
I have a log-in web page that uses JavaScript for name and password validation. It works fine in Mozilla Firefox, but IE8 allows logging in without entering a name and/or password. It posts a script-restriction warning which, when you click on it, lets you choose to enable the JavaScript. That's fine except you can just bypass that step by clicking the Log In button on the web page and you're in. That's a big problem. So it's not running the JavaScript. That defeats the whole purpose of the page.

This (xhtml) form tag calls the JavaScript:

<form name="form1" action="TestAccess.htm" onsubmit="return butCheck_onclick()">

This input tag contains the log-in button:

<input type="submit" class="center" value="Log In" />

I need some kind of work-around so that I can fool IE into either running the JavaScript before loading the next page or some way of stopping the HTML from allowing the next page to load before it runs the JavaScript. But then why would I need the JavaScript if I could implement such restrictions in HTML? I hope I'm making sense. Thanks for any help you can give. ---Andy V.

Here's the JavaScript function I have:

<script type="text/javascript">
  // Checks the entered name and password against lists embedded in the page.
  // Runs from the form's onsubmit handler: returning false cancels the submit,
  // returning true lets the browser load TestAccess.htm.
  function butCheck_onclick()
    {
      var password = document.form1.password.value;
      var Name = document.form1.memName.value;
      var swFound = "NF";
      var valName = new Array();
      valName[0] = "Roland";
      valName[1] = "Korg";
      valName[2] = "Peavy";
      var valpassword = new Array();
      valpassword[0] = "123";
      valpassword[1] = "456";
      valpassword[2] = "789";
      for (var loop = 0; loop < valName.length; loop++)
        {
          if (Name == valName[loop])
            {
              swFound = "F";
              if (password != valpassword[loop])
                {
                  alert("Invalid password. Please enter a valid password.");
                  document.form1.password.focus();
                  document.form1.password.select();
                  return false;   // wrong password for a known name: cancel the submit
                }
            }
        }
      if (swFound != "F")
        {
          alert("Invalid last name entry. Please enter a valid last name.");
          document.form1.memName.focus();
          document.form1.memName.select();
          return false;   // name not in the list: cancel the submit
        }
      return true;        // name and password matched: allow the submit
    }
</script>
  • I hate to tell you this, but you've written code which does precisely what was featured on TheDailyWTF as a thing not to do: http://thedailywtf.com/Articles/So-You-Hacked-Our-Site!.aspx Seriously, don't send passwords to clients in plain text in your HTML. – aem Jul 24 '09 at 22:47

3 Answers


You should never do authentication on the client side. Always do your username/password check on the server side.

In your code, for example, all I would have to do is view the source of the page and copy/paste the username and password.

Or even just copy/paste the destination URL.

Furthermore, simply disabling JavaScript would clearly be enough.

The only validation you might do on the client side is determining (at registration time) if the entered values are of the right length, etc. (and duplicated on the server side).

EDIT: see The definitive guide to form-based website authentication for some good advice from SO users on website authentication.

Jonathan Fingland
  • This is very questionable. Yes - ultimately you need to have server-side checks and bounds but if you are trying to check a proper format then it's totally OK. – Bostone Jul 24 '09 at 22:45
  • @DroidIn.net: No, this is not. The question talks of *validation*. – EFraim Jul 24 '09 at 22:56

You can use this code:

<form name="form1" action="TestAccess.htm">
  <input type="button" class="center" value="Log In" onclick="butCheck_onclick()" />
</form>

function butCheck_onclick() {
  // do validation, returning false if something is wrong
  if (document.form1.memName.value == "" || document.form1.password.value == "") {
    alert("Enter user name and password.");
    return false;
  }

  // when all is good submit the form
  document.form1.submit();
  return true;
}

IMPORTANT notes:

  1. You force your users to have javascript enabled. Maybe this is not a problem in your project.
  2. Do you realize that anyone who does a "View source" will see the usernames and passwords?
daremon

What's the purpose of JavaScript-embedded passwords? As is, anyone can see these just by doing "View Source". But basically you need to return false not from within the for loop but after it, if your condition fails.

Bostone