I'm trying to create a login page and am having a few issues. Firstly, while the JS alerts on a wrong password, with the correct password it doesn't redirect to the secure page. Second, I feel like having the password in the JavaScript isn't really secure against anyone who knows how to view the source code of my site, so what would be a better way to hide this password? (It will be the same for all users attempting to access the page.)

HTML:

<div id="container">
<div class="login">
<div class="login_side">
    <div class="login_inside">
    <h2>LOGIN</h2>
    <p>&nbsp;</p>
    <p><a href="../index.html">Go Back</a></p>
    <p><a target="_blank" href="Contact.html">Contact Us</a></p>
    </div>
</div>
<form>
    <label>Password</label>
    <input type="Password" name="password" id="password" />
    <input type="submit" value="Submit" name="submit" class="submit" onclick="LogIn()" />
</form>
</div>
</div>

JavaScript:

function LogIn(){
var loggedin=false;
var pass="";
pass = document.getElementById("password").value;
pass=pass.toLowerCase();
if (pass=="login") { 
    loggedin=true;
    window.location.assign("TrainingSecured.html");
}
if (loggedin==false) {
    alert("Invalid login!");
}
}

JSFiddle: http://jsfiddle.net/cc7EV/

  • yeah so storing your pass in the javascript is a big no-no, send the info to a server and validate it there – Kevin L Aug 01 '14 at 20:34
  • Your `loggedin` variable is pointless. once you actually do manage to redirect to your new page, this page and all of its "state", including your `loggedin` variable, will no longer exist. – Marc B Aug 01 '14 at 20:36
  • JavaScript is no good for authentication without some server side handling, you're storing your password(s) in plain view of the public. – Wobbles Aug 01 '14 at 20:37
  • First rule in web development: JavaScript is never secure. So is everything on the client side. – Derek 朕會功夫 Aug 01 '14 at 20:40
  • Okay, so what would be the best way to handle this server side? – xmaslightguy Aug 01 '14 at 20:41
  • Are you able to use something like [Node.js](http://nodejs.org/), [PHP](http://php.net/), [Ruby on Rails](http://rubyonrails.org/), or something similar? If you're on a free web host, this may not be possible. – Fengyang Wang Aug 01 '14 at 20:43
  • I think I can try to learn. This doesn't have to be all that secure, so simple is best. – xmaslightguy Aug 01 '14 at 20:44
  • PHP is pretty easy to jump into, just post your form data to a PHP file and if you want simple just do a ` HTML code of page here ` – Wobbles Aug 01 '14 at 20:46
  • This may help: http://bitmonger.blogspot.com/2012/07/six-simple-rules-for-secure-storage-of.html It isn't the answer to your question, but it is an important list of things to think about. Concerning "doesn't have to be too secure," do not forget that people reuse passwords. You owe a duty of care to others, as well as to your own application. – Bob Brown Aug 01 '14 at 20:48
  • @xmaslightguy If you're new to this, start with the basics. Here is good reference: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication – Sid Aug 01 '14 at 20:49
  • A "simple" (but very insecure) way of doing it would be to name the file "secure-pa55w0rd.html". Use this *only* if your web host does not allow a server-side solution. – Fengyang Wang Aug 01 '14 at 20:49
  • Well I use godaddy, so does that offer or prevent any of these solutions? – xmaslightguy Aug 01 '14 at 20:53
  • @BobBrown There isn't a username or database involved. I will determine the password and hand out the same one to each of my customers – xmaslightguy Aug 01 '14 at 20:54
  • You'll still need to store the password someplace. As others have explained, you cannot trust client-side code. And if you pick the password, be prepared to handle lot of "lost password" inquiries. You really should think about username/password combination unless you can count the users on one hand. – Bob Brown Aug 01 '14 at 21:00

1 Answer

You should never save the authentication data in a JavaScript file.

The best way to authenticate a user is to use a database at the backend. Passwords should never be saved in plain text, because if a hacker gets access to your computer, he could easily read them. That's the reason why hashing algorithms exist. (The strongest ones are bcrypt & scrypt. Most other hashing algorithms, like the message-digest algorithms, have security flaws and can be broken.) The trick here is that you modify the password with a random salt, so you can't read the real password which is stored in the database.

If you think that is maybe too much work, have a look at basic access authentication. (Sorry, I can't post another link. I don't have much reputation.)

But you should not forget to use a secure connection to the server. (See man-in-the-middle attack.)