  #1  SitePoint Member (Denmark; joined Oct 1999; 3 posts)
    Hello... I am the webmaster of a large fansite for Savage Garden. A Danish one, because I live there, folks!
    Well... I have created a quite sophisticated logon system for the site. It is based on JavaScript, where the user enters a name and a password in a form. It is processed like this: if (username) = (myusername) && (password) = (mypassword) then open the page, otherwise reject the user.
    BUT! I have to exclude all Netscape users because Netscape gives an error: "parent.info.logform. has no properties."
    I must tell you that the values are processed through a hidden frame at the top, which I use for storing the values, so the different pages inside can call them up later. I refuse to use cookies for security reasons!
    Please tell me why Netscape does this!!

  #2  Hierophant, "Your Lord and Master, Foamy" (Lancaster, Ca. USA; joined Aug 1999; 12,305 posts)
    You refuse to use cookies for security reasons, yet you post all the user IDs and passwords in a hidden frame that will take anyone with a little bit of knowledge ten seconds to get into?

    I find that a little hard to believe. Anyway, you currently have no security. I would look into using either .htaccess files or a CGI (Perl, PHP, ASP) solution instead of JavaScript. JavaScript is not secure in the least. One look at the source code and it's all blown apart.

    ------------------
    Wayne Luke - Sitepoint Forums Administrator
    Digital Magician Magazine - MetaQuark Creations (Coming Soon)
    sitepoint@digitalmagician.com

  #3  SitePoint Wizard (Chicago; joined Jul 1999; 2,629 posts)
    Cookies don't pose a security risk. Unless they can be read by domains other than the one that set them, they are harmless security-wise.

    They can, in a way, be used to invade your privacy, but they can't hold the user's credit card number, for example, without the user typing it in.

    P.S. I notice you use JavaScript to stop people from looking at the source. That doesn't protect anything at all.

    [This message has been edited by d3v (edited July 12, 2000).]

  #4  Kevin Yank, SitePoint Author (Melbourne, Australia; joined Apr 2000; 2,571 posts)
    Holmberg,

    I went to your Website and downloaded your list of usernames and passwords:

    if (parent.mailbox.logform.usr.value == 'djc*****' && parent.mailbox.logform.psswd.value == 'ms*****') { doLogin(1) }
    else if (parent.mailbox.logform.usr.value == 't***' && parent.mailbox.logform.psswd.value == 'su*****') { doLogin(2) }
    ...


    Notice I've put *'s over some of the values, but, as I've demonstrated, any experienced Web developer can obtain a complete list of usernames and passwords for your site in about 1 minute.

    For the record, the following code will work as you expect it to in Netscape and MSIE. But as you can see, it is a very, very bad idea to rely on this code to provide any kind of security for your site. Even if you are happy with a false sense of security, your users will not be!

    // Walk the DOM explicitly: frames[] -> document.forms[] -> elements[]. This is the
    // form Netscape 4 resolves; the shorthand parent.mailbox.logform.usr does not.
    // The element name must match the form field exactly (the form uses 'psswd').
    if (parent.frames['mailbox'].document.forms['logform'].elements['usr'].value == 'djc*****' && parent.frames['mailbox'].document.forms['logform'].elements['psswd'].value == 'ms*****') { doLogin(1) }
    else if (parent.frames['mailbox'].document.forms['logform'].elements['usr'].value == 't***' && parent.frames['mailbox'].document.forms['logform'].elements['psswd'].value == 'su*****') { doLogin(2) }
    ...



    ------------------
    -Kevin Yank.
    http://www.SitePoint.com/
    Helping Small Business Grow Online!

    [This message has been edited by kyank (edited July 12, 2000).]

  #5  SitePoint Member (Denmark; joined Oct 1999; 3 posts)
    Okay, listen up, folks...
    This site is not Yahoo! or something, and people don't keep private stuff in there. The only reason we use the password protection is to keep other Savage Garden fans from stealing our material. When we add new users, we tell them to use a password that does NOT appear anywhere else. We also ask the user, in detailed instructions, to delete all temporary downloaded material.
    We know that "right-click protection" does not offer security, since the files and images are downloaded into a temporary folder, but the reason for using it is, again, that we would like to prevent other fans from stealing our material. Not many of those Savage Garden fans in Denmark know how a webpage works. Believe me... I've checked that.
    We are working on implementing a new logon system, based on a Java applet and a random script which modifies the logon file's name each time it is downloaded...

    And to you who posted a solution for my Netscape problem, which was the only actual reason for me to write here: thank you! I really like it when folks help out in an honest way!

