hwg-techniques archives Aug 2000 new search results previous next

Re: Implementing Password Protection on a Unix hosted web site.

by "John Murray" <jmnc(at)lis.net.au>

 Date:  Fri, 11 Aug 2000 08:53:38 +1000
 To:  <ideas(at)creativegenius.ca>
 Cc:  <hwg-techniques(at)hwg.org>
 References:  achilles
  todo: View Thread, Original 
Perl script that looks up from a file username and pasword pairs, call the
perl script from a form, have some code in the script which changes the
password submitted to check against the password as recorded in the text
file of username/pasword pairs ... it's not rocket science, and I'm sure
NASA has a whole heap of other processes they can lie between the password
submission and any other processes that the user gets to use once they have
provided their password but ....

Make sure you have a heap of script names in your script folder. Call the
password lookup 234bhg4.pl and call a bogus script "passwordcheck.pl" that
returns when hit "Welcome - we have a thorough password system - Please
eneter your password". This bogus script then just returns "Now re-enter for
time number 2" - just keep iterating the process and incrementing the times
through.

234ghg4.pl takes a password, adds a number to it which you have to keep
constant or change the passwords in the actual password file at the same
time as you change the number. That is If I have a password 2468 and the
shift number is 13 then the paswword file will have 2481 as my password.

You make the numbers a little longer, and you can get fancier on your
encryption.

Then you can embody in the returned form heaps more hidden values that are
needed to make a script run that takes the user deeper into your datafiles.
You know, a <input type="hidden"> that is datetime stamped by the server,
and when the form that is the next step the user wants to take is submitted
test to see if time is more than 5mins - if it is - password again.

Maybe this is too simple for what you need. It's what I use. I've often
wondered what I was missing out on by doing this myself and delving into
other levels of it. I have a virtual website only though.

When I think it through, I find that I come to the conclusion that other
levels of security can only be variations of what I have put above here. I
mean, you have to compare something against something to say yes or no to a
request.

John

----- Original Message -----
From: <ideas(at)creativegenius.ca>
To: <hwg-techniques(at)hwg.org>
Sent: Friday, August 11, 2000 6:03 AM
Subject: Implementing Password Protection on a Unix hosted web site.


> Greetings List:
>
> We have a client who's site will be hosted on a UNIX server.  They wish to
> password protect access to a particular page on this site.  In the past if
> we have been asked to provide this feature we have used Coffee Cup's
> Password Wizard which uses a .class file and encrypted HTML code.
>
> Any ideas ?
>
> Thanks
>
>
>
>
> Simon Rolfe
> Creative Genius Communications
> www.creativegenius.ca
> (613) 566-5506
>
>

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA