Thread: Password script

  1. #1
    SitePoint Member

    Password script

    I have been told that the following is not a good way to protect a page. And in fact the password is actually displayed. I don't know what they mean.

    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

    <html>

    <head>
    <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
    <meta name="generator" content="Adobe GoLive">
    <title>Reference Documents</title>
    <csactions>
    <csaction name="2A2D2654" class="Password Plus" type="onevent" val0="21796140" val1="Password Accepted"></csaction>
    </csactions>
    <csscriptdict import>
    <script type="text/javascript" src="CSScriptLib.js"></script>
    </csscriptdict>
    <csactiondict>
    <script type="text/javascript"><!--
    CSAct[/*CMP*/ '2A2D2654'] = new Array(PVpassword,'21796140','Password Accepted');

    // --></script>
    </csactiondict>
    </head>

  2. #2
    felgall (Programming Since 1978)
    If the password is in JavaScript then all anyone need do to see it is view the source of the page. At worst they would need to take a copy of the script and run parts of it to get the password.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    jimmy85 (SitePoint Zealot)
    Run it in a secure connection too (HTTPS).

  4. #4
    SitePoint Member
    Below is pretty much it. Beyond this portion is text and graphics unrelated to the script. I have seen other posts and sites that suggest the password is right out in the open. Running the script brings up the prompt but that's it.

    I have removed any reference to what the site is in case the password is indeed that easy to get.

    <head>
    <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
    <meta name="generator" content="Adobe GoLive">
    <title>Reference Documents</title>
    <csactions>
    <csaction name="2A2D2654" class="Password Plus" type="onevent" val0="21796140" val1="Password Accepted"></csaction>
    </csactions>
    <csscriptdict import>
    <script type="text/javascript" src="CSScriptLib.js"></script>
    </csscriptdict>
    <csactiondict>
    <script type="text/javascript"><!--
    CSAct[/*CMP*/ '2A2D2654'] = new Array(PVpassword,'21796140','Password Accepted');

    // --></script>
    </csactiondict>
    </head>

    <body bgcolor="#ffffff">
    <p><img src=Graphics/fflscript2.jpg alt="" height="129" width="612" border="0"></p>
    <p><b><font size="+3">Reference Document Center</font></b></p>
    <p><br>
    If you have not been given your xxxxxx Password to access these documents</p>
    <p>Please call our customer service line to get yours. 1-800-xxxxxxxxx</p>
    <p><br>
    </p>
    <p><a onclick="CSAction(new Array(/*CMP*/'2A2D2654'));return CSClickReturn()" href="#" csclick="2A2D2654">Documents </a><font size="-1">(for those with an old password use only the first 7 characters)</font></p>

  5. #5
    AlexDawson (Follow: @AlexDawsonUK)
    Firstly... font tags? Eww. Secondly, you seem to have the same problem as before: you should not be using JavaScript to authenticate a username and password. All verification of users should be done server-side, as client-side scripts are far too easy to manipulate and bypass.

  6. #6
    SitePoint Member
    What I find funny is that post after post on various forums say that ......... but no one seems to be able to walk the walk, if you will.

    thank you

  7. #7
    AlexDawson (Follow: @AlexDawsonUK)
    How do you mean? I certainly don't know any sites that use font tags anymore and certainly no-one uses client-side scripting for logins. Just take the forums you have been on: I would wager all of them used some kind of server-side authentication to log in to make posts in the first place.

  8. #8
    SitePoint Member
    Fonts....whatever. I was more interested in someone 'showing' me that using that form of script is vulnerable. It seems just like the other forums it's apparently not the thing to do, but no one is actually able to demonstrate why. Just talk about it.

    Oh and by the way, don't drink aspartame.. 'they say' it's bad for you.
    Just take my word for it.

    regards.

  9. #9
    AlexDawson (Follow: @AlexDawsonUK)
    JavaScript is plain text, it can be seen by right clicking and viewing source, all someone needs to do is navigate to the file where the login details are held and they can just take it from the source code and use it, it doesn't require demonstration, you can do it yourself from within any web browser.

  10. #10
    SitePoint Enthusiast
    By server-side, they mean use a language like PHP. PHP is hidden from the source code.

    Are you looking to have users login to access the sections you're trying to password protect?
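
What "server-side" means in practice, as an added example that is not code from this thread or from GoLive: the stored verifier and the comparison stay on the server, and the document is only sent to a request that carries a session issued after a successful check. It is written for Node.js rather than PHP so it runs stand-alone; `makeRecord`, `verifyPassword`, `handle`, the in-memory `sessions` store and the sample password are all hypothetical.

```javascript
// Added example (Node.js, standard library only): the check runs on the server.
const nodeCrypto = require('node:crypto');

// Only a random salt and a derived hash are stored, never the password itself.
function makeRecord(password) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, hash: nodeCrypto.scryptSync(password, salt, 32) };
}

function verifyPassword(record, candidate) {
  const derived = nodeCrypto.scryptSync(String(candidate), record.salt, 32);
  return nodeCrypto.timingSafeEqual(derived, record.hash); // constant-time compare
}

const sessions = new Set(); // hypothetical in-memory session store

// Returns what the server would send. The document body never leaves the
// server unless the request carries a session issued after a valid login.
function handle(record, req) {
  if (req.path === '/login') {
    if (!verifyPassword(record, req.password)) return { status: 401, body: 'Denied' };
    const token = nodeCrypto.randomBytes(32).toString('hex');
    sessions.add(token);
    return { status: 200, body: 'OK', session: token };
  }
  if (req.path === '/documents') {
    if (!sessions.has(req.session)) return { status: 401, body: 'Login required' };
    return { status: 200, body: 'Reference Document Center contents' };
  }
  return { status: 404, body: 'Not found' };
}

// Constructed sample run: no session, then login, then the same request again.
const record = makeRecord('constructed-sample-password');
const denied = handle(record, { path: '/documents' });
const login = handle(record, { path: '/login', password: 'constructed-sample-password' });
const granted = handle(record, { path: '/documents', session: login.session });
console.log(denied.status, login.status, granted.status);
```

Nothing in the 401 responses depends on the stored record, so viewing the page source reveals neither the verifier nor the protected content.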

  11. #11
    SitePoint Member
    "JavaScript is plain text, it can be seen by right clicking and viewing source, all someone needs to do is navigate to the file where the login details are held and they can just take it from the source code and use it, it doesn't require demonstration, you can do it yourself from within any web browser."

    Ok so in the initial post is the source from that part of the page.
    Where does it show the specific location of the file where the login details are held?

  12. #12
    felgall (Programming Since 1978)
    Presumably either in CSScriptLib.js (since that is the only JavaScript file mentioned) or in a different JavaScript file that is dynamically loaded by CSScriptLib.js. Either that or there is additional code in the page that you didn't post that either contains the code or a link to the JavaScript file that contains the code.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
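
An audit of the markup posted in this thread, as an added example that is not part of the original posts or of GoLive: it reports which password-check parameters and which script files a page hands to every visitor's browser. `auditClientSideGate` is a hypothetical name, the sample is the posted page head, and what the value `21796140` means is decided by code in CSScriptLib.js, which the thread does not show.

```javascript
// Added example: find password checks that are delivered to the browser.
// SAMPLE_PAGE is the relevant markup quoted in post #4 of this thread.
const SAMPLE_PAGE = `
<csaction name="2A2D2654" class="Password Plus" type="onevent" val0="21796140" val1="Password Accepted"></csaction>
<script type="text/javascript" src="CSScriptLib.js"></script>
<script type="text/javascript"><!--
CSAct[/*CMP*/ '2A2D2654'] = new Array(PVpassword,'21796140','Password Accepted');
// --></script>
<a onclick="CSAction(new Array(/*CMP*/'2A2D2654'));return CSClickReturn()" href="#">Documents</a>
`;

function auditClientSideGate(html) {
  const findings = [];
  // 1. Declarative GoLive actions whose class names a password check.
  const actionRe = /<csaction\b[^>]*\bclass="([^"]*password[^"]*)"[^>]*>/gi;
  for (const m of html.matchAll(actionRe)) {
    const params = [...m[0].matchAll(/\bval\d+="([^"]*)"/g)].map(v => v[1]);
    findings.push({ kind: 'declared-action', action: m[1], shippedParams: params });
  }
  // 2. Inline registrations that pass literals to a password-named handler.
  const callRe = /new Array\(\s*(\w*password\w*)\s*,([^)]*)\)/gi;
  for (const m of html.matchAll(callRe)) {
    const params = [...m[2].matchAll(/'([^']*)'/g)].map(v => v[1]);
    findings.push({ kind: 'inline-registration', handler: m[1], shippedParams: params });
  }
  // 3. External scripts: the handler's own code is downloaded with the page.
  const scripts = [...html.matchAll(/<script\b[^>]*\bsrc="([^"]+)"/gi)].map(m => m[1]);
  return { findings, scriptsToReview: scripts, clientSideGate: findings.length > 0 };
}

const report = auditClientSideGate(SAMPLE_PAGE);
console.log(JSON.stringify(report, null, 2));
```

Any page where `clientSideGate` is true is making its access decision in code the visitor controls, whatever form the shipped parameters take.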

