 |
||||
|
Password
Protection
(ver ) Demos
How-to Cautions Issues
BUY IT
Discontinued. This page is online only as Help for current users.
Compatible with DW4 and UD4 ONLY
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
For the new, and much improved version, compatible with DWMX, MX2004, and likely DW8, please go here.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
As you know, password protection schemes using javascript are notoriously easy to break through. They all require pattern matching which can be easily defeated simply by looking at the Page Source in any browser.
Unlike other javascript password techniques, this one employs not only simple but quite effective protection. This new extension DOES use javascript, but DOES NOT employ pattern matching, so can not be broken. Well at least no more than any other password system can be broken (except by true hackers, from whom even the Pentagon is not secure). Peeking at the Page Source will NOT reveal any passwords! (If you don't believe this, just try looking at the Source of THIS page for the demos just below.)
What this behavior is doing is allowing a friendly way for your users to enter a hopefully obscure folder and or file name! It is the obscurity of these names that really determines how safe you are making your files.
| Demos : |
To
demonstrate what the user gets to see, try these:
Protecting
a folder, you ask for only a UserID (My server does not allow
directory listing, so I've borrowed a client's site, with permission,
for this demo. After you give up trying to break in, the UserID is
3je9ua4 )
Protecting a folder and a file within it, you ask for both the UserID (folder name) and the Password. After you give up trying to break in, the UserID is sears2t4w and Password is contactus
Protecting a file within the current folder, you ask for only the Password (file name minus its extension) After you give up trying to break in, the Password is mock_file4r2 which is an empty javascript file for download, you need not actually bother downloading it.
Protecting just the file within another folder, you ask for only the Password (file name minus its extension) After you give up trying to break in, the Password to this treasure map is mock_img339
| How-to: |
This
cross-browser compatible behavior can be applied to any linked
element on your page. Typically it is best to use a null link like "javascript:;"
to prevent the page from jumping to the top when the element is clicked.
Do NOT make the mistake of creating a link to your protected page. Just
a null link:
When the user clicks on the link, she will be presented with a simple popup box. You get to decide whether she will be required to enter a UserID, a Password, or both, before she can gain access to the protected files.
So what makes this protection scheme different?| Password | = | Actual filename of the file you are protecting (minus its extension) |
|
||
| UserID | = | Actual foldername where that file resides |
In its simplest form, a UserID (foldername) is not even required if you simply keep your protected file right in the current folder. Only a Password (the file name minus its extension) will then be required for access. In this case you would want to be sure to give your file a really tricky name (which will be its Password), like "4si8je1k.htm" .
To organize your files better, you may want to place your protected files in a folder just below the current folder. Name this folder, or the files within it, as simply or as obscurely as you wish, with names as simple as "auntmaggie" to as obscure as "4si8je1k" . Just be sure that either the folder name (the UserID) and/or the file name (the Password) is hard-to-guess.
With this schema your files are safer than with any other known javascript-based technique. There is no password visible to a snooper of your page's Source. Without knowing how you've named your folders and files, a snooper can not get to your files. As stated earlier, this behavior simply creates a user-friendly interface for those with permission to access your protected files. Be sure to see below some additional steps you need to take to be sure a snooper cannot gain access to your directory tree.
The Behavior's Design Time Dialog:
Basic Users should leave the PassProtect popup location set to current folder (See the dialog above).
1) If you wish to require ONLY a Password and no UserID, then you would place your protected file right in the current directory. The Password is simply the the file name (minus its extension). That's it. You're done.
2) If you wish to require a UserID (+/- a Password), you should manually create the folder to be protected just below the current folder. The name of that protected folder will be the UserID. And if you wish to protect individual files in that folder, their file names (minus their extensions) will be their Passwords. (Of course you may have as many folders/UserIDs as you wish as well).
As an example, if the document-relative path to a file you wish to protect is:
protected_dir1/file1.htm
the UserID will be 'protected_dir1' and the Password will be 'file1'
It's as simple as that!There is one important caution to note, see below.
Advanced Users may optionally change the PassProtect popup location to a folder anywhere on the site or indeed on a foreign site.
1) If you wish to require a UserID (+ / - Password). As an advanced user, you may place the Password Protection popup in ANY folder on your site (or even on a remote site, with an absolute URL). You will then be protecting folders just below this one. To clarify, if the document-relative path to a file you wish to protect is:
../folder1/protected_dir2/file2.gif
you would place the PassProtect popup in folder1 and you would be protecting protected_dir2 (= the UserID) and within it, file2 (= the Password).
There is one important caution to note, see below.
2) If you decide to require ONLY a Password and no UserID, then you would place the PassProtect popup (actually the file 'vwd_PassProtect.htm') right in the folder along with the those files you wish to protect.
So in the above example, you would place the code right in protected_dir2 .
Possible
uses:
You
have multiple web design clients. With PassProtection you can
set up a hard-to-guess directory for each client and ask them to enter
this as a UserID. If your server allows directory listing, they will see
a list of all their files and can click on any of them. If your server
does NOT allow directory listing, you may include a default file, like
index.htm, which will open automatically when they enter their UserID.
This file may be the true index file for their site or may be a special
one in which you have added links to whatever files you wish them to comment
on. OR you may even use a separate server (by giving an absolute URL [http://......]
as the location for the PassProtect popup) that does allow listing
directory content. OR you may have them enter both the UserID (again,
folder name) AND a Password (again, file name) to access some specific
file. See the important cautions, below.
You wish to protect the download of files, for example when you sell software online. You can protect your files with either or both UserID and Password. You'll want to make to be sure and make the files names hard to guess so someone who has been given permission to download one file would not have an easy time guessing the names of the others. For example, I make both the UserID AND the Password hard-to-guess, like "3k9rij5rr" for the former and "MyNewExtension_hj4ehdfg.mxp" for the latter.
That's all there is to it!
| The Cautions : |
If you choose to ask for UserID (folder name) only, that is, to NOT also require entry of a Password (file name) then be aware that, assuming your server allows directory listing at all, the resulting list will include a link to the directory above the protected one. Unless you take one very simple step, simply clicking on that link will reveal the directory names (UserIDs) of ALL your supposedly protected directories.
The simple step to prevent this? Simply be sure to add to that directory a default index.htm (or default.asp or .php or whatever) which will open automatically instead of revealing the directory tree. To reiterate, make sure the folder which contains the PassProtection popup file (vwd_getpass.htm) has a default index file if you plan to opt for only UserID protection. If you are not sure, it is fine to place a default file in every folder on your site.
Also be aware that unlike server-side protection techniques, this one is not really adding any actual protection! What it is doing is allowing a friendly way for your users to enter a hopefully obscure folder and or file name! It is the obscurity of these names that really determines how safe you are making your files. In challenge tests performed by my beta testers, not once was a protected folder or file broken into. (Of course your results may vary. We are an equal opportunity screw-up.)
For
most situations this next will not be a major concern, but I want you
to be aware of it. Someone may innocently Bookmark the protected folder
or file. Then someone else could come along and access it from that computer.
If this is a concern to you, depending on what you are trying to protect,
it might be best NOT to use ANY client-side protection scheme. Server-side
protection is always to be preferred for really private stuff.
| Known issues : |
Version 2.2, which supports Frames, requires that the user mouse-click the Go button, as the Enter key is disabled.
No significant problems have yet been found. I will notify all users by email should any arise.
Please do not hesitate to ask for clarification of any aspect of this Behavior. All questions will be answered and may ultimately appear on this page as well.
I am ready to help you by writing javascripts, or that specialized Dreamweaver extension you've always wanted, on a contract basis. Just email me.