JavaScript", a user who disabled javascript could sneak past?

Without javascript, you can do it only with a server side language like PHP, ASP, Perl etc. because because HTML can not read or write from or to another file.

HTML is markup, not scripting. Which naturally means you can't do any kind of scripting with it.

this might be of some help, of course i didnt write it. Got it from a guide(idiots guide) but its not too shabby. Not top notch but gives you decent security.

step 1:
place this code/tag somewhere within the body of the page you want the link at:

<A HREF="javascript:GetPassword()">link</A>

step 2:
on that same page, between the </HEAD> tag and the <BODY> tag put this code:

<SCRIPT LANGUAGE="JavaScript">
<!--
function GetPassword() {
window.open("jspass.htm", "","width=225,height=50")
}
//-->
</SCRIPT>

step 3:
now, when someone hits the "link" tag in step one, you'll be sent to the next HTML page. This is the entire page you will create exactly as I write it below and call it "jspass.htm". This is a password page, kinda a between page in my mind. This page will ask for a password. Basically the password will be the name of the page you want to goto. Since only you and the people with the name of the page can input it and goto that page, it works nicely. No password is ever contained in the script for someone to get. The name of whatever page you want to goto is the password. Get it? Here is the jpass.htm page exactly as it should be(NOTE: you will notice within this code the ext. of the target page is considered to end in .htm, but you can change this to .html if you like):

<HTML>
<HEAD>
<TITLE>Password Required</TITLE>
</HEAD>

<SCRIPT LANGUAGE="JavaScript">
<!--

function SubmitPassword(frm)
{
//
// Get the value entered into the text box
//
var password = frm.pw.value
//
// Convert it to lowercase
//
password = password.toLowerCase()
//
// Add the .htm extension
//
var loc = password + ".htm"
//
// Make sure the user entered something
//
if (password != "")
{
//
// If so, send the browser there
//
opener.location.href = loc
}
//
// Close this window
//
window.close()
}

//-->
</SCRIPT>

<BODY BGCOLOR="#CCCCCC">

<FORM>
This page requires a password:<BR>
<INPUT TYPE="TEXT" NAME="pw" SIZE=15>
<INPUT TYPE="BUTTON" VALUE="OK"
onClick="SubmitPassword(this.form)">
</FORM>

</BODY>
</HTML>


step 4:
just make a target page, and wahtever its name can be your password.

Now, this isnt 100% perfect but does, to me, create a reasonable amount of security. You might want to put a "noindex, nofollow" meta tag on the target page also to protect it from getting crawled.


And i dont believe that disabling javascript will help the person trying to access it because they still have to know the page or it does no good.

war

To fix up some of the errors in that code...


<A HREF="javascript:GetPassword()">link</A>


HREF="javascript:GetPassword()" is incorrrect coding.
Javascript goes in the eventhandlers, NEVER in the href="" eg

<a href="#" onclick="GetPassword();return false;">link</a>



<SCRIPT LANGUAGE="JavaScript">


Should really be
<SCRIPT type="text/JavaScript">


No password is ever contained in the script for someone to get. The name of whatever page you want to goto is the password. Get it?


Of cource you could just give the correct link directly to the page to people that are supposed to read it.
It will be just as safe (relying on noone spreading the "password"/link), much easier and also work in browsers without JavaScript.



<FORM>
This page requires a password:...


Is wrong since you never are alowed to have plain text inside <form>.

<FORM>
<p>
This page requires a password:...

eg is correct

ok then, thanks stefan.

war

comments withdrawn in good faith.

Originally posted by warbishop
[B]i didnt write the script step-on.


Yes I know, becuse you said so in your post.

Nice of you to be totally critical.

:confused:

Where is the harm in pointing out the errors and offering the correct solution?

I would in fact think my post is highly constructive and informative and help others code the right way.

Must just enjoy tearing people down. No wonder you piss so many people off. LOL

What?!?!
How on earth can posting corrections to a code that is not even yours piss you off?
I didn't say 1 single harsh word against you.

You need to relax dude...

You might want to also check out the following, and I don't think any users are going to get past just because they have JavaScript disabled.

Encrypted Password script by Rob Heslop
http://www.dynamicdrive.com/dynamicindex9/password.htm

Stefan, I don't know why people would be mad at you for fixing their mistakes. Everyone needs to learn.

warbishop, there is not such thing as a secure javascript password script. Anyone who knew enough about JavaScript could view the source and figure out what's going on.

im trying to be nice but i didnt make a mistake, i didnt write the script and it does work fine!!

war

and it doesnt matter how many times you view the source if it doesnt contain the password in it.

that is the whole point of the script

<FORM>
This page requires a password:...

--------------------------------------------------------------------------------



Is wrong since you never are alowed to have plain text inside <form>.

<FORM>
<p>
This page requires a password:...

eg is correct


Stefan, I never heard that before. Do you happen to have a link to an article or resource about that? Perhaps it's "supposed to" be done a certain way but browsers accept either?...

Originally posted by Bullschmidt
Stefan, I never heard that before. Do you happen to have a link to an article or resource about that?

Here is a link to the HTML Spec
http://www.w3.org/TR/html4/interact/forms.html#h-17.3

Here is the exact description of what you can have in a <form>

<!ELEMENT FORM - - (%block;|SCRIPT)+ -(FORM)

On this page you can read up on what that means
http://www.w3.org/TR/html4/intro/sgmltut.html

but the important thing is that it is missing %inline;, and text is inline-level content, thus you may not place text directly under <form>

You have to eg use a <p> or <div> in between
<!ELEMENT P - O (%inline;)*
<!ELEMENT DIV - - (%flow;)*
which as you can see may hold inline content (%flow; = %block; + %inline;).


Perhaps it's "supposed to" be done a certain way but browsers accept either?...

Browsers errorcorrection are normally able to recover from a huge number of code errors. Relying on browser error correction is however sloppy/amature coding practices.

If you wanted a basic password protection and didn't want to learn a server-side language and have an Apache server you could have chosen to use .htpasswd and .htaccess method to protect the online page, or directory.