Password protected pages.



I tried to send this message directly, but I'm not sure what to do with a
hostname like this one!  (Perhaps the '}' is an ISO-Latin character?)

550 ottsmtp.}.esc.lmco.com (tcp)... 550 Host unknown
554 <EHAMILT@ottsmtp.}.esc.lmco.com>... 550 Host unknown (Authoritative answer from name server)

Subject: Re: Password protected pages?
In-Reply-To: <31F3A3FE@monsmtp.esc.lmco.com>
Message-Id: <Pine.ULT.3.93.960723101936.14130B-100000@hummingbird.whiteshell.com>
X-Url: http://www.whiteshell.com/jacob
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> 1.   My understanding is that some Java code can be hidden from the viewer 
> via the "View Source" option (i.e., selecting "View Source" will not reveal 
> it).  This does not necessarily mean that people can not "capture" this 
> code, it just means that they can not easily view it from the "view source" 
> (in Netscape).

This is true; you can write Java code that will make it at least a pain to
see what's behind it - however, Java is not HTML, and there's no way to
"compile" HTML to get the same effect.  I expect the person who originally
asked the question was simply interested in protecting his technique from
duplication - to me, that's misguided; protect your content.  HTML is
pretty trivial to "reverse-engineer" just by looking at the results
anyway, and letting people see how you do things helps grow the web!

> 2.   I am not too familiar with a server's authentication scheme, but if 
> pages x, y, and z exist and x requires a password to access (and contains 
> two links to y and z), can I not just bypass it by making a bookmark at page 
> y and/or z within the secured area and then jumping directly to that page? 
>  Sure I need the password once, but once I know where these pages are 
> located, can I not access them?  Certainly in some security implementations 
> you can do this (I have done this before).

It depends on the server, as the respondent declared - you really need to
check your server's security system to find out how to set up protective
passwords.  Now, it is true that if someone built their own FORMs-based
password system, there could easily be many ways around it, but
server-controlled password protection is usually pretty secure.  In the
CERN/W3C server and NCSA, for instance, password-protecting a directory
(i.e., a page) protects all subdirectories as well; it's not a matter of
knowing where those pages are - even if you have the correct URL, you'll
need to log in to a subpage the same way you would log into the top-level
page.

Jacob Rose                      "The truth is where the sculptor's
jacob@whiteshell.com             chisel chipped away the lie."
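
An added illustration (not part of the original message, and not CERN or NCSA server code): a minimal Python WSGI sketch of server-enforced Basic authentication on a directory, where the check runs on every request under the directory, so a bookmarked URL for page y or z is answered with 401 just like page x. The directory name, realm, user table and function names are assumptions constructed for the example.

```python
import base64
import hmac
import posixpath

# Constructed sample values (assumptions, not from the message).
PROTECTED_DIR = "/secure"
REALM = "Members"
USERS = {"alice": "correct horse"}

def credentials_ok(header):
    """Validate an 'Authorization: Basic ...' header value against USERS."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # Constant-time comparison; unknown users still go through a comparison.
    same = hmac.compare_digest(password.encode(), (expected or "").encode())
    return same and expected is not None

def protect_dir(app):
    """WSGI middleware: every request under PROTECTED_DIR must authenticate."""
    def wrapped(environ, start_response):
        # Normalise first so '//secure/./y' cannot slip past the prefix test.
        path = posixpath.normpath("/" + environ.get("PATH_INFO", "").lstrip("/"))
        inside = path == PROTECTED_DIR or path.startswith(PROTECTED_DIR + "/")
        if inside and not credentials_ok(environ.get("HTTP_AUTHORIZATION")):
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", f'Basic realm="{REALM}"')])
            return [b"Authorization required\n"]
        return app(environ, start_response)
    return wrapped

def pages(environ, start_response):
    """Stand-in content handler for pages x, y and z."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("page " + environ["PATH_INFO"]).encode()]

def status_for(path, auth=None):
    """Call the protected app directly and return the status line."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if auth:
        token = base64.b64encode(auth.encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    protect_dir(pages)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

A forms-based gate that checks the password only when page x is requested has no equivalent of the `inside` test on pages y and z, which is why a bookmark gets around it.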