Password access to webpage

[Barney]

Hi,
I have a club website where I would like members only to be able to access
each others phone nos etc.

Is it possible to apply password access to a webpage created in FP 2003?

Thanks.
Barney.

 

[Tom Pepper Willett]

Password Protect Part of a Web:
http://support.microsoft.com/default.aspx?scid=kb;en-us;301554

--
===
Tom "Pepper" Willett
Microsoft MVP - FrontPage
---
About FrontPage 2003:
http://office.microsoft.com/home/office.aspx?assetid=FX01085802
How to ask a newsgroup question:
http://support.microsoft.com/kb/555375
===
| Hi,
| I have a club website where I would like members only to be able to access
| each others phone nos etc.
|
| Is it possible to apply password access to a webpage created in FP 2003?
|
| Thanks.
| Barney.
|
|

 

[Andrew Murray]

Try the methods listed here:

http://www.murraywebs.com/faq.asp?fpdbr_0_PagingMove=++|<++&ID=13

 

[Trevor L.]

What if your server does not have FP extensions nor support ASP or databases
?

I found some code somewhere which asks for the name of a folder and a file
within that folder (as username and password).
Both names are fairly obscure and hopefully not visible by normal means. If
they are entered correctly, then the named file within the named folder is
opened - this can be a link to the rest of the site if one wanted.

What do experts think of this method? It is on my site - click on "Password
test"

 

[Ronx]

It is a JavaScript attempt at security. Since the username and password are
displayed in the browser adress window, it is not secure. Also, the linked
page can be saved in Favourites, thus negating the security totally. Server
side security is always in place: even if the secured page is placed in
Favourites a valid logon will be required.

PS - Trevor - I have opened your secure page which contains the text
"You have entered the secure file" and a return button.
You will have to be more imaginative with the userid and password )

 

[Trevor L.]

Ronx,
Thanks for the feedback.

I thought that the username and password would only be displayed once you
cracked them, and that they were fairly obscure

The username (folder name) is
3 lower case letters
2 uppercase letters
2 lower case letters
2 numeric digits
1 lower case letter

The password(filename) is
2 lower case letters
1 uppercase letter
1 lower case letter
1 uppercase letter
3 numeric digits
1 underscore
2 lower case letters

Can you actually see the folder and filename when you open the site? If so,
where?

Yes, the linked page can be saved. It is not the filename with the obcsure
name - this file is only a link to the file opened, but of course once
opened it is clear what the filename is. I should make it a frame and then
the name shown will not be the frame name but the frameset name

Of course, I really don't care about secure pages. It is merely an
intellectual exercise.

Is the conclusion that *only* server-side security will work, and that any
passwords will always be available to the visitor ?

 

[Ronx]

Check your email for how I got in.

Comments Inline
--
Ron Symonds
Microsoft MVP (FrontPage)
Reply only to group - emails will be deleted unread.

Ronx,
Thanks for the feedback.

I thought that the username and password would only be displayed once you
cracked them, and that they were fairly obscure

True - they are obscure, and not easily guessed, and they only display when
"cracked"

The username (folder name) is
3 lower case letters
2 uppercase letters
2 lower case letters
2 numeric digits
1 lower case letter

The password(filename) is
2 lower case letters
1 uppercase letter
1 lower case letter
1 uppercase letter
3 numeric digits
1 underscore
2 lower case letters

Can you actually see the folder and filename when you open the site? If so,
where?

Not visible

Yes, the linked page can be saved. It is not the filename with the obcsure
name - this file is only a link to the file opened, but of course once
opened it is clear what the filename is. I should make it a frame and then
the name shown will not be the frame name but the frameset name

The secure page opens in your frameset. It can be saved, framed or not.

Of course, I really don't care about secure pages. It is merely an
intellectual exercise.

Is the conclusion that *only* server-side security will work, and that any
passwords will always be available to the visitor ?

JavaScript security can work - but I would not put too much private stuff
behind it. The userid and password, since they are alphanumeric + a few
other characters, can be cracked with persistence. On Windows servers, the
CaSe does not matter, roughly halving the number of characters that can be
used. Using Server Side security the number of available characters can be
increased considerably, possibly to 240 odd ASCII codes for each character -
the backspace, Delete and some control codes may be difficult to use. But
even that is crackable. The main disadvantages of JavaScript are that there
is one Userid/password for all users, it is displayed in the browser, and
the secure page itself has no security if it is stumbled on by accident.

 

[Brett...]

A few years ago, someone challenged the subscribers to this newsgroup to
"crack" a java-script password protected website.
To my knowledge it was never cracked.

Remember "secure" is a relative term - if you want to guarantee security,
don't put it on the web. It is a case of establishing HOW secure the data
you are trying to secure needs to be.

Do bear in mind that there are some useless java-script solutions out there.
I'd recommend Gatekeeper.