Regular on 15/08/2009 at 12:57:50PM
Total Posts: 2 |
hi all
is it possible to make a page available to members only, i.e. password protected
|
|
|
|
|
|
|
|
Warhunt
"Life int a DPS race"
Staff Moderator Send a message on 15/08/2009 at 1:25:33PM
Total Posts: 1481
|
|
Welcome to the forums!
I can see you are using a Freeola InstantPro site. I believe there is a decent thread about this already on here, I'll pop and find it in a tick if I can.
Short answer is "not really". You can't password protect certain pages of your site on the InstantPro Builder.
You may have noticed though, that you can set a page live to make it display online.....however you can also choose whether to have this display in the navigation menu on the site or not.
By removing the option to have it linked on the nav menu, you make it "private" of a sort. Meaning only those who know the page link would be able to visit it. Did this on mine, but it's not a foolproof method (SE's etc still find it)
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 15/08/2009 at 4:03:30PM
Total Posts: 1691
|
jj2 wrote:
> hi all
> is it possible to make a page available to members only, i.e.
> password protected
If I've understood things correctly Freeola are currently working on a JavaScript plugin.
This would then allow you to control password protected areas - not as robust as .htaccess/.htpasswd but could work for you.
Hmmm... My Freeola Instant Site
|
|
|
|
Eccles
"Aargh! Broken..."
Staff Moderator Send a message on 15/08/2009 at 6:56:19PM
Total Posts: 702
|
|
I'm not sure how JavaScript could provide password protected areas. It's a client-side scripting language that can easily be turned off by the user, bypassing any restrictions it controls.
Page protection/user control is coming but there is no time scale yet.
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 15/08/2009 at 7:33:50PM
Edited: 15/8/09 19:39 Total Posts: 1691
|
Eccles wrote:
> I'm not sure how JavaScript could provide password protected
> areas. It's a client-side scripting language that can easily be
> turned off by the user, bypassing any restrictions it controls.
> Page protection/user control is coming but there is no time
> scale yet.
As I said it isn't as robust as .htaccess; but there are a few JavaScripts that will stop most surfers!
But if you are implementing improvements helping the OP then that also sounds promising!
EDIT: Or I could have just said you have to switch to a normally hosted site then you have lots of options! :¬P
Hmmm... My Freeola Instant Site
|
|
|
|
LukeM
"Imperfection"
Staff on 20/08/2009 at 10:24:52AM
Total Posts: 70
|
|
Ergghhhh, JavaScript is not secure.
First rule of client side coding: Do not trust the client side.
Hopefully Eccles can implement password protection by the time of our next release, woop woop!
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 20/08/2009 at 12:10:20PM
Total Posts: 1691
|
As I said it isn't very robust but is an option when .htaccess isn't available.
Unless you are storing MI5 secrets then you can protect a 'members' page by using JavaScript!
Still don't believe me!
A quick Google found a decent looking script.
I've cobbled together a demo for you to crack:
JavaScript Password Challenge!
As you will see I've only added one user: 'Freeola'.
I've put a word on the protected page - just tell me what it is!
FAO staffies:
I know you've got access but NO cheating by FTPing to my webspace and looking for files! :¬P
Hmmm... My Freeola Instant Site
|
|
|
|
Warhunt
"Life int a DPS race"
Staff Moderator Send a message on 20/08/2009 at 12:52:48PM
Total Posts: 1481
|
|
Ha ha if anyone has time to do this rather than work, I think they need to be scalped :D
Expect an answer soon anyway though, if it's possible. Always the way with IT people (or people who think they know everything anyway), once a challenge is set.........haha
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 20/08/2009 at 12:59:45PM
Total Posts: 1691
|
Freeola, remember no 'reverse engineering' by looking at my files!!!
Perhaps I should have put the demo with another host!
As long as you can explain how you cracked things I'll be happy...
Hmmm... My Freeola Instant Site
|
|
|
|
Warhunt
"Life int a DPS race"
Staff Moderator Send a message on 20/08/2009 at 1:09:22PM
Edited: 20/8/09 13:13 Total Posts: 1481
|
|
So basically even if someone in the office (not myself 'cos to be honest got no time for it, and probably couldn't anyway) you'll claim they cheated? :D He he, I know I would.
Still interesting debate though. I'll check back in a bit to see if anyone has managed it :D
|
|
|
|
LukeM
"Imperfection"
Staff on 20/08/2009 at 1:10:28PM
Total Posts: 70
|
|
Just so you know Hmmm, nothing on the FTP will be different from viewing source in my Internet browser since your security solution you have chosen is in JavaScript which is completely client side coded and therefore available within a client browser.
Since your functions are all client side (presuming this is only a JS password login) then they will be reverse engineer-able.
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 20/08/2009 at 1:13:50PM
Total Posts: 1691
|
Just so you know LukeM, I meant no 'peeping' at the files on my web space to see where the members page is.
I can 'see' a Freeola staffie has already looked at the members page!!! :¬P
Hmmm... My Freeola Instant Site
|
|
|
|
ButchML
"AYBABTU"
Staff Moderator Send a message on 20/08/2009 at 1:27:43PM
Edited: 20/8/09 13:28 Total Posts: 861
|
|
Hmmm... wrote:
> I can 'see' a Freeola staffie has already looked at the members
> page!!! :¬P
That would be me, as I have nowhere near enough knowledge to crack this, I was 'reverse-engineering' a solution. LukeM knows nothing of what I discovered however :)
|
|
|
|
LukeM
"Imperfection"
Staff on 20/08/2009 at 1:28:32PM
Total Posts: 70
|
|
Lol, I do realise, however if I were to attempt to crack this, the only valid way would be to tell you the password, not to look at the page.
Damn ButchML for peeping! But anyways, this challenge is open until the password has been revealed by the cracker in my eyes.
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 20/08/2009 at 1:37:14PM
Total Posts: 1691
|
ButchML wrote:
> That would be me...
lol - you guys! I specifically said NO CHEATING! :¬)
I think I've sort of proved my point that you can use JavaScript to 'protect' a members page. No it isn't robust but a half decent script seems to be able to keep most surfers out!
Warhunt seems to think I'm wasting my time (I am!) but thought the effort was worth it to reply to Eccles & LukeM's earlier posts.
I can see some of Freeola's biggest brains (not just staffies) have had a go ;¬)
So IMO if this page is safe guarding the local WI's recipes it would do...
Hmmm... My Freeola Instant Site
|
|
|
|
Warhunt
"Life int a DPS race"
Staff Moderator Send a message on 20/08/2009 at 1:55:27PM
Edited: 20/8/09 14:14 Total Posts: 1481
|
|
Hmmm... wrote.....
> Warhunt seems to think I'm wasting my time (I am!) but thought
> the effort was worth it to reply to Eccles & LukeM's earlier
> posts.
Haha always me ain't it? No matter how nice I try to be :( LOL
No idea what I said to make you see "I think you are wasting your time" but ...meh....not important. :D
I actually thought it was fun. But I didn't have the time to look into it myself, as I'm busy. (Plus I wouldn't have been able to do anything anyway)
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 20/08/2009 at 2:03:06PM
Edited: 20/8/09 14:05 Total Posts: 1691
|
Don't be so touchy! :¬)
Ha ha if anyone has time to do this rather than work, I think they need to be scalped :D -
that was what I meant about me 'wasting my time' - and I'm in agreement with you!
EDIT: I think I've read you all wrong!
were you referring to people trying the challenge? I thought you meant it was me that should be 'scalped'! :¬P
This all goes back to my InstantPro Javascript/Adsense post - I just mentioned (picking on Eccles not you!) that this was another thing to look forward to when the InstantPro JavaScript plugin is available.
Hmmm... My Freeola Instant Site
|
|
|
|
Warhunt
"Life int a DPS race"
Staff Moderator Send a message on 20/08/2009 at 2:13:41PM
Total Posts: 1481
|
|
Haha yeah I meant our staff. Mainly a dig seen as I'm so busy lol :D
And my other post was meant light hearted too, haha, maybe I just shouldn't post :D Bah humbug and all that :P
I think LukeM was fairly close by the way. He was making all the right noises :D
|
|
|
|
LukeM
"Imperfection"
Staff on 20/08/2009 at 3:14:50PM
Total Posts: 70
|
|
I was not making any noises Warhunt!! :S lol
Well I'm meant to be working anyways, stop trying to distract me Hmmm! The hashing function in JavaScript is mighty, I think the only way to reverse it would be not to reverse it and brute force it instead.
I'll try it when I get home from work :D I love the challenge Hmmm, a colleague suggested a "challenge Hmmm" forum!
Oh I need a scalping :'(
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 20/08/2009 at 3:42:57PM
Total Posts: 1691
|
LukeM wrote:
> Ergghhhh, JavaScript is not secure.
> First rule of client side coding: Do not trust the client side.
Hmmm... see tag line! :¬)
Seems some JavaScripts are better than others...
It will 'brute force' it appears.
Hmmm... My Freeola Instant Site
|
|
|
|
Garin
"Devil in disguise"
Regular on 20/08/2009 at 4:31:03PM
Total Posts: 2074
|
|
Clever script. More secure than many server side login scripts I've seen. :) I imagine that hash function produces many collisions so not something you can reverse engineer. Still, as has been said, brute force and a few hours on a modern PC and you'd soon have all the answers.
I see no problem in using such scripts as long as people are aware of the limitations and realise that it's possible for the URL to be passed around etc. I imagine there's an AJAX version around somewhere to help hide the URL from being plainly visible on the browser too.
|
|
|
|
LukeM
"Imperfection"
Staff on 21/08/2009 at 3:02:31PM
Total Posts: 70
|
|
Garin wrote:
> Clever script. More secure than many server side login scripts
> I've seen. :) I imagine that hash function produces many
> collisions so not something you can reverse engineer. Still, as
> has been said, brute force and a few hours on a modern PC and
> you'd soon have all the answers.
>
> I see no problem in using such scripts as long as people are
> aware of the limitations and realise that it's possible for the
> URL to be passed around etc. I imagine there's an AJAX version
> around somewhere to help hide the URL from being plainly visible
> on the browser too.
Introducing AJAX with a back end script would be a more secure solution since it could do the secure part on the server side. However, this wouldn't be possible with InstantPro, even if you could include JavaScript, since the AJAX call would need to be to another server, which is a cross-domain call, and those are blocked by default by modern browsers for security purposes :(
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 21/08/2009 at 7:59:57PM
Total Posts: 1691
|
I see no one since ButchML had an (illegal) peep yesterday has managed to view my JavaScript protected 'members' page!
But I can't see any of the doubters eating any humble pie either?!?! :¬P
Hmmm... My Freeola Instant Site
|
|
|
|
Digitrader
"rodeado de tontos"
Moderator on 22/08/2009 at 12:43:19AM
Total Posts: 898
|
|
Two failed attempts and a pop up box saying Incorrect password! then I cracked it popped in my next attempt and page refreshed and no pop up box so does that mean I win?
Do I get a GAD ?
Digi
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 22/08/2009 at 5:19:56PM
Total Posts: 1691
|
Digitrader wrote:
> Two failed attempts and a pop up box saying Incorrect password!
> then I cracked it popped in my next attempt and page refreshed
> and no pop up box so does that mean I win?
>
> Do I get a GAD ?
>
> Digi
Unlucky Digi - if you manage to reach the 'members page' you will see I've added a word you can quote which shows you've cracked it.
Hmmm...
|
|
|
|
Garin
"Devil in disguise"
Regular on 23/08/2009 at 5:06:24PM
Total Posts: 2074
|
|
Any news on that humble pie? Is it taking a long time to bake??
|
|
|
jj2
Regular on 23/08/2009 at 5:09:14PM
Total Posts: 2
|
|
many thanks all, haven't a clue what you are talking about but thanks anyway, looks like i will have to get my 10-year-old granddaughter to sort it out for me
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 23/08/2009 at 5:41:33PM
Total Posts: 1691
|
jj2 wrote:
> many thanks all, haven't a clue what you are talking about but
> thanks anyway, looks like i will have to get my 10-year-old
> granddaughter to sort it out for me
Sorry your post went a little off-topic :¬)
The answer you were looking for was posted a while back:
Eccles(Freeola):
Page protection/user control is coming but there is no time scale yet.
Hmmm...
|
|
|
|
Hmmm...
"Are you sure?"
Moderator on 23/08/2009 at 5:42:41PM
Total Posts: 1691
|
Garin wrote:
> Any news on that humble pie? Is it taking a long time to bake??
lol :¬)
I was thinking the same...
Hmmm...
|
|
|
|
LukeM
"Imperfection"
Staff on 24/08/2009 at 2:32:22PM
Total Posts: 70
|
|
I haven't even bothered looking into this over the weekend. You can see me eat humble pie in the fact I could not reverse engineer it, but not in the fact it cannot be cracked: I could simply make a PHP script to loop from AAAAAAAA to ZZZZZZZZ using your hashing algorithm (converted to a PHP version) and have a result pretty soon. There will be many ways of getting to the number 56095, which is the number hash of your password.
I just cannot be bothered to code the loop through from AAAAAAAA to ZZZZZZZZ, so I never touched it.
|
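An added example, not part of any post in this thread and not the script used in the demo: it shows why a small numeric hash stored in a client-side gate is matched by many different strings, which is the limitation the posts above describe. The hash function `toyHash`, the 16-bit output range and the password "cake" are all constructed for the illustration.

```javascript
// Toy 16-bit hash, constructed for this example; it is NOT the script from the thread.
const MOD = 65536;
function toyHash(s) {
  let h = 0;
  for (const ch of s) h = (h * 31 + ch.charCodeAt(0)) % MOD;
  return h;
}

// Average number of passwords of exactly `length` characters per hash value.
function expectedPreimages(alphabetSize, length, outputs = MOD) {
  return alphabetSize ** length / outputs;
}

// List every string of up to maxLen characters from `alphabet`
// whose hash equals `target`. The hash is carried down the recursion
// so each candidate costs one multiply-add.
function preimages(target, alphabet, maxLen) {
  const found = [];
  const walk = (prefix, h) => {
    if (prefix.length > 0 && h === target) found.push(prefix);
    if (prefix.length === maxLen) return;
    for (const ch of alphabet) {
      walk(prefix + ch, (h * 31 + ch.charCodeAt(0)) % MOD);
    }
  };
  walk("", 0);
  return found;
}

const LOWER = "abcdefghijklmnopqrstuvwxyz";
const stored = toyHash("cake"); // constructed password; only its hash ships to the browser
const accepted = preimages(stored, LOWER, 4);
console.log(`hash ${stored} is matched by ${accepted.length} short strings:`, accepted);
console.log("8-letter uppercase passwords per hash value:",
            Math.floor(expectedPreimages(26, 8)));
```

The check in the browser cannot tell these strings apart, so the gate's strength is bounded by the size of the hash output, not by the length of the password the owner chose.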
|
|
|
LukeM
"Imperfection"
Staff on 24/08/2009 at 2:34:29PM
Total Posts: 70
|
|
But anyway, as you say for small things JS can suffice, but it is never as secure as a back end solution as I am sure you would agree Hmmm...
|
|
|
|
Garin
"Devil in disguise"
Regular on 24/08/2009 at 4:40:54PM
Total Posts: 2074
|
|
Looks like somebody's humble pie tasted very bitter. :P
|
|
|
|
LukeM
"Imperfection"
Staff on 24/08/2009 at 5:52:48PM
Total Posts: 70
|
|
|
|
|
 |
|
|