Password protected pages.
I tried to send this message directly, but I'm not sure what to do with a
hostname like this one! (Perhaps the '}' is an ISO-Latin character?)
550 ottsmtp.}.esc.lmco.com (tcp)... 550 Host unknown
554 <EHAMILT@ottsmtp.}.esc.lmco.com>... 550 Host unknown (Authoritative answer from name server)
Subject: Re: Password protected pages?
In-Reply-To: <31F3A3FE@monsmtp.esc.lmco.com>
Message-Id: <Pine.ULT.3.93.960723101936.14130B-100000@hummingbird.whiteshell.com>
X-Url: http://www.whiteshell.com/jacob
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
> 1. My understanding is that some java code can be hidden from the viewer
> via the "View Source" option (i.e., selecting "View Source" will not reveal
> it). This does not necessarily mean that people can not "capture" this
> code, it just means that they can not easily view it from the "view source"
> (in netscape).
This is true; you can write Java code that will make it at least a pain to
see what's behind it - however, Java is not HTML, and there's no way to
"compile" HTML to get the same effect. I expect the person who originally
asked the question was simply interested in protecting his technique from
duplication - to me, that's misguided; protect your content. HTML is
pretty trivial to "reverse-engineer" just by looking at the results
anyway, and letting people see how you do things helps grow the web!
> 2. I am not too familiar with a server's authentication scheme, but if
> pages x, y, and z exist and x requires a password to access (and contains
> two links to y and z), can I not just bypass it by making a bookmark at page
> y and/or z within the secured area and then jumping directly to that page?
> Sure I need the password once, but once I know where these pages are
> located, can I not access them? Certainly in some security implementations
> you can do this (I have done this before).
It depends on the server, as the respondent declared - you really need to
check your server's security system to find out how to set up protective
passwords. Now, it is true that if someone built their own FORMs-based
password system, there could easily be many ways around it, but
server-controlled password protection is usually pretty secure. In the
CERN/W3C server and NCSA, for instance, password-protecting a directory
(i.e., a page) protects all subdirectories as well; it's not a matter of
knowing where those pages are - even if you have the correct URL, you'll
need to log in to a subpage the same way you would log into the top-level
page.
Jacob Rose
jacob@whiteshell.com
"The truth is where the sculptor's chisel chipped away the lie."
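The difference described in the reply above, as an added example that is not part of the original message: a home-grown gate that asks for the password only on the entry page x, next to a check applied to every path under the protected directory. This is a simplified Python model, not the CERN/W3C or NCSA implementation; the paths, user name and password are constructed.

```python
import base64
import hmac
import posixpath
from urllib.parse import unquote

# Constructed sample data: one protected directory, one user (plaintext only for the demo).
PROTECTED_DIRS = ["/secure"]
USERS = {"alice": "s3cret"}

def normalize(path):
    """Decode and collapse the path so /%73ecure/ or /public/../secure/ still match."""
    return posixpath.normpath("/" + unquote(path).lstrip("/"))

def credentials_ok(auth_header):
    """Validate an HTTP Basic Authorization header against USERS."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def login_page_gate(path, auth_header):
    """Home-grown scheme: only the entry page x asks for the password."""
    if normalize(path) == "/secure/x.html":
        return 200 if credentials_ok(auth_header) else 401
    return 200  # y.html and z.html are served to anyone who has the URL

def directory_gate(path, auth_header):
    """Server-style scheme: every request under a protected directory is checked."""
    p = normalize(path)
    for d in PROTECTED_DIRS:
        if p == d or p.startswith(d + "/"):
            return 200 if credentials_ok(auth_header) else 401
    return 200  # outside the protected tree

if __name__ == "__main__":
    good = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    for url in ["/secure/x.html", "/secure/y.html", "/secure/sub/z.html", "/index.html"]:
        print(url, login_page_gate(url, None), directory_gate(url, None),
              directory_gate(url, good))
```

The prefix test compares against `d + "/"` so that a sibling such as `/securely/` is not treated as part of the protected tree.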