security:
password-protecting private documents

I don't have access to my web server's configuration files or the cgi-bin directory. How can I use JavaScript to ask for a password for private documents?

When you can't configure the web server that is serving your pages, and you don't have access to the server's cgi-bin directory, most of the time the only remaining option for restricting access to your documents is what I call PPP -- the "Poor-man's Password Protocol." (Who says PPP has to stand for "Point-to-Point Protocol"? :-)

In PPP, the password required to access a private document is embedded in its URL. Since the URL is required to access the document, keeping the URL secret is an effective way to prevent unauthorized access to the document.

Of course, if you are going to use PPP to protect certain pages, then you can't directly link to those pages from your unprotected pages, since that would reveal the URL. You should also disable directory browsing. You can probably do this even if you don't have access to your server's configuration files.

For example, suppose we have a public page, located at

http://mysite.com/~MyAccount/home.html,

and a private page, located at

http://mysite.com/~MyAccount/xyzzy.html.

People will not be able to access the private page unless they know its URL. Thus, as long as we keep the URL secret, and other users can't browse our directories, our secret page will be protected from unauthorized access. Of course, this also means that we can't include links to the private page from our public page, since that would give away the secret URL.

However, not all of the private URL needs to be kept secret. The first part, "http://mysite.com/", is certainly no secret; neither is the last part, ".html". So why don't we use JavaScript to ask for only the secret part of the private document's URL? If we can do this, then we can also link our public document to the private document without revealing the private document's URL.

This is easy to do. First, we include a special function called load_private_page in the header of home.html. The purpose of this function is to ask the user for a password (the secret portion of the private page's URL), and then to combine it with the public portions of the URL and load the private page. The following HTML/JavaScript code shows one implementation of the load_private_page function:

<html>
 <head>
  <script>

function load_private_page
	(	// Parameters:
		prefix, // non-secret portion of
			// URL before the password
		postfix // non-secret portion of
			// URL after the password
	)
{
	// Get secret portion of URL from user
	// (prompt returns null if the user cancels):
	var password = prompt ("Access to this page is restricted. " +
		"Please enter access code:", '');
	if (password === null) return;

	// Construct entire secret URL using
	// secret and non-secret portions:
	var secret_URL = prefix + password + postfix;

	// Load the secret document:
	document.location.href = secret_URL;
}

  </script>
 </head>
 <body>
.
.
.
(main document body, including links to public and private pages)
.
.
.
 </body>
</html>

How do we code the hyperlinks to private pages? They should be coded as calls to the load_private_page function. Did you know you can place JavaScript code in the href field of a hyperlink? Do it like this:

<a href="javascript: load_private_page ('http://mysite.com/~MyAccount/', '.html');">
 private page
</a>

When users click on hyperlinks like this, the load_private_page function will ask the user for the private portion of the private document's URL. Then, the user's input will be combined with the public prefix,

http://mysite.com/~MyAccount/

and the public postfix,

.html

to form the complete secret URL. If the user has entered the correct password (xyzzy), he will receive the requested page:

http://mysite.com/~MyAccount/xyzzy.html

If he gets it wrong (idontknow), his browser will attempt to load a document that doesn't exist:

http://mysite.com/~MyAccount/idontknow.html

In this case, the server will probably return a "document not found" error.
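
The following JavaScript is an added example, not part of the original article. Since the only protection in this scheme is how hard the secret part of the filename is to guess, it picks that part at random instead of using a word such as xyzzy, and it builds the URL from the prompt input with cancel handling and encoding. The names generateAccessCode, guessSpaceBits, buildPrivateUrl and loadPrivatePage are assumptions introduced here.

```javascript
// Added example; all function names are hypothetical, not from the article.

// Choose the secret filename part at random. The private page is then saved
// under this name (e.g. <code>.html). rng defaults to the Web Crypto object
// found in browsers and recent Node.js versions.
function generateAccessCode(nBytes = 16, rng = globalThis.crypto) {
  const bytes = new Uint8Array(nBytes);
  rng.getRandomValues(bytes);
  // Hex output is safe both as a file name and inside a URL path.
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Size, in bits, of the space someone must search to guess a code chosen
// uniformly at random. A dictionary word is weaker than this figure suggests.
function guessSpaceBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Combine the public and secret URL parts. Returns null when there is
// nothing to load (prompt cancelled, or input empty after trimming).
function buildPrivateUrl(prefix, code, postfix) {
  if (code === null || code === undefined) return null;
  const trimmed = String(code).trim();
  if (trimmed === '') return null;
  // Encode the input so "/", "?", "#" or spaces stay inside one path segment.
  return prefix + encodeURIComponent(trimmed) + postfix;
}

// Browser glue, used from a link the same way as load_private_page.
function loadPrivatePage(prefix, postfix) {
  const code = prompt('Access to this page is restricted. ' +
    'Please enter access code:', '');
  const url = buildPrivateUrl(prefix, code, postfix);
  if (url !== null) window.location.href = url;
}
```

A five-letter lowercase code gives guessSpaceBits(5, 26), about 23.5 bits at best, while the default 16-byte code gives guessSpaceBits(32, 16), which is 128 bits.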

And there you have it, ladies and gentlemen: "Poor-man's Password Protection!"

Charlton Rose
11/30/96