noscript... security problem!

[Krack-Nob]

First off all, srry for my poor english and for being such a n00b im a learner of both, english and scripting...
Ok, so im hosting a website with a Xat.com´s chatbox on it... i know that those things are not secure chat at all cuz they can be accesed from the main Xat.com site... anyway, i need my webpage (which isnt much, jst a couple of imgs and the embed chat) to be protected against anybody that doesnt know the password for it.
I like to keep it simple because is not a big deal so i tryed a really siple javascript for the password:

Code: Select all

<!--//
var x = prompt("Password","")
if(x == "the pass"){
   alert("wellcome");}
   else{
      alert("WEB PAGE DOES NOT EXIST!");
      window.location = "http://www.google.com"}
-->//

that script goes inside the header tags, the problem is that anyone could acces that site jst by disableing the javascript. im not trying to defend this site from hackers, i just want a nice method to keep not authorized normal people out of it...
im not sure if i explained my self ...

[Goatboy]

First off, your English is not that bad. What is your first language?

Anyways, the terms you are looking for here are "server-side scripting" and "client-side scripting". Client-side refers to what you are doing right now. Javascript is sent to the user, and their browser executes it. Since the code itself resides on their computer, they can do whatever they want with it. Server-side, on the other hand, refers to code that resides on your server, such as PHP or ASP. The code executes on your server, and only sends what you want it to. For example, the code could generate a random string of words, and only send that to the user. The actual code is hidden.

As a general rule, you want to use server-side for anything you want to protect. Client-side is better for error-checking (making sure a form field has the right entries), styling (animation and sound), and generating alerts.

[kujinR]

the problem is that anyone could acces that site jst by disableing the javascript.

Not only that, People can just view the source and actually see the password. You remind me of Faith.

As Goatboy said, you're looking for server side scripting. Try PHP, you might like it. It's not at all that hard to learn it. Some good tutorials for it are found here and here.

[beluluk]

Sorry for bragging in out of nowhere. Related to security (which i think is still in this topic), i've been searching around for using username and password authentification like the one on phpmyadmin. Could someone enlighten me about what is that? is that apache, or HTML? i bet it's HTML, but i found no clue.

Additionally, could i please request the "Latest forum posts" on HTS homepage to have more lines? Guess that would help people to be more active on the forums.

I hope my english is not too bad.

-- Fri Nov 12, 2010 7:02 pm --

To Krack-Nob
And if i may add the answers above, If you don't want a page reload, you could use ajax which combines clientside (a.k.a javascript), serverside (PHP for example) and XML (i usually throw away this part). You could ask google about ajax and search for a lightweight ones, or just go to jquery.com and read about its ajax methods.

[Krack-Nob]

Not only that, People can just view the source and actually see the password. You remind me of Faith.

As Goatboy said, you're looking for server side scripting. Try PHP, you might like it. It's not at all that hard to learn it. Some good tutorials for it are found here and here.

yeah the javascript missions were really easy ... but you cant access the source code with out the password cuz im using the prompt tag that opens at pageload... I was thinkin to send the user to another site like google if they enter a wrong password or if they dont have javascript enabled but I cant figuere out how to do the last? do i really have to go with the PHP codes??...

beluluk: phpMyAdmin is written in PHP intended to handle the administration of MySQL. Explains it right here ...

Goatboy: my first lenguage is spnish.

[tremor77]

There are a few ways you could use javascript purely in a "semi"-effective way to password protect your pages...

1 way would be to use the password=pagename method where the password is actually the pagename... for example the page is "mysecretprotectedpage.html" and the password is "mysecretprotectedpage" - the script looks at what is input as the password.. tacks on the .html and attempts to load that page... this is not the best method in the world considering your page might get indexed by a search engine at some point though...

another way would be to encrypt your password... as I did on this pure Javascript mission that I wrote http://mvel.org/TreMission1/ - afaik only one person has beaten it so far... I basically used an existing cut and paste javascript password script that is available here: http://www.javascriptkit.com/epassword/index.htm

depending on your web host you would be better of using php or asp though.. or even .htaccess - as ultimately, any hacker worth 2 cents can break most anything that's purely javascript.

[Krack-Nob]

ok that would do... tnx

[beluluk]

i've seen the script. In my opinion, cracking it would be more of decrypting than of javascript trick.

-- Mon Nov 15, 2010 6:24 pm --

I guess, i need to add: Nice script... I don't think any 2 cents hacker you mentioned above could hack it easily... I think i will take up the chalenge. So that i could raise my price up to 3 cents

[tremor77]

i've seen the script. In my opinion, cracking it would be more of decrypting than of javascript trick.

-- Mon Nov 15, 2010 6:24 pm --

I guess, i need to add: Nice script... I don't think any 2 cents hacker you mentioned above could hack it easily... I think i will take up the chalenge. So that i could raise my price up to 3 cents

Ya it is more of a decrypt challenge once you get past the couple idiot tests in place.

[Defective Flamesuit]

May I recommend .htaccesss instead of PHP or JavaScript? Google ".htaccess"; it seems perfect for what you want to do and simpler than writing an encryption / decryption script as others have mentioned. Of course, using PHP is also pretty easy here, but if you have never used PHP before you might find using a .htaccess file easier.