The relevance of this question to my current work is that I am trying to implement a JavaScript password system:
----------------------------------------
PASSWORD SCRIPT
------------------
If a visitor wants to go to the password protected page, they must first enter the correct password on the previous page. (Note: The password is the protected filename without the .html ending.)
This method is secure as long as the person cannot find out the name of all the files on your server. Is it possible to stop them knowing the names of all the files on my server?
---------------------------------------
<BODY>
<SCRIPT LANGUAGE="JavaScript">
// Ask for the password, then navigate to the page whose file name matches it.
var password = '';
password = prompt('Please enter your password:', '');
if (password != null) {
  location.href = password + ".html";
}
</SCRIPT>
</BODY>
So my question is:
Is it possible for a website viewer to see all the filenames on my server? Perhaps to bring up some kind of index to see all the filenames on my server?
If so they would be able to crack this password system. Tragedy!
By the way - I know that server side is the way to go for security - but just humour me. I am trying to do it with JavaScript.
Would really appreciate some advice. Thanks guys.
Is it possible for a website viewer to see all the filenames on my server? Perhaps to bring up some kind of index to see all the filenames on my server?
If anyone can answer this I would be so grateful.
Javascript can direct to those pages outside the directory.
Talk to someone who specializes in web-server administration to set you up.
Good luck!
However, as you know, using Javascript is not secure, so if you disable Javascript on your browser your page becomes unprotected. In the same way, search engine spiders don't read Javascript, so (assuming all the pages are linked to each other) a spider can build a complete list of pages. A user can then type
site:http://www.example.com/ into Google and obtain the full list once your site has been indexed.
So, if I do not have a page called index.html then I am vulnerable? Is this what you mean? And if I do have a page called index.html - then I am covered? They cannot use the index.html file to find out what files are in my directory? Because I have already taken up the index.html option.
------
Do you know any resources that discuss disabling indexing on a web site? How would a user even go about indexing a site and finding all the filenames on it? I don't actually know how it is done - I just heard that it can be done (if indexing is not disabled).
-------
If I have two directories - I have my protected content in its own directory. When I link to web pages in this protected directory from my login page - do I need to put the path mentioning the name of the protected directory? So, then they will know the name of my protected directory by looking at the source code for the login page.
-------
I am not going to get my site indexed by any search engines (well, not these components of the site anyway - will have a bit of cloaking going on). So I guess I don't have to worry about the Google issue.
Thanks a lot guys. I am so sorry for being a bit slow on the uptake. But I am a bit new to this kind of thing.
[widgets.com...]
[widgets.com...]
If you see a list of file names, you need to act.
If your server is Apache running under Linux/Unix, adding an appropriate ignoreindex directive to the .htaccess may help.
But that still doesn't stop people visiting pages if they can find the name of it:
To properly protect resources that you want to restrict to specific visitors, think about serving the content via a CGI script. And that script has to check that the visitor is welcome -- the usual way is to check for a cookie you gave them when they supplied a valid password.
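
The cookie check described in the last post, sketched as an added example that is not part of the original thread or any poster's code: the server issues an HMAC-signed session cookie after a valid login and refuses every request that lacks one, so knowing a file name is never enough. The key handling, the 30-minute lifetime, the cookie name and the sample path are assumptions made for the illustration.

```python
import hashlib, hmac, os, time
from http.cookies import CookieError, SimpleCookie

SECRET_KEY = os.urandom(32)   # assumption: a real deployment loads a persistent secret
SESSION_TTL = 1800            # assumption: sessions last 30 minutes
PROTECTED = {"/members/report.html": "<h1>Members only</h1>"}  # constructed sample content

def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, now=None):
    """Build the Set-Cookie value handed out after the password was verified."""
    expires = int((now if now is not None else time.time()) + SESSION_TTL)
    payload = f"{user}.{expires}"
    return f"session={payload}.{_sign(payload)}; HttpOnly; Secure; SameSite=Strict; Path=/"

def authorised_user(cookie_header, now=None):
    """Return the user name for a valid, unexpired session cookie, else None."""
    try:
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        user, expires, sig = jar["session"].value.rsplit(".", 2)
        expires_at = int(expires)
    except (CookieError, KeyError, ValueError):
        return None
    expected = _sign(f"{user}.{expires}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None   # forged or tampered cookie
    if (now if now is not None else time.time()) >= expires_at:
        return None   # session expired
    return user

def handle_request(path, cookie_header, now=None):
    """CGI-style gate: returns (status, body) for a requested path."""
    # Authenticate first, so visitors without a session learn nothing about which names exist.
    if authorised_user(cookie_header, now) is None:
        return 403, "Forbidden"
    if path not in PROTECTED:
        return 404, "Not Found"
    return 200, PROTECTED[path]
```

Because the check runs on the server, disabling JavaScript, guessing a file name, or finding it in a directory listing does not bypass it.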