Search the web
Sign In
New User? Sign Up
BbshopWebGuild · Barbershop Webmasters Guild
  • Members Only
  • Post
  • Files
  • Photos
  • Links
  • Database
  • Polls
  • Members
  • Calendar
  • Promote
  • Groups Labs (Beta)
? Already a member? Sign in to Yahoo!

Yahoo! Groups Tips

Did you know...
Want to share photos of your group with the world? Add a group photo to Flickr.

Best of Y! Groups

   Check them out and nominate your group.
Having problems with message search? Fill out this form to ensure your group is one of the first to be migrated to the new message search system.

Messages

   Messages Help
Message #
Search:
Advanced
Publishing Chorus Roster on Password Protected Web Site   Message List  
Reply | Forward Message #561 of 912 |
RE: [BbshopWebGuild] Publishing Chorus Roster on Password Protected Web Site

Gary,
 
I looked at the actual script you got from DynamicDrive.com.  That technique is not a secure way to protect your information.
 
The script essentially converts your password from an alpha string to a hex string, and compares the hex value to the one stored in your script.  Any web visitor viewing the input screen that accepts your password can unravel this scheme.
 
Just View Source on your password page, and you'll see the script (it is javascript, after all).  Once you see the code, it is easy to reverse-engineer it.
 
In fact, you can even figure out the name of the target page (your roster page, phone tree, or other page) by examining the script.  It is VERY insecure.
 
A better solution would be to use a database of some kind to store the actual password.  You should never store the actual password, encrypted or not, in the actual html page. 
 
As webmaster of the Big Chicken Chorus, FREDquartet.com and a whole host of other websites, we use Microsoft ASP and server-sided scripting to provide this functionality.  Even without a database, you can store the password as a server-side variable and validate it.  The web viewer never sees the source code or the password - it's only stored internally on the server.
 
Then set a session variable to "keep it" in memory.  That way, all of the pages you want to protect can check the session variable to see if the user has signed in.  If not, every one of those protected pages is routed to the login screen.
 
If you'd like more information about these techniques, please let us know.
 
Steve Stern
Star-Tech Consulting
webmaster@... (and others)
 
 From: Gary Efron [mailto:garyefron@...]
Sent: Wednesday, May 12, 2004 1:08 PM
To: BbshopWebGuild@yahoogroups.com
Subject: [BbshopWebGuild] Publishing Chorus Roster on Password Protected Web Site

I am webmaster at the Paradise Valley Chapter at
www.cactuschordsmen.com. We have a password protected page that links
to our calling tree (both in Adobe Acrobat and MS WORD files), and our
weekly bulletin. I am using Dynamic Drive DHTML Scripts- Encrypted
Password script gotten at
http://www.dynamicdrive.com/dynamicindex9/password.htm. A member
suggested that I also put the chapter roster, which any SPEBSQSA
member can get for any chapter, on that password protected page.

My fear is that some robot will examine every page that it can harvest
for text that looks like email addresses, and use it for SPAM. I ran a
program called Webreaper that recreates a site that can be looked at
off-line. It was not able to find (or re-create) the password
protected page nor any of the files that page links to. Do you think
it is dangerous, in poor taste, or ethically incorrect to publish the
roster on the password protected page?

Chord-ially,
Gary Efron
webmaster@...
SINGgaryefron@...
Wed May 12, 2004 6:00 pm

Show Message Option
sstern@...
Send Email Send Email

Forward 		Message #561 of 912 |
Expand Messages Author Sort by Date

I am webmaster at the Paradise Valley Chapter at www.cactuschordsmen.com. We have a password protected page that links to our calling tree (both in Adobe... 		Gary Efron
eprom
Offline Send Email 		May 12, 2004
5:09 pm

We publish our roster on our password protected page. Jim Adams RTP General Assembly webmaster ... From: Gary Efron [mailto:garyefron@...] Sent: Wednesday,...
Jim Adams
jimadamsss
Offline Send Email 		May 12, 2004
5:29 pm

Gary, I looked at the actual script you got from DynamicDrive.com. That technique is not a secure way to protect your information. The script essentially...
Steve Stern
sstern@...
Send Email 		May 12, 2004
6:05 pm

Six months ago, Scott Hoge from Kenosha sent out a great package that integrates the chapter web site members-only function with the Society web site. That...
Phil Richards
pcr06897
Offline Send Email 		May 12, 2004
6:28 pm

At Big Chicken Chorus, the roster is developed dynamically out of the database, so it is never a static page. The members are charged with maintaining their...
Shelby Robert
srobert3_99
Offline Send Email 		May 12, 2004
6:15 pm

Additionally, we run a commercial site that issues a password to each user and tracks and reports everything they download. Overkill for a chapter, but you...
David M. Dantowitz
david@...
Send Email 		May 12, 2004
9:48 pm

Even ASP security, although significantly better than the JavaScript method, is still not always the best either. I prefer to password protect the directory...
Daniel Garcia
padrino_yh
Offline Send Email 		May 12, 2004
6:22 pm

Here in Northbrook, I protect the members only website with phpSecurePages (http://www.phpsecurepages.com/). We use the SPEBSQSA RPC to check passwords -- this...
Mike Saeger
devmrs
Offline Send Email 		May 12, 2004
6:53 pm

I'd be interested in seeing sample code for all that Mike, any chance you can do that? Bruce Checca...
Bruce Checca
bchecca1
Offline Send Email 		May 12, 2004
8:21 pm

One other element to consider is that you may not wish to publish information on members who are minors. You may also wish to get a written approval from each...
David M. Dantowitz
david@...
Send Email 		May 12, 2004
9:56 pm

Hi Bruce. I'd be happy to share anything I just need to understand what you want to do and how I can help. If your website is running on Apache and has PHP and...
Mike Saeger
devmrs
Offline Send Email 		May 12, 2004
9:33 pm

re: http://www.dynamicdrive.com/dynamicindex9/password.htm If you have the ability to hide a password behind a CGI or use the password protection feature of...
David M. Dantowitz
david@...
Send Email 		May 12, 2004
9:45 pm

I've got a pretty good solution on the Green Bay chapter web site (http://www.baylanderchorus.org/). I wrote a script that downloads the roster data from the...
Scott Crevier
ScottCrevier
Offline Send Email 		May 12, 2004
11:00 pm

First, Scott, can you share the script that does the daily update? I wrote a script that takes information from the FORMATTED roster that you can get on the...
Christopher Pomasl
pommie_cj
Offline Send Email 		May 13, 2004
12:04 am

Christopher, it sounds like you're in the same position as us. We also wanted to keep track of voice part. The roster updater that I wrote is available at: ...
Scott Crevier
ScottCrevier
Offline Send Email 		May 13, 2004
12:19 am
< Prev Topic  |  Next Topic >
Message #
Search:
Advanced
Copyright © 2009 Yahoo! Inc. All rights reserved.
Privacy Policy - Terms of Service - Guidelines - Help