Re: Newbie Question: Password protect a webpage

From: Ryan Stewart (zzanNOtozz_at_gSPAMo.com)
Date: 10/23/04


Date: Sat, 23 Oct 2004 07:40:07 -0500


"Paige Miller" <pmiller5NOSPAM@rochester.rr.com> wrote in message
news:w1sed.18698$JS4.11772@twister.nyroc.rr.com...
> I'm trying to come up with a very low-security password protected
> web-page. I have found some short java code on the internet at
> http://www.dynamicdrive.com/dynamicindex9/password.htm that will do what
> I want, if only I could figure out one little thing.
>
> On the gateway page, you place a javascript which asks for the password,
> and then only if the proper password is provided do you allow access to
> the next page. Great. Exactly what I want.
>
> What I can't figure out is this: let's say the password protected page
> is named http://somewhere.com/abraham.html. How do I stop people from
> noticing that name, after the first time they correctly supply the
> password, from going directly to that page (bypassing the need to supply
> the password). If someone makes this page a Favorite, it appears they
> can go directly to this page, not what I want. How do I fix this?
>
> Thanks!
>
You check for the password in the page you want to protect, and you don't
rely on JavaScript to do it. The algorithm on that page you gave is only
slightly harder than plaintext to crack. You have a login page that checks
login credentials server-side, and then store the user id (or better yet,
User object) in the session:
    session.setAttribute("currentUser", user);

Then wherever you need to validate a user (assuming you put a User object in
the session):
    User user = (User) session.getAttribute("currentUser");
    if (user == null) {
        // Go back to login page
    }

You also have the option of allowing certain users more access:
    if (user.isAdmin()) {
        // Let them in the admin section
    } else {
        // Back to login or some error page
    }

For a simpler model, just put the user id in the session and get it out:
    String user = (String) session.getAttribute("currentUser");
    if (user == null) {
        // Go back to login page
    }


