Creating a Self-Changing Hyperlinked Text Ad

Simple Password Checking

The simplest technique for making a site password-protected with JavaScript is simply to request a password, verify it, and then allow the visitor to pass if the password is correct. The following example demonstrates this technique, and is illustrated in Figure 18.1. The file name of this example is Bad_Checking.html.

 <html>   <head>     <title>          Password Protected Site      </title>     <script language="JavaScript">      <!--          function verifyPassword( word )           {             return( word == "sesame" );           }       -->       </script>    </head> <body>   <form action="Continue.html"               onSubmit="JavaScript: return(verifyPassword(this.password.value));">         Please enter your password:&nbsp;        <input type="text" name="password" size="20"><br>        <input type="submit" value="Submit">    </form>  </body> </html> 

Figure 18.1: A simple (but not very secure) password-protected site.

At first glance, this might seem like a viable solution to creating a secure Web site. Once the visitor clicks the Submit button, the form validates the given password. If the password is correct, the form submits to Continue.html; if the password is not correct, then nothing happens. Unfortunately there is a very big flaw in this plan—all the visitor has to do to break into your site is to look at the source for the page! The problem is compounded by the fact that the browser itself allows the visitor to view the page source.

This technique might prevent an average surfer from breaking into your site (actually, they woudn't be average; they'd have to be someone who had never seen a computer, let alone surfed the Web!), but would do little to prevent even the least knowledgeable cracker from breaking in. So the problem is not how to create a password-protected Web site, but how to keep the visitor from viewing the source.