Password Protection with a Slight Twist

[BooYaKaSha]

Hello -

I am working on my company's Website. We need a client review page, where clients can enter their unique password into a form field, and are directed to a page for them to review work we have done for them. What I need is a relatively simple password script to achieve this.

The catch is that we need to be able to uniquely identify our clients by their password, then based on that password, direct them to their appropriate page. Each client will be taken to a different page.

So far, the best option I have found is a free javascript called "gatekeeper" that I discovered here:

http://javascript.internet.com/passwords/gatekeeper-in.html

The script does not need to be airtight unbreakable, just reasonably secure. Will this script do what I need? Are there any concerns I should be aware of? Are there any better solutions?

Thank you very much for your help.

 

[EdwardMartinIII]

Here's a no-brainer "vaguely secure" method of separating client files: Set up a series of subdirectories for clients, based on alpha-numeric strings. So, if they want to go to your home page, it's

http://www.wangdoodle.com/

but for that client, their "password" is "7yhju89op", so you build a subdirectory of that name. If they want to review their work, send them to

http://www.wangdoodle.com/7yhju89op/

which is "reasonably" secure depending on how much acid you give your cat before she walks across the keyboard typing out the password list.

Heh, you could even give them a fancy little query window "Please type your password" and then compose the new path and route them from there. It'll look cool and they'll probably wonder how you managed to get their password to resolve into a URL!

Cheers,
Edward

"Cut a hole in the door. Hang a flap. Criminy, why didn't I think of this earlier?!" -- inventor of the cat door

 

[AdamBrill]

You can't make a javascript password that is secure(or even somewhat secure). Anyone can hit view->source and figure out what you are doing. The only way to make it secure is to use server-side. It is relatively easy to do with PHP, so, if your server supports it, that is what I would suggest.

 

[xutopia]

I have to say I agree with Adam on this one. PHP or Apache passwords are so easy to set up. Javascript cannot provide just-good-enough security.

There are plenty of flaws with the gatekeeper script and in security the strength of your chain is as good as the weakest link it contains. Don't depend on fake password protection. Use something real. Gary

http://www.xutopia.com

Haran

 

[BooYaKaSha]

Cool thanks for the advice.

I understand what you all are saying about security with Javascripting, but unfortunately I don't have enough time to learn PHP tonight. But I will look into it in the future.

For this purpose, the gatekeeper appears to be good enough -- we really don't care in the end if someone else gets access to it that really wants to, we just want to avoid posting it out in the open for the average Joe, and also to make the client feel better about it.

Thanks again.