Topic: password without php and mysql
baton1
« on: October 01, 2008, 04:58:52 AM »

I am working on a new page based on the same template as I have now on http://mandrivanainfe.110mb.com/ It's written in pure xhtml without any php, and I don't want to use mysql or have any database. But on the new site I would need to have some pages protected...
Is there any good way to do that? The only thing I found was something like this:
Code:
<form action="?" onsubmit="window.location.href = this.password.value + '.html'; return false">
<input type="password" name="password" />
<input type="submit" value="OK" />
</form>
Can you advise me on anything? Is this protection hard to break? And if I use that one, is there a possibility to make this code with 2 fields (to look like login and password)? And lastly, can it have a password error page (not a 404 error) for bad passwords?

I would be grateful for any advice, because I spent a few days looking on the net without finding anything concrete, and the deadline for starting this new page is coming up soon.
pokeglobal
« Reply #1 on: October 01, 2008, 05:03:42 AM »

Errr...is it even possible to do that without making it ridiculously easy to break? Err...without a database and a way to call the server, where are you gonna put the stored passwords? Are you gonna make the submit page go to a particular page based upon what the password is in? I'm not overfamiliar with this, but it seems quite insecure to me.
baton1
« Reply #2 on: October 01, 2008, 05:11:37 AM »

I just need some easy way to protect pages. There will be no harmful stuff, and if somebody really wanted to break it there would be no losses. I just don't want any random man to be able to access some pages. The thing that matters at this time is to add it to the site quickly and easily. I don't want millions of new pages to have a password.

Maybe sometime later I will do that with some more sophisticated method....

I just want to know: is what I found good? Or is there any easier way?
general vegitable
« Reply #3 on: October 01, 2008, 05:20:16 AM »

I think that you can do it with .htaccess
manicgames
« Reply #4 on: October 01, 2008, 06:13:10 AM »

Which, by the way costs money.
TDSii
« Reply #5 on: October 01, 2008, 06:23:32 AM »

why not php? doesn't xhtml support php embedded?
general vegitable
« Reply #6 on: October 01, 2008, 06:25:49 AM »

I think that it does have an include function, probably nothing like the php one
baton1
« Reply #7 on: October 01, 2008, 06:55:30 AM »

I'm looking for some solution which wouldn't cost me any money. I wrote about not using php because I know nearly nothing about it, so if there is a much better way in php I would need an exact description of how it should look.
Busman
« Reply #8 on: October 01, 2008, 07:04:55 AM »

Quote
I don't want millions of new pages to have a password.

.. which presumably also means you don't want to have to rename the said 'millions of pages'.

If you use a PHP solution, those pages will need a .php extension.
adversus
« Reply #9 on: October 01, 2008, 07:26:48 AM »

Unless he buys .htaccess :p

without using sql: maybe use php with a normal file containing the usernames and passwords, instead of storing them in a database. To avoid having to rename the html pages (without buying .htaccess) a php file has to be included in some way..
bind
« Reply #10 on: October 01, 2008, 07:28:17 AM »

The question I have is: if security isn't important if someone does get through, why have it in the first place?

Unless you are using .htaccess/HTTP_AUTH or php, and considering you don't want to act like a webmaster and structure your site and page extensions to be able to correctly and securely limit access, it's totally a waste of time, as is this thread in attempting to explain it to you with your "but I don't wanna"s.

You either want it secure or not.

It's apparent you don't want to do what is needed for it to be secure, so again, why have it at all?

Just delete it and let people access your pages, as it's no real security at all, and by your own words, it doesn't matter if they get in or not.

Exercises like this just dumb down programming and anyone attempting to learn it, giving them a false sense of security through novice crap code like that gatekeeper.

That said, the gatekeeper javascript should work fine ... until someone distributes your protected page names, they guess the page names, or they get indexed by search engines, enabling them to be directly accessed regardless of the gatekeeper script.

Other than .htaccess/HTTP_AUTH or PHP, there's no other (semi) secure way.

Now of course if you want to give the fake appearance of security without actually taking the time to learn and implement secure strategies, then you're on the right path ;)

« Last Edit: October 01, 2008, 07:36:42 AM by bind » Logged

Primefalcon
« Reply #11 on: October 01, 2008, 07:46:57 AM »

Quote
why not php? doesn't xhtml support php embedded?

you have it the wrong way around, php generates the xhtml/html/css content. php is an embedded language as you say, but the server interprets it before even sending it, so you can use php to generate xhtml/html/css/xml/javascript/plaintext or whatever else you want

if you want basic password control try this, remember this is only a basic script

Code:
<?php
// Basic single-user login gate: include this file at the top of every page to protect.
session_name("WebsiteID");
session_start();
$base_url = "http://yoursite.110mb.com"; //enter your site's base url here
$this_file = $_SERVER['PHP_SELF'];
// REQUEST_URI comes from the client and is echoed into the form below, so escape it
$this_url = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES);
$root_location = $_SERVER['DOCUMENT_ROOT'];
$users_ip_address = $_SERVER['REMOTE_ADDR'];
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : "";

$site_mode = "1";

// $page_mode is not set anywhere in this script; it counts as off unless the including page defines it
if($site_mode == "1" || (isset($page_mode) && $page_mode == "1"))
{
    $security_mode = "1";
}
else
{
    $security_mode = "0";
}

// Empties and destroys the session, then expires its cookie.
// The cookie carries the name given to session_name() above, not PHPSESSID.
function end_session()
{
    $_SESSION = array();
    session_destroy();
    setcookie(session_name(), "", time()-3600, "/");
}

if(isset($_GET['logout']))
{
    end_session();
    header("Location: $base_url");
    exit();
}

$logged_on = isset($_SESSION['logged_on']) && $_SESSION['logged_on'] == "yes";

// Drop the session if the browser's user agent changed since login
if($logged_on && $_SESSION['user_check'] != md5($user_agent))
{
    end_session();
    sleep(5);
    header("Location: $base_url");
    exit(); // stop here, otherwise the protected page would still be sent
}

if(!isset($_SESSION['form_submitted_token']))
{
    $_SESSION['form_submitted_token'] = "none_submitted";
}

if(isset($_POST['form_submitted']) && $_POST['form_submitted'] == "yes")
{
    $username = htmlentities(isset($_POST['username']) ? $_POST['username'] : "");
    // Hash the raw password so it matches the output of an md5 tool
    $password = md5(isset($_POST['password']) ? $_POST['password'] : "");
    $submitted_token = isset($_POST['form_submitted_token']) ? $_POST['form_submitted_token'] : "";
    $session_token = $_SESSION['form_submitted_token'];

    // Strict comparison: a missing, empty or never-issued token must not match
    if($session_token == "none_submitted" || $submitted_token !== $session_token)
    {
        end_session();
        sleep(5);
        exit("Login process failed, Please try again");
    }

    if($username == "your user" && $password == "yuor md5 generated password")
    {
        session_regenerate_id(true); // new session id on login, old one discarded
        $_SESSION['logged_on'] = "yes";
        $_SESSION['username'] = $username;
        $_SESSION['user_check'] = md5($user_agent);
        $logged_on = true;
    }
    else
    {
        end_session();
        sleep(5);
        exit("Login process failed, Please try again");
    }
}

// Not logged in: issue a fresh form token and show the login form instead of the page
if(!$logged_on && $security_mode == "1")
{
    $form_token = md5(uniqid(rand(), true));
    $_SESSION['form_submitted_token'] = $form_token;
    echo <<<ENDECHO
<html><head><title>GNU Login</title>
</head><body bgcolor="#000000">
<center><font color="#24FF10">
<br />This area is not open to the public,<br />if you have been authorised to view this site,<br />please enter your username and password below, Thank you<br /><br />
</font></center>
<center><table border="3" bordercolor="#79FF5E"><tr><td bgcolor="#9EFF15">
<center><form action="$this_url" method="post">
username<br />
<input type="text" name="username" />
<br /><br />
password<br />
<input type="password" name="password" /><br />
<input type="hidden" name="form_submitted" value="yes" />
<input type="hidden" name="form_submitted_token" value="$form_token" />
<input type="submit" name="Login" value="Go on, try and login" />
</form></center>

</td></tr></table></center>
</body>
</html>
ENDECHO;
    exit();
}
?>

and here's a tool to encrypt your password in a simple md5 hash
http://www.allhype.co.uk/tools/md5/

as I said it is a basic tool, as you'd be better off throwing a salt into the mix, but it should serve what you want as it does have very basic protection.

Just put in your user and hashed password and you'll be fine, then just include this script via

Code:
<?php
include("/control_script.php")
?>
« Last Edit: October 01, 2008, 07:48:28 AM by primefalcon » Logged

bind
« Reply #12 on: October 01, 2008, 07:56:57 AM »

nice script but 2 things ....

1. login name shouldn't be case sensitive:

you can make login name case-insensitive by changing this line:

Code:
if($username == "your user" && $password == "yuor md5 generated password")

to:

Code:
if((strcasecmp($username,"your user") == 0) && ($password == "yuor md5 generated password"))

and 2:

the OP obviously doesn't want to be a webmaster and edit every file and extension.

but that's a nice script ... thanks for sharing it.
« Last Edit: October 01, 2008, 07:59:15 AM by bind » Logged

Primefalcon
« Reply #13 on: October 01, 2008, 08:02:25 AM »

You're welcome. I wrote it up just as a basic protection for developments that were in design; as such it was meant for pages that didn't have links to them... which is the reason I didn't bother making the user case-insensitive. I wrote this as a quick easy script, it wasn't meant as a heavy duty script, otherwise I would have used a salted md5 and other measures.

But without using something like this, his only other options are .htaccess (which is a bit unwieldy for file level stuff), the other option is JavaScript, but you could break that just by viewing the source, so you can't really class JavaScript as a viable option. So whether he likes it or not he'll really have to use PHP here. Whether you need MYSQL is a matter of whether you need to database a large amount of separate users or not.

You do have other options, but not without having more control than 110mb or most hosts give you.
« Last Edit: October 01, 2008, 08:20:20 AM by primefalcon » Logged

bind
« Reply #14 on: October 01, 2008, 08:30:43 AM »

I couldn't agree more.

the OP shouldn't have a login script at all if he doesn't want to make it at least semi-secure.

eh but it's his/her site .. they can do what they want.

ps- I agree about the salted hashes too .... it's much harder to brute force

Code:
<?php
$_COOKIE['var'] = md5("-thIs_1-is_a_salted-HAsH_4-noObz-2_try-2_CRaCk---".$username);
?>

than it would be to try and crack:

Code:
<?php
$_COOKIE['var'] = md5($username);
?>

with rainbow tables the latter would probably be cracked in a matter of seconds or minutes if $username was something simple and short, like "fred" or "bob".
« Last Edit: October 01, 2008, 08:42:16 AM by bind » Logged

Primefalcon
« Reply #15 on: October 01, 2008, 12:33:36 PM »

the sleep function also helps combat brute forcing immensely and makes it a lot harder. If I had planned to make this an open script that checked a lot of users then I would have it salted by default anyhow, or maybe even switch it over to the latest sha hash (a stronger type of hash, the md5 has actually been compromised by 1 known government).

I just checked 110mb and they support the following hashes

Quote
md4 md5 sha1 sha256 sha384 sha512 ripemd128 ripemd160 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru gost adler32 crc32 crc32b haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5

So I'd prob recommend a salted sha512 (which uses the triple des method), that is until the sha 3 family gets released, which btw is in development atm
« Last Edit: October 01, 2008, 12:54:53 PM by primefalcon » Logged

Primefalcon
« Reply #16 on: October 02, 2008, 10:48:09 AM »

BTW I just wish to point out one error in your logic Bind: hashing passwords will not protect from brute forcing in any way whatsoever, that's why the sleep function is in there, to inhibit that.

The hashing of passwords, and storing the password hashed as such in the database, simply protects them from being readable by anyone who gains access to the hashed password. Otherwise they are stored as plain text.

So your logic about hashing protecting against brute forcing is false....
advanced-scape
« Reply #17 on: October 02, 2008, 11:12:07 AM »

hmm so primefalcon

all I do is create a new page called e.g. testlogin.php

then I paste that code in it? so I put mine as: http://www.advanced-scape.110mb.com/testlogin.php

where do I put the second little thing:

Code:
<?php
include("/control_script.php")
?>

thanks :)
Primefalcon
« Reply #18 on: October 02, 2008, 11:18:11 AM »

well, you upload the control_script.php onto your server.

and then in the include bit

Code:
<?php
include("path/to/file/");
?>

the only bits you need to change: set the base url how I mentioned, and also set your username and password how I said.

that's it
bind
« Reply #19 on: October 02, 2008, 08:22:46 PM »

Quote
BTW I just wish to point out one error in your logic Bind: hashing passwords will not protect from brute forcing in any way whatsoever, that's why the sleep function is in there, to inhibit that.

The hashing of passwords, and storing the password hashed as such in the database, simply protects them from being readable by anyone who gains access to the hashed password. Otherwise they are stored as plain text.

So your logic about hashing protecting against brute forcing is false....

where did I state anything about hashing or brute forcing passwords in this thread?

nowhere.

since that's settled, hashes are used for considerably more than password hashing (like in the cookie example I have shown), but as you state, in the case where someone on a shared server or a nosy data center admin starts viewing your database hashes, the seeded hashes indeed will exponentially increase the time and difficulty of brute forcing them, and cracking them takes so long, they end up giving up because no rainbow tables will ever have that value, so it's secure.

As an exercise, I just (2 hours ago) used rainbow tables to crack the hash for an 8 letter/number password and it took 2 minutes and 38 seconds ... Then I added a 64 character salt to the hash and it's been running for 2 hours and still hasn't been cracked. I will leave it running and see how long it takes, if ever, to crack. I'll post later about it if it gets cracked.

my logic is perfectly accurate.
« Last Edit: October 02, 2008, 08:53:19 PM by bind » Logged
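
The salting and brute-force points from replies #14 to #16 and #19, as an added example that is not part of the thread or of Primefalcon's script: it contrasts unsalted `md5()` with PHP's built-in `password_hash()` / `password_verify()`, which salt every record automatically. PHP 5.5 or later is assumed, and the function names, user name and passwords are constructed for illustration.

```php
<?php
// Added example; not Primefalcon's code. Function names, the user name and
// the passwords are constructed for illustration.

// Unsalted MD5 as in the thread's script: equal passwords give equal digests
// on every site, which is what a precomputed (rainbow) table relies on.
function unsalted_digest($password)
{
    return md5($password);
}

// password_hash() picks a new random salt on each call and stores the salt,
// algorithm and cost inside the returned string, so nothing extra is kept.
// The cost setting also makes every offline guess slow.
function make_record($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Stand-in for the script's "$username == ... && $password == ..." line.
function check_login($username, $password, $expected_user, $stored_record)
{
    // Case-insensitive user name, as suggested in reply #12.
    $user_ok = strcasecmp($username, $expected_user) === 0;
    // Verify even when the user name is wrong, so both failures take the
    // same time; password_verify() re-derives the hash with the stored salt.
    $pass_ok = password_verify($password, $stored_record);
    return $user_ok && $pass_ok;
}

// Constructed sample data. On a real site the record is generated once and
// pasted into the script in place of the MD5 string.
$record_a = make_record('correct horse 42');
$record_b = make_record('correct horse 42');

$checks = array(
    'md5 repeats for the same password' => unsalted_digest('fred') === unsalted_digest('fred'),
    'salted records differ for the same password' => $record_a !== $record_b,
    'right user and password accepted' => check_login('Admin', 'correct horse 42', 'admin', $record_a),
    'wrong password rejected' => !check_login('admin', 'wrong guess', 'admin', $record_a),
);
foreach ($checks as $label => $passed) {
    echo $label, ': ', $passed ? 'yes' : 'no', "\n";
}
```

The salted, slow hash covers the case where the stored record leaks; guessing against the live login form is a separate problem, which is what the `sleep(5)` in the script is aimed at.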
