IN MY ACTUAL SAMPLE PASSWORD-ENTRY SYSTEM PAGES
Two goals are achieved via this solution (over and above just having a special html page for each student OR page address hiding): (1) the History of THE page visited is NOWHERE, providing protection for the student from others using the same computer, and (2) the Final Destination page is not known to the student and, given the two intermediary pages one goes through first, the teacher may easily change the Final Destination page with NO difference in how students, using the SAME password, get there.
(ALL that MUST remain constant (as shown) is in BLACK PRINT; all that you MUST CHANGE **OR** MAY CHANGE is shown in Red OR Purple Print. ALL this script and html text, colored or uncolored, may be copied directly from this web page and Pasted into Notepad or SimpleText to edit or create the needed files.)
ALL THESE PROCEDURES DESCRIBE CHANGES YOU MUST MAKE TO THE FILES IN THE ZIP FILE (you obtained via the link near the bottom of the referring web page); MOST of the changes are one-time and other code varies VERY little from instance to instance -- making this system very quick and easy to use:
I. A. First, make the WHOLE html/javascript page, HomePageLeft-frameSource1.html, read as follows (this you make only one time and it never needs to be changed):
<html>
<head>
<script type="text/javascript">
var theVar;
var thePW2;
var anotherKey;
// (C) 2003 CodeLifter.com
// Source: CodeLifter.com
// Do not remove this header
// Set the message for the alert box
am = "This function is disabled!";
// do not edit below this line
// ===========================
bV = parseInt(navigator.appVersion)
bNS = navigator.appName=="Netscape"
bIE = navigator.appName=="Microsoft Internet Explorer"
function nrc(e) {
if (bNS && e.which > 1){
alert(am)
return false
} else if (bIE && (event.button >1)) {
alert(am)
return false;
}
}
document.onmousedown = nrc;
if (document.layers) window.captureEvents(Event.MOUSEDOWN);
if (bNS && bV<5) window.onmousedown = nrc;
function FP_changeProp() {//v1.0
var args=arguments,d=document,i,j,id=args[0],o=FP_getObjectByID(id),s,ao,v,x;
d.$cpe=new Array(); if(o) for(i=2; i<args.length; i+=2) { v=args[i+1]; s="o";
ao=args[i].split("."); for(j=0; j<ao.length; j++) { s+="."+ao[j]; if(null==eval(s)) {
s=null; break; } } x=new Object; x.o=o; x.n=new Array(); x.v=new Array();
x.n[x.n.length]=s; eval("x.v[x.v.length]="+s); d.$cpe[d.$cpe.length]=x;
if(s) eval(s+"=v"); }
}
function FP_getObjectByID(id,o) {//v1.0
var c,el,els,f,m,n; if(!o)o=document; if(o.getElementById) el=o.getElementById(id);
else if(o.layers) c=o.layers; else if(o.all) el=o.all[id]; if(el) return el;
if(o.id==id || o.name==id) return o; if(o.childNodes) c=o.childNodes; if(c)
for(n=0; n<c.length; n++) { el=FP_getObjectByID(id,c[n]); if(el) return el; }
f=o.forms; if(f) for(n=0; n<f.length; n++) { els=f[n].elements;
for(m=0; m<els.length; m++){ el=FP_getObjectByID(id,els[m]); if(el) return el; } }
return null;
}
</script>
<title></title>
</head>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" oncontextmenu="return false">
<p>&nbsp;</p>
<div style="position: absolute; width: 100px; height: 300px; z-index: 2; left: 0px; top: 8576px" id="layer2" onkeypress="FP_changeProp(/*id*/'layer2',0,'style.position','absolute','style.left','0','style.top','0')">
<p align="center">Click</p>
<p align="center">Directly</p>
<p align="center">Below </p>
<p align="center">To </p>
<p align="center">Begin</p>
<p align="center"><a href="HomePageright-frameSource2.html" target="rightframe" onmouseover="window.status='Click image to enter password'; return true;" onmousedown="this.click();">
<img src="Image1.gif" alt="Image" border="0"></a>
</p>
<p> </div>
<div style="position: absolute; width: 103px; height: 200px; z-index: 1; left: 0px; top: 0px" id="layer3" onclick="FP_changeProp(/*id*/'layer3',0,'style.visibility','hidden'); FP_changeProp(/*id*/'layer2',0,'style.position','absolute','style.left','0','style.top','0')">
<p align="center">TO SEE THE <br>
IMAGE ICON TO <br>
CLICK: <br>FIRST,Click right HERE <br>
in this Frame.</div>
<p>&nbsp;</p>
</body>
</html>
This html/javascript replaces ALL the code in that file in the ZIP; in other words, this is the complete page itself. Some of this left frame code exists simply to make sure JavaScript is ON, before even allowing the password textbox to appear.
I. B. Add the following code to the top of HomePageright-frameSource2.html (in the head before the <title>) (you do this only one time and it never needs to be changed):
<script type="text/javascript">
if(top.document.URL != "http://home.att.net/~online_tools/index.html") { // <-- Change to YOUR address
top.location.replace("index.html"); // <-- change page name IF your password entry page is NOT index.html
}
// (C) 2003 CodeLifter.com
// Source: CodeLifter.com
// Do not remove this header
// Set the message for the alert box
am = "This function is disabled!";
// do not edit below this line
// ===========================
bV = parseInt(navigator.appVersion)
bNS = navigator.appName=="Netscape"
bIE = navigator.appName=="Microsoft Internet Explorer"
function nrc(e) {
if (bNS && e.which > 1){
alert(am)
return false
} else if (bIE && (event.button >1)) {
alert(am)
return false;
}
}
document.onmousedown = nrc;
if (document.layers) window.captureEvents(Event.MOUSEDOWN);
if (bNS && bV<5) window.onmousedown = nrc;
</script>
<title>
A little later in the source code, make the first body tag read:
<BODY LEFTMARGIN=0 TOPMARGIN=0 MARGINWIDTH=0
MARGINHEIGHT=0 oncontextmenu="return false">
--------------------------
--------------------------
II. NEW PAGE:
Make the code of the FIRST quick-referrer page (the first one you PASS through after entering the password) so it is like the following. (This is a new page you build in Notepad or SimpleText -- Save As .html and with the second textbox in the Save As Dialog Box set to "All Files" OR put whatever.html in quotes ("whatever.html"); there is one such page for each Password-Protected Final Destination, but all of these pages are almost identical.)
(This is a page that has the same name -- before .html -- as the "password". In the big example on this page, it is testIt2b.html and thus "testIt2b" is the password in the example at the bottom.):
<html>
<head><meta name="robots" content="noindex,nofollow"><title> </title>
<script type="text/javascript">
if(top.document.URL != "http://home.att.net/~online_tools/index.html") { // <-- Change to YOUR address
top.location.replace("index.html"); // <-- change page name IF your password entry page is NOT index.html
}
parent.frames[0].theVar = "43"; // This '43' can be changed, if you want another constant in your secondPages addresses
var isNav4 = (navigator.appName =="Netscape" && parseInt(navigator.appVersion) == 4);
if (top.location.href == window.location.href) {
if (isNav4){
if(window.innerWidth != 0){
top.location.href = "index.html"; // <-- change page name IF your password entry page is NOT index.html
}
} else {
top.location.href = "index.html"; // <-- change page name IF your password entry page is NOT index.html
}
}
function doReplace() {
parent.frames[0].anotherKey = "passworded";
var addrstr = top.window.location.href;
var finDest = (addrstr.substr(0,34) + "secondStep" + parent.frames[0].theVar + ".html");
// see explanation below
location.replace(finDest);
}
</script>
</head>
<body onload="doReplace();" oncontextmenu="return false">
<p> </p>
</body>
</html>
Part of this requires some explanation for YOUR use: in particular, the line beginning "var finDest=":
First: the number 34 should be replaced with the number of characters in the PATH to any of your web pages (EXCLUDING the page name itself). For me, this PATH- is http://home.att.net/~online_tools/ (since that IS the path MINUS the page name) and it is 34 characters. Your PATH- may well be a different number of characters. Now, let me explain the next part of this line: "secondStep" is the name of the second intermediary page MINUS the '43' -- you should replace this with the name of your 2nd intermediary page. [This is for each instance of a page reached via a password, and thus for each page also having an auto redirect from a page with a name which IS the password (like the page whose code is shown above).] The magic "43" is gathered from A LEFT FRAME VARIABLE NAMED "theVar". That goes after the first part of the page name. And then, finally, the ".html" is tacked on. That explains that line and you know how to change it for each password you use.
NOTE: This page now directs users to A SECOND Referring Page (mine is called secondStep43.html), where users will have to provide a user-chosen second temporary password and THEN click a button to actually get to the page they want. ALSO: This first referring page (above) NOW includes NEW security features so you can only get to it through the password protected entry page (mine is index.html). If it does not see itself in a frameset, it loads the index.html frameset.
(Note: This (ABOVE) is the complete code of this short page; there is one such page for each password-protected Final Destination page -- but ONLY some of the text in RED changes, 1 instance to another.)
-----------------------
-----------------------
AND:
III. NEXT: Another new page:
A second referrer page is associated with each password protected page (there is one such page for each Password-Protected Final Destination; ONLY some of the text in RED changes, one instance to another):
This is a super simple page with just 2 buttons on it. Its name is what is important. ALL second step pages MUST have a '43' in their name (mine is secondStep43.html) -- or you can choose another number, etc. and simply replace the '43' in the source code of the page LAST described. Here is the way all these pages must be. This is the complete code for a sample page (the only thing you need to change OR SHOULD CHANGE is the name of the page and the link):
<html>
<head>
<meta name="robots" content="noindex,nofollow">
<script language="Javascript1.2">
if(top.document.URL != "http://home.att.net/~online_tools/index.html") { // <-- Change to YOUR address
top.location.replace("index.html"); // <-- change page name IF your password entry page is NOT index.html
}
if(parent.frames[0].anotherKey != "passworded") {
top.location.replace("index.html"); // <-- change page name IF your password entry page is NOT index.html
}
function setPW() {
var thePW = prompt("Give a PW you will have to know to use the Password-Protected Page",
"!!!Set password!!!");
parent.frames[0].thePW2= thePW;
}
function doReplace() {
var addrstr = top.window.location.href;
var finDest = (addrstr.substr(0,34) + "MacScorer2.htm"); // <-- Change '34' & change to YOUR page name
location.replace(finDest);
}
// The '34' above is the number of characters in the PATH MINUS THE PAGE NAME (like it was in the
// section above).
// YOU MUST AGAIN CHANGE THIS TO THE NUMBER OF CHARACTERS IN *YOUR* PATH - .
// (C) 2003 CodeLifter.com
// Source: CodeLifter.com
// Do not remove this header
// Set the message for the alert box
am = "This function is disabled!";
// do not edit below this line
// ===========================
bV = parseInt(navigator.appVersion)
bNS = navigator.appName=="Netscape"
bIE = navigator.appName=="Microsoft Internet Explorer"
function nrc(e) {
if (bNS && e.which > 1){
alert(am)
return false
} else if (bIE && (event.button >1)) {
alert(am)
return false;
}
}
document.onmousedown = nrc;
if (document.layers) window.captureEvents(Event.MOUSEDOWN);
if (bNS && bV<5) window.onmousedown = nrc;
</script>
<title> </title>
</head>
<body oncontextmenu="return false">
<p> </p>
<center><p>FIRST:</p>
<input type="button" value="Click to set temporary (session) password" onclick="setPW();" />
<p>THEN:</p>
<input type="button" value="CLICK HERE" onclick="doReplace();" />
</center>
<p> </p>
</body>
</html>
[Of course, you will have to have a number of '43' pages OR one '43' page with buttons for all the pages you want to have password protected. Other possible names for these pages could be mine143.html, mine243.html, etc. -- numbers cannot come first in the address though. Also note: There is script code in the page (above) that prevents a right click to see the code -- in particular the page name; otherwise a person could bypass the password page and go directly to THIS 'second page'. This portion of code is also used, if possible, in the head of the Final Destination page (as shown in the section below).
(Originally I did not add all the script to either the index left frame or the second right-frame source or the final target page in the final example BECAUSE I wanted to allow you to be able to view and/or copy the source of the frames of the password entry page AND the final page in my example DOES benefit a bit from some copy and paste functionality !! BUT, because reviewers failed to see the full utility of this solution without all the code in the example, I have gone ahead and put that NO-RIGHT-CLICK script code everywhere I recommend. Most of the original pages may now only be viewed by downloading the zip.) ]
(Note: The code (ABOVE) is the complete code of this short page.)
-----------------------
-----------------------
AND:
IV. FINAL DESTINATION PAGES:
Between the head tags of EACH of the pages ONLY those people who have gone through the Password Entry Page are FINALLY supposed to get to (NOT counting the 1st and 2nd quick-referrer page -- i.e. those covered above), put the following code between the <head> and </head> tags, and between <script> tags (this is usually the very same exact code for each instance of a Final Destination page -- for the only possible exception see the pink note below, in the comment within the code):
<script type="text/javascript">
//THE ADDED CODE IS BETWEEN HERE & ... [BUT also add the top script tag if none exists in your page head]
if(top.document.URL != "http://home.att.net/~online_tools/index.html") { // <-- Change to YOUR address
top.location.replace("index.html"); // <-- change page name IF your password entry page is NOT index.html
}
// Go back to the entry page if the temp password was never set (undefined or null)
// or has already been cleared to the string "undefined"
if(parent.frames[0].thePW2 == null || parent.frames[0].thePW2 == "undefined")
{
top.location.replace("index.html"); // <-- change page name IF your password entry page is NOT index.html
}
function FP_getObjectByID(id,o) {//v1.0
var c,el,els,f,m,n; if(!o)o=document; if(o.getElementById) el=o.getElementById(id);
else if(o.layers) c=o.layers; else if(o.all) el=o.all[id]; if(el) return el;
if(o.id==id || o.name==id) return o; if(o.childNodes) c=o.childNodes; if(c)
for(n=0; n<c.length; n++) { el=FP_getObjectByID(id,c[n]); if(el) return el; }
f=o.forms; if(f) for(n=0; n<f.length; n++) { els=f[n].elements;
for(m=0; m<els.length; m++){ el=FP_getObjectByID(id,els[m]); if(el) return el; } }
return null;
}
function FP_changeProp() {//v1.0
var args=arguments,d=document,i,j,id=args[0],o=FP_getObjectByID(id),s,ao,v,x;
d.$cpe=new Array(); if(o) for(i=2; i<args.length; i+=2) { v=args[i+1]; s="o";
ao=args[i].split("."); for(j=0; j<ao.length; j++) { s+="."+ao[j]; if(null==eval(s)) {
s=null; break; } } x=new Object; x.o=o; x.n=new Array(); x.v=new Array();
x.n[x.n.length]=s; eval("x.v[x.v.length]="+s); d.$cpe[d.$cpe.length]=x;
if(s) eval(s+"=v"); }
}
function checkSrc(){
if(((parent.frames[0].theVar) == "43") && (parent.frames[0].anotherKey == "passworded")) // <-- see about '43' above
{
chkPW();
}
else{top.location.replace("index.html");} // <-- change page name IF your password entry page is NOT index.html
}
function chkPW() {
var theIP = prompt("Provide the temp. password you just set", "");
if(theIP == parent.frames[0].thePW2){
FP_changeProp(/*id*/'theMain',0,'style.visibility','visible');}
else{history.go(-2);}
parent.frames[0].thePW2="undefined"; // the temp password is cleared after one use
}
// *AND*, TO KEEP THE PAGE NAME (ADDRESS) OF A FINAL DESTINATION PAGE *UNKNOWN*
// ADD THE ADDITIONAL CODE FROM HERE ON IF IT DOES NOT INTERFERE WITH THE
// FUNCTIONALITY OF THIS 'FINAL DESTINATION' PAGE.:
// (C) 2003 CodeLifter.com
// Source: CodeLifter.com
// Do not remove this header
// Set the message for the alert box
am = "This function is disabled!";
// do not edit below this line
// ===========================
bV = parseInt(navigator.appVersion)
bNS = navigator.appName=="Netscape"
bIE = navigator.appName=="Microsoft Internet Explorer"
function nrc(e) {
if (bNS && e.which > 1){
alert(am)
return false
} else if (bIE && (event.button >1)) {
alert(am)
return false;
}
}
document.onmousedown = nrc;
if (document.layers) window.captureEvents(Event.MOUSEDOWN);
if (bNS && bV<5) window.onmousedown = nrc;
//... AND HERE. [BUT also add the bottom script tag if there are no script tags already in your page head]
</script>
All this is within the script code at the top of MacScorer2.htm (of mine) and should be at the top (in the head) of any page you want people to get to only via a password. There happens to be a lot of other code between the script tags of MacScorer2.htm (some variable definitions above and some functions below), but don't let that worry you -- that is unique to that page and its functionality. Just near the top of the script code (ON YOUR PAGE) add this code. If there is no code and no script tags in the head of your page, add the script tags AND code (in other words, add everything shown above) in the <head> of your page.
HERE ARE OTHER CHANGES THAT MUST BE MADE ON EACH OF THE FINAL DESTINATION PAGES (to make use of all the security features that have been developed in these scripts):
CHANGE THE first <body> tag (the <body> tag itself) of each of THESE pages to read:
<body bgcolor="#FFFFFF" text="#000000" onload="checkSrc();"
onunload="parent.frames[0].thePW2='undefined';" oncontextmenu="return false">
AND, directly below this body tag put this line:
<div style="z-index: 1; visibility: hidden" id="theMain">
AND before the last body tag, put: </div>
** NOTE **: You want to accomplish ALL that you want private between you and the student/user of this passworded system on this one Final Destination page WITH NO LIVE LINKS, BECAUSE subsequent pages remain in the history -- i.e. no automatic protection is in place to hide these pages from subsequent users of a public computer. The ONLY recourse you have if all cannot be accomplished on this one page (without more JavaScript on each Final Destination page) is: If the student/user is fully and reliably trained on wiping out history and cache (as described at the bottom of this web page), you need not worry about the subsequent pages temporarily being in the History, BUT, ** OTHERWISE YOU DO **. (Such are the limits of JavaScript as described in this system, but much can be done on one page.)
[Technically, you could have links on the Final Destination pages set up so the linked pages also do not leave a history: Each of the Final Destination pages with links would have to have each and every link set up to call a doReplace() function rather than operating like a normal link. But not only would this have to be done for every link on the Final Destination page, but for each link -- if any -- on the subsequent pages (if they too were to be kept private). This involves more coding for each page than I wanted to tell you about. I wanted to keep things simple with VERY little new or changed code being involved going from one setup of the system to a second usage.]
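The bracketed note above, worked through as an added example (not code from the original page or its ZIP): a small model of one frame's Back/Forward list, showing which addresses stay listed when the Final Destination page links onward with an ordinary link versus a link that calls location.replace(). SessionHistory, replaceLink() and followUp.html are hypothetical names, and the model assumes the password box reaches the first referrer page by an ordinary navigation, which the page does not show.

```javascript
// Added example: constructed model of one frame's Back/Forward list.
function SessionHistory() {
  this.entries = [];
  this.pos = -1;
}
// Ordinary link or typed address: drops any Forward entries, then appends.
SessionHistory.prototype.assign = function (url) {
  this.entries = this.entries.slice(0, this.pos + 1);
  this.entries.push(url);
  this.pos = this.entries.length - 1;
};
// location.replace(url): overwrites the current entry, adds nothing.
SessionHistory.prototype.replace = function (url) {
  if (this.pos < 0) { this.assign(url); return; }
  this.entries[this.pos] = url;
};

// Hypothetical link handler in the style of the page's doReplace(). On a real page:
//   <a href="followUp.html" onclick="return replaceLink(this, location);">
function replaceLink(anchor, loc) {
  loc.replace(anchor.href);
  return false; // cancels the normal navigation, which would add an entry
}

function walk(linksUseReplace) {
  var h = new SessionHistory();
  h.assign("index.html");          // password entry page (frameset treated as one entry)
  h.assign("testIt2b.html");       // assumption: the password box navigates normally
  h.replace("secondStep43.html");  // doReplace() in the first referrer page
  h.replace("MacScorer2.htm");     // doReplace() in the second referrer page
  var link = { href: "followUp.html" }; // hypothetical page linked from MacScorer2.htm
  if (linksUseReplace) { replaceLink(link, h); } else { h.assign(link.href); }
  return h.entries;
}

console.log(walk(false).join(" > ")); // ordinary link on the Final Destination page
console.log(walk(true).join(" > "));  // every link goes through replaceLink()
```

The two referrer pages never appear in either list; with an ordinary link the Final Destination address stays reachable with Back, and with replaceLink() only the page currently shown is listed.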
--------------------
--------------------
FINAL NOTE: Because, normally, my index.html page can be reached with either the address, http://online_tools.home.att.net/index.html ** OR ** by the address, http://home.att.net/~online_tools/index.html, the following code has been added to my index.html page (added right above the <title>, in the <head>):
<script type="text/javascript">
if(window.location.hostname != "home.att.net") { // <-- change THIS to the root of YOUR web domain
top.location.replace("http://home.att.net/~online_tools/index.html");} // <-- change this to YOUR address
</script>
This code ensures the full functionality of all the security code and simplifies some of it. If you enter via the online_tools.home.att.net address, you are automatically sent to the index.html page via the other form of the address (you may or may not have to do this depending on what your Internet Service Provider gives you for addresses and if a valid address to any given page on your site can take two forms OR not).
BUT NOTE: I am commenting out this code on my site because the automatic redirect seems to affect my site listing with GOOGLE. To try my sample password-protected entry page, you should approach it from the following address ONLY: http://home.att.net/~online_tools/index.html.
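An added example (not part of the original page) tying this note to the '34' in the doReplace() functions of sections II and III: with the hard-coded length, the second form of the address yields a wrong destination, while taking the path up to the last "/" works for both forms. dirOf() and finDestDerived() are hypothetical helper names.

```javascript
// Added example, not from the original page or its ZIP.
var canonical = "http://home.att.net/~online_tools/index.html"; // address from the page
var alternate = "http://online_tools.home.att.net/index.html";  // second form named on the page

// The page's approach: keep a fixed number of leading characters of the top address.
// slice(0, n) gives the same result as the page's substr(0, n).
function finDestFixed(topHref, pageName, prefixLen) {
  return topHref.slice(0, prefixLen) + pageName;
}

// Hypothetical helper: everything up to and including the last "/" of the path,
// ignoring any ?query or #fragment that may follow the page name.
function dirOf(topHref) {
  var end = topHref.search(/[?#]/);
  var withoutQuery = end === -1 ? topHref : topHref.slice(0, end);
  return withoutQuery.slice(0, withoutQuery.lastIndexOf("/") + 1);
}

// Same destination rule as doReplace(), with the length derived instead of counted.
function finDestDerived(topHref, pageName) {
  return dirOf(topHref) + pageName;
}

function compare(pageName) {
  return [canonical, alternate].map(function (href) {
    return {
      entered: href,
      fixed34: finDestFixed(href, pageName, 34),
      derived: finDestDerived(href, pageName)
    };
  });
}

console.log(compare("secondStep43.html"));
```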
----------------------
----------------------
----------------------
Now, the effect of trying to go directly to any page that is in the "password-protected" system WITHOUT providing the password will be that the page sends the person back to the Password Protected Entry Page itself (i.e. index.html, or whatever you call it).
JavaScript MUST be on.
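An added example (a constructed model, not the page's own code) of the checks from sections II to IV, with a plain object standing in for the left frame parent.frames[0]; it shows which visitor paths end on index.html and which reveal the page. The function names and the temporary password "tmp-pw" are made up for the example, and the model treats a temporary password that was never set the same as one that has been cleared.

```javascript
// Added example: constructed model, not the original page's code.
var ENTRY = "http://home.att.net/~online_tools/index.html"; // address from the page
var HOME = "index.html";

// Stand-in for parent.frames[0], the left frame that holds the shared variables.
function newLeftFrame() {
  return { theVar: undefined, anotherKey: undefined, thePW2: undefined };
}

// II. First referrer page (testIt2b.html): sets both markers, then replaces itself.
function firstReferrer(topUrl, left) {
  if (topUrl !== ENTRY) return HOME;
  left.theVar = "43";
  left.anotherKey = "passworded";
  return "secondStep" + left.theVar + ".html";
}

// III. Second referrer page: needs the marker, stores the temporary password.
function secondReferrer(topUrl, left, chosenPw) {
  if (topUrl !== ENTRY || left.anotherKey !== "passworded") return HOME;
  left.thePW2 = chosenPw;   // setPW()
  return "MacScorer2.htm";  // doReplace()
}

// IV. Final Destination page: inline checks, then checkSrc() and chkPW().
function finalDestination(topUrl, left, typedPw) {
  if (topUrl !== ENTRY) return HOME;
  // Never set (undefined/null) is treated like the cleared "undefined" string.
  if (left.thePW2 == null || left.thePW2 === "undefined") return HOME;
  if (left.theVar !== "43" || left.anotherKey !== "passworded") return HOME;
  var matches = typedPw === left.thePW2;
  left.thePW2 = "undefined"; // chkPW() clears it after one use
  return matches ? "visible" : "history.go(-2)";
}

// onunload handler of the Final Destination page.
function leave(left) { left.thePW2 = "undefined"; }

function runScenarios() {
  var out = {};
  // 1. Final page address typed directly, so the top window is not the frameset.
  out.typedAddress = finalDestination(
    "http://home.att.net/~online_tools/MacScorer2.htm", newLeftFrame(), "x");
  // 2. Inside the frameset, but both referrer pages were skipped.
  out.skippedSteps = finalDestination(ENTRY, newLeftFrame(), "x");
  // 3. Full path with the matching temporary password.
  var left = newLeftFrame();
  out.step1 = firstReferrer(ENTRY, left);
  out.step2 = secondReferrer(ENTRY, left, "tmp-pw");
  out.fullPath = finalDestination(ENTRY, left, "tmp-pw");
  // 4. The user leaves; the next person returns to the same page.
  leave(left);
  out.revisit = finalDestination(ENTRY, left, "tmp-pw");
  // 5. Full path, wrong temporary password.
  var left2 = newLeftFrame();
  firstReferrer(ENTRY, left2);
  secondReferrer(ENTRY, left2, "tmp-pw");
  out.wrongPw = finalDestination(ENTRY, left2, "guess");
  return out;
}

console.log(runScenarios());
```

Every outcome here is decided by script running in the visitor's browser, which is why JavaScript must be on and why the page names are treated as secrets.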
I BELIEVE THIS IS AN EXCELLENT SOLUTION FOR ANY PEOPLE WHO WANT PASSWORD PROTECTION OF PAGES WITHOUT INVOLVING THE SERVER (and requiring NO cgi or cgi rights).
This solution is for teachers without their own COMMERCIAL web sites and without cgi (server) rights with their districts or institutions or companies -- which I suspect is most teachers.
To try a sample of this solution, go to http://home.att.net/~online_tools/index.html and type in testIt2b and click the button or hit enter. The second step page will come up and clicking buttons there will bring you to the MacScorer2.htm page. Try getting there directly or even via THIS LINK and you will be brought to the Password Entry Page. With the Solution (above) people "in the know" possibly can still figure out what is going on, but beating this solution involves a lot of JavaScript knowledge AND a huge break-down of the "honor system" among your password users. Using the solution, using all the scripts recommended, is for many practical purposes (where no money is involved) secure -- esp. if the final cautionary behavior, described directly below, is done when necessary. (This situation is, in practice, no worse than just having a student keep his/her password secret -- especially if this solution works as well on other platforms as it does on the PC with Internet Explorer, Netscape, and Firefox.)
THIS IS REALLY JUST A NOTE FOR Users of Public Computers: Public computer users should be taught how to routinely delete the history of untested browsers, since the final destination page MAY be somewhere in the history (though some of the other secret pages will not be) -- at least until the browser is closed, because this MAY vary by browser and platform. When using untested browsers/platforms: After a student views his/her page, they should return to a home page, such as my http://home.att.net/~online_tools/index.html and then View --> Explorer Bar --> History and right click the history list and Delete the History. AND, Tools --> Internet Options --> Delete Files should also be done to clear the cache. ALSO via that dialog box that comes up from Tools --> Internet Options: Delete Cookies and Clear History THERE as well. AND THEN CLOSE THE BROWSER. Only ALL this makes a subsequent person for sure UNABLE to get to the final page of the password user who just finished using this computer.
The reason all this should be done is that even without Browser History, techies and hackers MAY BE ABLE to find stuff in the cache.
****** NEW *******: New features of this set-of-pages-with-scripting have provided improvements so NOW viewing the Final Destination page (AS html) requires JavaScript be on AND requires knowledge of a temporary session password (set by the user on the secondStep page) OR the contents of the page are invisible <-- once the final destination page is exited (IN ANY WAY) by the correct password-entry-page user (and requires the setting of a new temporary password via the secondStep page to become visible). These are good added safeguards and, given the legitimate user simply leaves the Final Destination page, all is well for privacy and protection from the vast majority of other people.
(Protection from techies and hackers MAY still require ALL the procedures above.)
***********************************
***********************************