Polo Montana

Reputation: 91

Javascript user ID code

Here's the code:

<script language="javascript">
<!--//
    function pasuser(form) {
        if (form.user.value=="JavaScript") { 
            if (form.pass.value=="Kit") {              
                location="page2.html" 
            } else {
                alert("Invalid Password")
            }
        } else {  
            alert("Invalid UserID")
       }
    }
//-->
</script>

I keep trying to use just the user ID and not the password but when I remove form.pass nothing works. Am I doing something wrong in the form section?

<input type="text" name="user" id="query" size="5" value=""> 
<input type="button" value="Search" onClick="pasuser(this.form)">

It seems like it would be pretty cut and dry. If I want to just input the user ID, just remove form.pass, but that doesn't work. I've used this script before with the user ID and the pass and it works fine.

Thanks in advance.

Upvotes: 0

Views: 1266

Answers (3)

atk

Reputation: 9314

I suspect that "it doesn't work" means that location=page2.html fails to change the URL. You should use window.location=page2.html. You may also be using a <input type=submit> - try using a button instead. The code I tested that works fine for me is at the bottom, but first, you've got a couple other problems to deal with.

problem 1: client side security

Your first problem is that you've got client side security. Your code is JavaScript, which means it gets executed in a browser (unless you're in the extremely unusual case of a JavaScript interpreter in another situation). That means that the source code is going to be delivered to the end user, where the user can use the browser's built in "View Source" to reveal the username & password. Tricks like disabling view source don't work, by the way - the browser can disable JavaScript (thereby disabling that trick), use wget, use a proxy server (like webscarab) or a browser add on. The user can always get to the source of your page.

problem 2: unprotected "secure" page2.html

The second page, where you go after authenticating, may not be protected - after all, all you're doing is asking for a username & password, then redirecting to the "secure" page. What stops a user from browsing directly to the "secure" page?

problem 3: hard coded credentials

You've got a hard coded list of credentials. This means that anyone who uses your software will have the same credentials - different users will be able to log into each others' installations even if they're not authorized to do so. This is often considered a critical risk in real products.

RECOMMENDATION

It's good that you're thinking about security, and trying to implement an authentication scheme. If this is something you're interested in, there's lots of research out there - start with Wikipedia. You should also look at owasp.org for lots of great information about how security goes bad, and you should play with OWASP's WebGoat tool - it'll give you hands-on experience learning the various elements that go bad.

code

<HTML>
    <head></head>
    <body>

<script language="javascript">
<!--//
    function pasuser(form) {
        if (form.user.value=="JavaScript") { 
            if (form.pass.value=="Kit") {              
            alert("success");
               window.location = "http://www.google.com/";
            } else {
                alert("Invalid Password")
            }
        } else {  
            alert("Invalid UserID")
       }
    }
//-->
</script>

<form name=f>
    <input name=user value="JavaScript">
    <input name=pass value="Kit"> 

    <input type=button onclick='pasuser(document.forms.f)'>
</form>
</body>
</HTML>

Upvotes: 0
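The server-side counterpart to the three problems listed in the answer above, as an added example that is not part of the original thread: the credential check and the gate on page2.html both run on the server, so nothing secret reaches View Source and the page cannot be opened by URL alone. It assumes Node.js with only built-in modules; the account `alice`, the `sid` cookie, the `/login` and `/login.html` paths and the `handle` function are all constructed for illustration.

```javascript
// Added example: server-side login gate for page2.html (Node.js, built-in modules only).
const nodeCrypto = require('crypto');

// Constructed sample account; a real deployment loads per-user records from a data store.
const salt = nodeCrypto.randomBytes(16);
const users = new Map([
  ['alice', { salt, hash: nodeCrypto.scryptSync('correct horse', salt, 32) }],
]);
const sessions = new Map(); // session token -> user name

// Compare a salted scrypt hash of the submitted password in constant time.
function verifyLogin(user, pass) {
  const rec = users.get(user);
  if (!rec) return false;
  const candidate = nodeCrypto.scryptSync(String(pass), rec.salt, 32);
  return nodeCrypto.timingSafeEqual(candidate, rec.hash);
}

// Map a Cookie header to a logged-in user, or undefined if the token is unknown.
function sessionUser(cookieHeader) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader || '');
  return m ? sessions.get(m[1]) : undefined;
}

// Pure request handler: takes { method, path, cookie, form } and returns a response object.
function handle(req) {
  if (req.method === 'POST' && req.path === '/login') {
    const { user, pass } = req.form || {};
    if (!verifyLogin(user, pass)) {
      // One message for both failures, so the form does not confirm which user IDs exist.
      return { status: 401, headers: {}, body: 'Invalid user ID or password' };
    }
    const sid = nodeCrypto.randomBytes(32).toString('hex');
    sessions.set(sid, user);
    const cookie = `sid=${sid}; HttpOnly; Secure; SameSite=Lax; Path=/`;
    return { status: 303, headers: { Location: '/page2.html', 'Set-Cookie': cookie }, body: '' };
  }
  if (req.method === 'GET' && req.path === '/page2.html') {
    const user = sessionUser(req.cookie);
    // Browsing directly to the page without a valid session is sent back to the login form.
    if (!user) return { status: 303, headers: { Location: '/login.html' }, body: '' };
    return { status: 200, headers: {}, body: `Protected content for ${user}` };
  }
  return { status: 404, headers: {}, body: 'Not found' };
}
```

The handler is kept free of sockets so it can be exercised directly; wiring it into `http.createServer` only requires parsing the form body and copying the returned status, headers and body to the response.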

Elias Van Ootegem

Reputation: 76405

Well, correct me if I'm wrong, but could it be that, in removing the pass input field, you didn't add the onclick="pasuser(this.form)" bit to the user ID input field? Setting up a jsfiddle would help here.

Anyhow, as far as I can work out, change the pasuser function to jfriend00's solution, and add the onclick bit to the userid field to get this working.

Upvotes: 0

jfriend00

Reputation: 707248

It sounds like you just want to remove the password check. If so, you can do that this way:

<script language="javascript">
    function pasuser(form) {
        if (form.user.value=="JavaScript") { 
            location="page2.html"; 
        } else {  
            alert("Invalid UserID");
       }
    }
</script>

I would suggest putting semicolons on the end of your statements too.

Upvotes: 1
