MBruns for President
 
JeremyD's Avatar
 
Join Date: Jun 2001
Location: St. Pete, FL
Posts: 15,061
Web developers - what's the easiest way to password protect a page?

I have been creating and maintaining our company website - just one of the hats I wear.

One of the pages I want to set up with profiles of candidates (with a short video) that I want our client (only) to access - is there a way to password protect this page? I know I can create it blind - and that someone would have to have the exact address to access - but I'd prefer to password protect it.

I've been using FrontPage - also have MS Expression loaded - but not that easy to use. Help or direction would be appreciated.

__________________
Current Whip: - 2003 996 Twin Turbo - 39K miles - Lapis Blue/Grey
Past: 1974 IROC (3.6) , 1987 Cabriolet (3.4) , 1990 C2 Targa, 1989 S2
Old 07-22-2009, 11:20 AM
Porsche 911 SC, SAAB SPG
 
Join Date: Sep 2007
Location: Charlotte, NC
Posts: 308
The easiest way to do this is to have an opening page that presents a password text box and a button. The user then puts in the password and hits the okay button.

You run a javascript to check the password and either load the protected page, or throw up an error message saying to try again.

You also need to prevent the protected page from loading if someone is smart enough to put in the URL directly. Another javascript could handle this on the protected page. You will probably need a flag of some kind on the client side to see if they typed in the password or not.

There are other ways to do this as others may comment. This is just what came to my head first.
__________________
Jeff C
Old 07-22-2009, 12:05 PM
Registered
 
slodave's Avatar
 
Join Date: Sep 2005
Location: Encino Man
Posts: 22,394
See if your host supports htaccess files.

http://www.sitedeveloper.ws/tutorials/htaccess.htm
__________________
Make sure to check out my balls in the Pelican Parts Catalog! 917 inspired shift knobs.

'84 Targa - Arena Red - AX #104
'07 Toyota Camry Hybrid - Yes, I'm that guy...
'01 Toyota Corolla - Urban Camouflage - SOLD
Old 07-22-2009, 01:46 PM
Registered
 
Join Date: Jan 2003
Location: IL
Posts: 1,638
super simple version...

header on all 'secure' pages to check if a cookie = 'logged in'
if not, redirect to login form
login form goes to page that checks to see if the form entries = some hard coded values
if they're equal, then set the cookie to 'logged in' and redirect to secured page
if not equal then redirect back to the login form.
Old 07-22-2009, 02:29 PM
Registered
 
gwood's Avatar
 
Join Date: Feb 2007
Posts: 352
Expression Web will have a login control to put on your opening page and a preconfigured membership database. Search the help files for "membership."
Old 07-22-2009, 04:18 PM
Registered
 
jeffgrant's Avatar
 
Join Date: Mar 2005
Location: London, ON, Canada
Posts: 1,737
Quote:
Originally Posted by jcunning View Post
The easiest way to do this is to have an opening page that presents a password text box and a button. The user then puts in the password and hits the okay button.

You run a javascript to check the password and either load the protected page, or throw up an error message saying to try again.

You also need to prevent the protected page from loading if someone is smart enough to put in the URL directly. Another javascript could handle this on the protected page. You will probably need a flag of some kind on the client side to see if they typed in the password or not.

There are other ways to do this as others may comment. This is just what came to my head first.


Never, EVER trust authentication or authorization on the client side. If you tried to protect a page as you just mentioned, I'd be into it in no time flat. By definition, you've allowed all the code to the client, and it can be read and reverse engineered, regardless of how obfuscated it is.

That's equivalent to locking your door but leaving the key under the mat.


Do the protection from the web server config files, where you can define the URLs/paths to protect, users, groups, and realms, utilizing simple/basic http password protection.

It's integrated in EVERY web browser, and automatically deals with the security tokens/cookies/etc. It can even handle browsers that don't have cookies enabled.

This can be done via an .htaccess file (as slodave says), assuming the "allowOverrides" option has been enabled.

It also depends on what web server you're running. (.htaccess is usually an Apache thing).


Figure out what web server you're running, and then Google for that server and "authentication", and you should be good to go.


$0.02


PS: I'm a technical architect specializing in internet security engineering, if that makes any difference.
Old 07-22-2009, 07:40 PM
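An added example (not part of the thread or any poster's own configuration) of the server-side HTTP Basic authentication setup that jeffgrant's post above describes, for Apache 2.4. The paths, realm name and user name are placeholders; Apache spells the directive that permits authentication settings in .htaccess `AllowOverride`, and `SSLRequireSSL` assumes mod_ssl is loaded.

```apache
# --- Main server config (httpd.conf or the vhost file; controlled by the host) ---
# /var/www/example/clients is a placeholder for the directory to protect.
<Directory "/var/www/example/clients">
    # Let .htaccess files in this tree set authentication directives only.
    AllowOverride AuthConfig
</Directory>

# --- /var/www/example/clients/.htaccess ---
# Create the password file outside the document root so it can never be served:
#   htpasswd -c -B /etc/apache2/auth/clients.htpasswd clientuser
# (-c creates the file, -B stores a bcrypt hash; omit -c when adding more users)
AuthType Basic
AuthName "Client area"
AuthUserFile "/etc/apache2/auth/clients.htpasswd"
Require valid-user

# Basic auth sends the password base64-encoded, not encrypted, on every
# request, so refuse any request to this directory that is not over HTTPS.
SSLRequireSSL
```

Because the server checks credentials before it sends any file, the same rule covers videos and PDFs in the directory as well as the HTML pages.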
 
Registered
 
jeffgrant's Avatar
 
Join Date: Mar 2005
Location: London, ON, Canada
Posts: 1,737
I should also mention that the method I've described allows you to protect other non-web-page content as well, such as graphics, downloadable assets (pdf files, movies, etc).
Old 07-22-2009, 07:42 PM
Stay away from my Member
 
campbellcj's Avatar
 
Join Date: Aug 1999
Location: Agoura, CA
Posts: 5,773
If you are using IIS (Windows) for the web server, you can simply turn off anonymous access for a site or folder. Then any user will need to input a regular Windows ID and password to login -- this means you have to have a way to set up accounts for your users as well as have enough licenses (CALS) for them. It really depends on your exact needs and environment as there are lots of options -- although some require coding or installation of additional code to implement.
__________________
Chris C.
1973 914 "R" (914-6) | track toy
2009 911 Turbo 6-speed (997.1TT) | street weapon
2021 Tesla Model 3 Performance | daily driver
2001 F150 Supercrew 4x4 | hauler
Old 07-22-2009, 08:35 PM
MBruns for President
 
JeremyD's Avatar
 
Join Date: Jun 2001
Location: St. Pete, FL
Posts: 15,061
Thanks for the input - I'll check these out - this really helps give me some direction
__________________
Current Whip: - 2003 996 Twin Turbo - 39K miles - Lapis Blue/Grey
Past: 1974 IROC (3.6) , 1987 Cabriolet (3.4) , 1990 C2 Targa, 1989 S2
Old 07-23-2009, 05:08 AM
Registered
 
Join Date: Jan 2003
Location: IL
Posts: 1,638
Quote:
Originally Posted by jeffgrant View Post
Never, EVER trust authentication or authorization on the client side. If you tried to protect a page as you just mentioned, I'd be into it in no time flat. By definition, you've allowed all the code to the client, and it can be read and reverse engineered, regardless of how obfuscated it is.
I was assuming (my fault) PHP or ASP server side script for that 'solution'.

He asked for something simple, that's a simple solution that requires a bit of coding.

If it allows htaccess files, go that direction. If it's an IIS machine (some IIS hosts also allow htaccess), here's some code to use the web.config method...

http://support.netfirms.com/idx.php/73/786/article/How-do-I-passwordprotect-a-web-page-using-ASPNET.html

Last edited by einreb; 07-23-2009 at 05:36 AM..
Old 07-23-2009, 05:26 AM
Registered
 
jeffgrant's Avatar
 
Join Date: Mar 2005
Location: London, ON, Canada
Posts: 1,737
Quote:
Originally Posted by einreb View Post
I was assuming (my fault) PHP or ASP server side script for that 'solution'.

He asked for something simple, that's a simple solution that requires a bit of coding.

If it allows htaccess files, go that direction. If it's an IIS machine (some IIS hosts also allow htaccess), here's some code to use the web.config method...

http://support.netfirms.com/idx.php/73/786/article/How-do-I-passwordprotect-a-web-page-using-ASPNET.html
Ahh... my bad. I never really consider Javascript as a server-side solution, only client side.

Old 07-23-2009, 06:03 AM