jeffgrant
Quote:
Originally Posted by jcunning
The easiest way to do this is to have an opening page that presents a password text box and a button. The user then puts in the password and hits the okay button.

You run a javascript to check the password and either load the protected page, or throw up an error message saying to try again.

You also need to prevent the protected page from loading if someone is smart enough to put in the URL directly. Another javascript could handle this on the protected page. You will probably need a flag of some kind on the client side to see if they typed in the password or not.

There are other ways to do this as others may comment. This is just what came to my head first.


Never, EVER trust authentication or authorization on the client side. If you tried to protect a page as you just mentioned, I'd be into it in no time flat. By definition, you've allowed all the code to the client, and it can be read and reverse engineered, regardless of how obfuscated it is.

That's equivalent to locking your door but leaving the key under the mat.


Do the protection from the web server config files, where you can define the URLs/paths to protect, users, groups, and realms, utilizing simple/basic HTTP password protection.

It's integrated in EVERY web browser, and automatically deals with the security tokens/cookies/etc. It can even handle browsers that don't have cookies enabled.

This can be done via an .htaccess file (as slodave says), assuming the "allowOverrides" option has been enabled.

It also depends on what web server you're running. (.htaccess is usually an Apache thing).


Figure out what web server you're running, and then Google for that server and "authentication", and you should be good to go.


$0.02


PS: I'm a technical architect specializing in internet security engineering, if that makes any difference.
07-22-2009, 08:40 PM
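The contrast drawn in the reply above, as an added example that is not part of the original thread: the client-side check from the quoted suggestion next to the decision a web server makes for HTTP Basic authentication. All names, passwords, the realm and the in-memory user map are constructed assumptions; the map stands in for the server's hashed password file.

```javascript
// Added example; every name and value below is constructed.

// Weak pattern from the quoted suggestion: the check ships to the browser,
// so the password and the "protected" URL are readable in the page source.
function clientSideCheck(input) {
  const PASSWORD = "hunter2";
  return input === PASSWORD ? "/members.html" : null;
}

// Server-side pattern: the decision a web server makes for HTTP Basic auth.
const REALM = "Members";
// Stand-in for the server's password file, which would hold hashes.
const USERS = new Map([["alice", "correct horse"]]);
const PROTECTED_BODY = "<h1>Members only</h1>";

// Compare every byte instead of stopping at the first mismatch.
function constantTimeEqual(a, b) {
  const x = Buffer.from(a, "utf8");
  const y = Buffer.from(b, "utf8");
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Parse "Authorization: Basic base64(user:password)".
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/i.exec(header || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // the user name cannot contain ":", the password can
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

function handleRequest(headers) {
  const creds = parseBasic(headers.authorization);
  const expected = creds ? USERS.get(creds.user) : undefined;
  if (expected !== undefined && constantTimeEqual(creds.pass, expected)) {
    return { status: 200, headers: {}, body: PROTECTED_BODY };
  }
  // No valid credentials: challenge the browser and send nothing protected.
  const challenge = { "WWW-Authenticate": `Basic realm="${REALM}"` };
  return { status: 401, headers: challenge, body: "" };
}
```

Basic credentials are only base64-encoded in transit, so the protected path should be served over HTTPS.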