1

What is the simplest way to make a page accessible by username/password? In school I learned to do this on the server side using sql and java. I'm wondering is there a way to do this only on the client side?

EDIT: lol... based on the responses, I probably should say why I specified client-side. I'm being asked to load an extra page into our company website that is supposed to aid some of our employees. I didn't design this extra page, and I was asked to put this up with a very simple log in. Granted I need to confirm with my superior that a client side login is ENOUGH, I just wanted to know if it could be done IF they decide that it's not all that important. The page itself won't have a link on the site, so unless someone knows it's there or decides to snoop, nobody will even know it's there.

Szuturon
  • 931
  • 4
  • 17
  • 28
  • 2
    If you're running apache you can use .htaccess and .htpasswd. – j08691 Aug 09 '12 at 18:53
  • 1
    And basic auth in IIS. Don't try doing it client side, it won't be secure. – Brian Aug 09 '12 at 18:53
  • 2
    Client side doesn't make sense really as it's easily "hackable". Ofcourse you can create an "isAuthenticated" variable in Javascript and pass it from page to page and check it wither isAuthenticated == true but then you have to access the Server to get the User/Passwrod info anyway so whats the point ? – InspiredBy Aug 09 '12 at 18:54
  • check out my edit. I think I have a way you could do it, depending on what your needs are. – Phillip Schmidt Aug 09 '12 at 19:06
  • Use dynamic web project and put the inaccessible under WEB-INF – URL87 Aug 09 '12 at 19:30
  • @Szuturon Do you want to tell me the URL? I'm good people. I'm joking :P .. "nobody will even know it's there" except robots. **If you can do better, why don't? Do it.** – Lucio Aug 09 '12 at 19:34
  • Even if there is no link to the page, it could still be picked up by a search engine unless you have robots.txt, which if I am correct, doesn't necessarily have to be obeyed. If you want to be secure you have to use .htaccess – Greg Rozmarynowycz Aug 09 '12 at 22:24
  • Don't forget to accept some answer by clicking the tick on the left ;-) – Draex_ Aug 11 '12 at 15:03

6 Answers6

2

You can save your page into a directory protected by .htaccess file.

That would be server side (you have to upload a .htaccess file into the directory).

But client side? Hmmmm the only thing I imagine is to create a DIV with position: fixed that would be over all your page content.

Ask for a user and a password, then check them using Javascript (this is client side), then you add property "display: none" to the DIV that is containing the login view.

That would hide the login view and show the page that is below it.

This is a HUGE security problem in my opinion. I could easily edit your web with Firebug and add Display: none to the div without entering a password.

However, as the password IS in the Javascript I could look at it anyway just viewing the source code.

JorgeeFG
  • 5,651
  • 12
  • 59
  • 92
1

Well you could try a basic JavaScript dummy with HTML inputs that would somehow offer the slight illusion of password protection. Otherwise, create an HTML form and go with PHP Sessions. These are probably the languages with the most tutorials around so it wouldn't take you that long to pull it off.

1

You cannot do this securely only on the client side, it would require you to perform authentication of the user inside the browser. This means your whole userbase would have to be loaded in the browser memory in some form, likely in javascript which makes it unsafe.

For a simple authentication mechanism which involves the server to a minimal extent look at Basic Authentication.

driangle
  • 11,601
  • 5
  • 47
  • 54
1

The easiest is probably server side apache authentication. Use these two generators for that: http://www.htaccesstools.com/htaccess-authentication/
http://www.htaccesstools.com/htpasswd-generator/

Just on the client side, using javascript it's never secure enough. But there is way:

if( ​prompt('Enter password'​)​ == 'password' )
{
    // we are okay
}

else
{
    // password is wrong
}​

For more robust example, with username see http://jsfiddle.net/7mZYQ/2/

Draex_
  • 3,011
  • 4
  • 32
  • 50
  • Thanks! I may actually go with the htaccess/htpasswd way. Didn't know about these... was never taught it. Seems simple enough. – Szuturon Aug 09 '12 at 20:39
  • Any chance you can help me out with this? http://stackoverflow.com/questions/11905751/how-to-set-up-htaccess-and-htpasswd-in-my-private-server – Szuturon Aug 10 '12 at 16:52
0

No, it cannot be done on the client side. At least not in a secure manner. Client side (password ) validation is very easy to bypass, because clues (such as the password and/or the content you want to show when the correct password is entered) are given to the user.

Arjan
  • 9,784
  • 1
  • 31
  • 41
0

If you think about what "client-side" means, you'll understand why it wouldn't be possible. On the client side, all information is processed and all data is stored on the client's machine. Thus, in order to check passwords totally on the client side, you'd have to have the entire list of usernames passwords saved to every single computer that your site interacts with.

Keep in mind, also, that anything "client side" is inherently less secure than it would be server-side. So even if you could do this, it'd probably be a bad idea.

Now, that being said, here's how you could do it:

Come up with a password (note that you'll have to use a master password, not individual ones), hash the password, and store the hashed password in a variable, or something. It may sound insecure, but if you're hashing the pw, you could send everyone a personalized email with the password and it wouldn't make it any easier to hack. Hashing is a one-way operation. There is no way to reverse engineer it. Do make sure to make your stored password a constant, though, or someone could just change the value of their hashed password last minute to match your stored one. Give the css rule Display:none; to your data with css so that it hides. Now prompt the user for a password. Then, take that password and run it through the same encryption as you did when you created the password. If that value and the one you stored match, bingo. Just revert your display:none; and you're good to go.

Though I guess that still leaves the problem of somebody just firebugging your display:none away. Guess you'd have to encrypt the data on the page too.

Phillip Schmidt
  • 8,805
  • 3
  • 43
  • 67
  • Thanks for this. Further discussion has been had and it seems that it was the whole sql part that they didn't want on the server. Going to try the above htaccess/htpasswd method first. – Szuturon Aug 09 '12 at 20:41
  • @Szuturon yeah, that's probably your best bet in that case. – Phillip Schmidt Aug 09 '12 at 20:43
  • Any chance you can help me out with this? http://stackoverflow.com/questions/11905751/how-to-set-up-htaccess-and-htpasswd-in-my-private-server – Szuturon Aug 10 '12 at 16:52
  • @Szuturon maybe. I don't have a whole lot of experience with that, but I commented on the question. let me know how it works – Phillip Schmidt Aug 10 '12 at 17:09