SitePoint Sponsor

User Tag List

Results 1 to 8 of 8

Thread: intranet

Hybrid View

  1. #1
    SitePoint Enthusiast Heg's Avatar
    Join Date
    Dec 2001
    Location
    AZ
    Posts
    66
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    intranet

    I know that the best way for password protecting a page is a server side script,
    but I am curious about this:

    Couldn't you make your company intranet the simple way: just make it part of your website.

    It would have 2 levels of "security". First, you would have to know the exact URL to get to it.
    (There would be no link to it). example: www.mycompany.com/intra/enter.html

    The 2nd level would be this script:

    <script language="JavaScript">
    <!--

    var password = prompt("Enter Password for Access","")

    if (password !="yourPW")

    { top.location="about:Invalid Password" }
    //-->
    </script>

    Everyone in the company would have to be told the URL and the password.
    Wouldn't that keep our intranet private? If I used "no-index" in the meta tag for enter.html,
    and since you can't see the source code unless you type the correct password, it seems this intranet is private.

    I am a newbie, so there may be something obvious I am failing to see.

  2. #2
    Prolific Blogger silver trophy Technosailor's Avatar
    Join Date
    Jun 2001
    Location
    Before These Crowded Streets
    Posts
    9,446
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It would be great if it were that simple. However, it is only too easy to turn off your browsers ability to execute javascript, thus opening up your private network to be a public resort. You haver to remember that Javascript (an VBScript) are CLIENT-side languages meaning that they don't occur until the site is loaded onto your computer. All you have to do is change how your CLIENT software (i.e. your browser)interprets the HTML. That is why server-side scripting is the best for security. YOUR serve controls what goes to the browser. If the private information never makes it as far as Joe Schmoe's browser, he can't find nifty little not-so-secret ways around your security. Also, unless specially coded, even a private URL can be discovered by those search engine spiders.

    Sketch
    Aaron Brazell
    Technosailor



  3. #3
    SitePoint Enthusiast Heg's Avatar
    Join Date
    Dec 2001
    Location
    AZ
    Posts
    66
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Interesting and enlightening. Thanks Sketch.

  4. #4
    SitePoint Addict -TheDarkEye-'s Avatar
    Join Date
    Mar 2001
    Location
    canada
    Posts
    286
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    well, this isnt the best way to do this but i guess it still works. one way to improve your script would be to do something like this:

    Code:
    function Getstats() {
      var iId;
      var iPass;
    
      iId = document.iAccInput.iId.value
      iPass = document.iAccInput.iPass.value
    
      if (iId == "" || iPass == "")
      {
        alert('You must enter all details to procceed.');
      }
      else
      {
        var location = (iId + "/" + iPass + ".html");
        this.location.href = location;
      }
    }
    this isnt realy in the best shape... i just ripped it out of an old test page i did so youll probly wana change it a bit to suit you. anyways, just have a form set up to input the id and password and then exicute that function.

    the basic idea is that, as long as the user cannot view the contents your directories, they wont be able to find out the user name and password.

  5. #5
    SitePoint Enthusiast Heg's Avatar
    Join Date
    Dec 2001
    Location
    AZ
    Posts
    66
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    function Getstats()
    Thanks for the script. Much better.

  6. #6
    SitePoint Zealot matiefert's Avatar
    Join Date
    Nov 2001
    Location
    Bay area, California
    Posts
    188
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    And just be sure that the password JavaScript is not within the page that asks for the password. Instead - link to the script (in a separate file) from that page. Otherwise, users can merely View Source to get the password. (We had an inadvertant intelligence test like that at a company I worked for once...)

    cheers,

    Marj

  7. #7
    SitePoint Wizard creole's Avatar
    Join Date
    Oct 2000
    Location
    Nashvegas Baby!
    Posts
    7,845
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The page you link to would have to be outside the webroot though or the user could still get to the information. Javascript isn't really a good method for password protecting. Like Sketch mentions it runs on the clients browser, not on the server.

    A quick and easy way to password protect would be to use the OS itself. Apache server offer htaccess password protection and NT/2000 servers offer a similar method. The directory itself has a "script" that runs when the index page is loaded. That script pops up a box that asks for a username and password. Without that information the page will never even load.
    Adobe Certified Coldfusion MX 7 Developer
    Adobe Certified Advanced Coldfusion MX Developer
    My Blog (new) | My Family | My Freelance | My Recipes

  8. #8
    Yugo full of anvils bronze trophy hillsy's Avatar
    Join Date
    May 2001
    Location
    :noitacoL
    Posts
    1,859
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The only really fail-safe way to protect your intranet though (from our IS department's point of view anyway) is drop the whole thing on the WAN behind the firewall and deny any access unless thru the VPN.

    The best way to ensure security is to be absolutely paranoid. Really.

    The hoops I'm having to jump through to expose part of our intranet on a client-support extranet are really quite incredible - but understandable....
    that's me!
    Now A Pom. And a Plone Nut
    Broccoli Martinez Airpark


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •