I have a hyperlink like this:

<A Href=My_Java_Servlet?User_Action=Admin_Download_Records&User_Id=Admin onClick=\"Check_Password();\" target=_blank>Download Records</A>

When a user clicks on it, a password window will open; the user can try 3 times for the right password.

The JavaScript looks like this:

<Script Language="JavaScript">
  function Check_Password()
  {
    var testV=1;
    var pass1=prompt('Password','');
    while (testV<3)
    {
      if (!pass1) history.go(-1);
      if (pass1=="password") { return true; }
      testV+=1;
      var pass1=prompt('Access Denied - Password Incorrect.','');
    }
    return "false";
  }
</Script>

If the user enters the wrong password 3 times, it's supposed to not do anything, but it still opens a new window and displays the protected info. How do I fix the JavaScript or my HTML hyperlink so only the right password will open a new target window, and a wrong password will make it do nothing?

A: 

Why are you returning "false" instead of false?

Geo
+1  A: 

You might want to try returning false rather than "false".

However, you might be better off doing this kind of thing on the server, as I'd imagine all but novice users will know how to "copy link address" and paste this into their address bar.

David Kemp
+11  A: 

Clientside JavaScript is perhaps the worst possible way to provide "security". Users can just view the source to see all of your passwords, or just disable JavaScript altogether. Do not do this.

swilliams
+7  A: 

Other people have answered your question with the true/false return value, but here are some of the problems with the whole idea of checking the password in JavaScript on the client:

  1. Your javascript source is freely readable by anyone downloading the page - thus showing them the password needed to view the page.

  2. If they don't have javascript enabled then they'll just go straight to the page without getting the javascript prompt.

  3. They could always just copy the link and paste it into their address bar to bypass the password protection. They could also just middle-click the link (which should open it in a new tab/window depending on their browser.)

Even on a private/intranet-only application this would be a laughable security method. :) Please consider redesigning it so that the password is checked on the server-side portion (like when someone attempts to access the servlet, it would render a password box and then post that password back to the server and then allow/deny access).

Lance McNearney
Seriously, the people trying to help fix the script are like a parent showing a child exactly how to stick a knife into the electrical outlet...
swilliams
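The server-side check recommended in the answer above, as an added example that is not part of the original thread. It is written in JavaScript (Node.js) rather than as a servlet; `handleDownload`, the `session` object, the status codes and the sample secret are assumptions made for illustration.

```javascript
// Added example: the allow/deny decision is made on the server, so copying the
// link, middle-clicking it or disabling JavaScript cannot skip the check.
const crypto = require('crypto');

const MAX_ATTEMPTS = 3; // same limit the question uses, but enforced server-side
const SALT = crypto.randomBytes(16);
// Constructed sample secret; a real deployment loads a stored salt and hash
// from configuration instead of hashing a literal at start-up.
const STORED_HASH = crypto.scryptSync('constructed-sample-secret', SALT, 32);

function passwordMatches(candidate) {
  if (typeof candidate !== 'string') return false;
  const hash = crypto.scryptSync(candidate, SALT, 32);
  return crypto.timingSafeEqual(hash, STORED_HASH); // constant-time comparison
}

// req: { method, body } as parsed by the server (hypothetical shape).
// session: server-side state keyed by the session cookie; the browser never
// sees or edits it. Returns the status and body the server would send.
function handleDownload(req, session) {
  if (session.authorized) return { status: 200, body: 'records' };
  if ((session.failures || 0) >= MAX_ATTEMPTS) {
    return { status: 429, body: 'locked' }; // no further guesses accepted
  }
  if (req.method !== 'POST') {
    // A plain GET (pasted link, new tab) only ever gets the password form.
    return { status: 401, body: 'password form' };
  }
  if (passwordMatches(req.body && req.body.password)) {
    session.authorized = true;
    session.failures = 0;
    return { status: 200, body: 'records' };
  }
  session.failures = (session.failures || 0) + 1;
  return { status: 401, body: 'password form' };
}
```

The records are only ever written to the response on the two `200` paths, so nothing the browser does with the link changes the outcome.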
A: 

Yes, great advice, I'll check it on the server side, thanks folks!!!

Frank