Open Local File

**whiterabbit** · Oct 30, 2003 12:07

Login

client- enters company name

server- responds with random number

client- receives random number and uses it to create a string from a text file on their local computer.
client then encrypts and sends back.

server has same text file for that client and has encrypted and loaded to database ready to compare with client response.

I want to know how to open local file from client machine to read. I want to know for example how to start at character x and read x number of characters to return as string to encrypt before sending back.

I know very little of javascript

Thanks

**greg.harvey** · Oct 30, 2003 12:08

You could use a cookie. It *IS* a text file...

**whiterabbit** · Oct 30, 2003 12:18

It would have to be as txt file on local machine in case they delete cookies or something.

out of curiousity though can cookies be snooped?

**greg.harvey** · Oct 30, 2003 12:24

Not if you use a session cookie. That's server-side. The client has no control over it. Obviously, it only lasts the session though, so it depends on what you want to do with the data long-term.

"Snooped"? Not sure what you mean...

**levik** · Oct 31, 2003 01:09

Sounds like you're trying to do a very primitive version of SSL.

I don't thikn there's any way to open a file from Javascript. You can probably do it from a Java applet, but it would have to be granted the permission to access the filesystem before it would work.

**whiterabbit** · Oct 31, 2003 06:20

The session cookie might work, I only need it to last one session. Snooped I meant can the value be discovered by bad guys.

Yes primitive ssl. Initially I wanted to use ssl to send over real password then if correct exit secure server and create new temp user name and password and delete at end so no replay is possible.

The problem is stupid pop up screen that tells visitors they are leaving secure area, my boss feels clients will not liike this. This is not sensitive information just private area for clients and no real damage would result if hacked except client probably not using site anymore.

My idea was to have log in using comp name only, server responds with random number which is used to calculate return string from text document on client machine. I was thinking if I do this way then maybe even update temp password for each call to server so hijacking session also not possible without key. With this approach further encryption is not needed as password only good once and no way to guess next password.

Problem is reading key at client side. But now I am thinking maybe Flash can be used to open txt file and select correct string to send back for next page call.

Or best, anyone can tell me how to avoid stupid screen popping up alerting visitors of leaving insecure area

**greg.harvey** · Oct 31, 2003 06:33

Seems an awful lot of trouble to be going to for a client preview site! What are they previewing? Government secrets??

A friend of mine uses GUIDs to handle his password management in a similar way, behind SSL. It's a good way of doing it. I don't see why you couldn't do all of that using session variables.

**whiterabbit** · Oct 31, 2003 08:00

The secure area contains all the communications between client and company including an area to order supplies or services but no sensitive data such as credit cards is ever sent over, its boring to elite hackers but...

On the other hand the company is a lock down place with biometric security devices and cameras etc so they want to continue this feel.

Can you briefly explain GUID's.

**greg.harvey** · Oct 31, 2003 08:44

Originally Posted by whiterabbit

Can you briefly explain GUID's.

Ach.... no. Not really. It's way over my head. My mate's an ex-Microsoft guy. Scary programmer with a big brain. I can tell you it means "global unique identifier", it was a term created by Microsoft techies and they look like this:

Code:

B325EC27-4F72-428D-88AF-A40AC7CA6E74

Beyond that, you're on your own. I gather it's relatively easy to get an MS server to generate one for you though...

**whiterabbit** · Oct 31, 2003 09:39

You know I have wasted too much time on this.

I am going to convince them to use ssl for the entire session. They have maximum 100 clients and its not a place they will go to every day so I dont think it will be too much load for the server.

That is best way I think, everyone is happy but I still would like to know how I could implement the idea of reading from a text file etc... I think I will work on this and see what I can find.

Thanks for your help
Jp

**greg.harvey** · Oct 31, 2003 09:42

I think you're right to do that. Otherwise you're reinventing the wheel. Still, it is fascinating stuff...

**whiterabbit** · Oct 31, 2003 12:32

Yeah it is really interesting!

Just found a workable solution. I can send login information from insecure url to ssl in flash. Info is sent protected and I am still in unsecure page so do not have to worry about that alert message that scare the clients. : ) and I dont burden server with more ssl calls.

have good day.

**greg.harvey** · Nov 3, 2003 03:45

Hmmm... interesting. That's got to be counted as a hole in IE's security. Does that work in all browsers? Could you post a link?

User Tag List

Thread: Open Local File

Thread Tools

Display

Open Local File

Bookmarks

Bookmarks

Posting Permissions