有没有办法在不使用服务器端语言的情况下密码保护 HTML 页面?
[英]Is there a way to password protect HTML pages without using a server side language?
问题描述
I have a series of interlinked web pages, and I want to restrict access to these pages by asking the user to provide a login and password.
我有一系列相互链接的网页,我想通过要求用户提供登录名和密码来限制对这些页面的访问。 However, my hosting account currently does not provide any facility for server side scripting - is there any way I can accomplish this objective using only client side scripts?但是,我的主机帐户目前没有为服务器端脚本提供任何工具 - 有什么方法可以仅使用客户端脚本来实现此目标?
I was wondering how the following program works -我想知道以下程序是如何工作的 -
http://www.myzips.com/software/HTML-Password.phtml http://www.myzips.com/software/HTML-Password.phtml
Clarification: Thanks for your inputs.澄清:感谢您的投入。 However, if I am configuring the web server, then is there a possibility of the user entering an username and password?但是,如果我正在配置 Web 服务器,那么用户是否有可能输入用户名和密码?
10 个解决方案
解决方案1
10 已采纳 2009-01-13 13:12:52
There is no way to create a secure clientside script.无法创建安全的客户端脚本。 If the user has access to it, it's insecure.如果用户有权访问它,则它是不安全的。
If your host is running apache you can secure folders using .htaccess, on IIS you can do the same through directory security.如果您的主机正在运行 apache,您可以使用 .htaccess 来保护文件夹,在 IIS 上,您可以通过目录安全来执行相同的操作。
解决方案2
7 2015-06-23 21:15:12
Below is a working solution to this problem that uses encryption, which I implemented myself.以下是我自己实现的使用加密的此问题的有效解决方案。
A few users here have suggested using an encryption-based approach to client-side password protection.这里的一些用户建议使用基于加密的方法来保护客户端密码。 I needed this functionality too, so I implemented it myself.我也需要这个功能,所以我自己实现了。 The password is hashed using PBKDF2 and then used to encrypt the page with AES256.密码使用 PBKDF2 散列,然后使用 AES256 加密页面。
The tool is hosted here:该工具托管在这里:
https://www.maxlaumeister.com/pagecrypt/ https://www.maxlaumeister.com/pagecrypt/
with source code available here:此处提供源代码:
https://github.com/MaxLaumeister/pagecrypt https://github.com/MaxLaumeister/pagecrypt
Description of the project, from the project page:项目描述,来自项目页面:
PageCrypt - Password Protect HTML
This tool lets you securely password-protect an HTML file.
Has no server-side components (this tool and its password-protected pages run entirely in javascript).
Uses strong encryption, so the password-protection cannot be bypassed.
All you need to do is choose an HTML file and a password, and your page will be password-protected.
解决方案3
5 2009-01-13 13:17:16
You can create a file .htaccess with something like this :您可以使用以下内容创建文件 .htaccess:
AuthUserFile path/to/password.txt
AuthGroupFile /dev/null
AuthName "Acces Restreint"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
You then have to create the .htpasswd file.然后您必须创建 .htpasswd 文件。
解决方案4
4 2009-01-13 13:59:13
It is possible to implement this, although you'd probably find it easier to simply switch to a different hosting provider.可以实现这一点,尽管您可能会发现简单地切换到不同的托管服务提供商会更容易。 Here's how it's possible:这是可能的:
First, encrypt the entire body with a symmetric encryption algorithm and a random key (the master key).首先,使用对称加密算法和随机密钥(主密钥)对整个主体进行加密。 Store this ciphertext in a javascript block as text.将此密文作为文本存储在 javascript 块中。
For all your users, generate a javascript hash mapping their username onto an encrypted copy of the master key (encrypted with each users key).对于所有用户,生成一个 javascript 哈希,将他们的用户名映射到主密钥的加密副本(使用每个用户密钥加密)。
Finally, create a web page asking for username and password.最后,创建一个要求用户名和密码的网页。 Once they're entered, use the username to locate the encrypted master key.输入后,使用用户名查找加密的主密钥。 Decrypt that with the password the user typed in and use the resulting master key to unlock the original body.使用用户输入的密码解密,并使用生成的主密钥解锁原始主体。 Use javascript to replace the existing html body with the decrypted one.使用 javascript 将现有的 html 正文替换为解密后的正文。
解决方案5
0 2009-01-13 13:15:37
I don't know about client side scripts but you can use the web server to restrict access to your site.我不知道客户端脚本,但您可以使用 Web 服务器来限制对您网站的访问。
In IIS you can use "directory security" tab settings: configure IIS Web site authentication在 IIS 中可以使用“目录安全”选项卡设置:配置 IIS 网站身份验证
解决方案6
0 2009-01-13 13:23:02
If there was one and only one password for EVERYbody, you could try a public key-type approach.如果每个人只有一个密码,您可以尝试一种公钥类型的方法。 You could provide a simple script for performing RSA decryption (you'd need to do the original encryption somewhere where you have access to some type of programming software).您可以提供一个简单的脚本来执行 RSA 解密(您需要在可以访问某种类型的编程软件的地方进行原始加密)。 Then, you could supply the content as an encrypted string.然后,您可以将内容作为加密字符串提供。 You'd display a password box, the user would type the password,then the string would be decrypted according to the password.你会显示一个密码框,用户输入密码,然后根据密码解密字符串。 If the password is correct, the string will decrypt correctly, and the page will show.如果密码正确,字符串将正确解密,并显示页面。 Otherwise, the page will look like a bunch of garbage.否则,页面将看起来像一堆垃圾。 Be careful, though, because this client-side method would be very vulnerable to brute-force.但是要小心,因为这种客户端方法很容易受到蛮力攻击。
解决方案7
0 2009-01-13 13:27:21
Sure, if security is not a big deal.当然,如果安全不是什么大问题。 Essentially, you will be putting up a door that says "Please don't come in if you don't know the password".从本质上讲,您将放置一扇门,上面写着“如果您不知道密码,请不要进来”。 Anything that does not use server-side technology is likely using JavaScript, along with a file in a protected directory to store the passwords.任何不使用服务器端技术的东西都可能使用 JavaScript,以及受保护目录中的文件来存储密码。 This is not password protection, however.然而,这不是密码保护。 JavaScript can be disabled, which will cause the page to load.可以禁用 JavaScript,这将导致页面加载。 No doubt, this will be countered by hiding the content...but the content will still be viewable through the source.毫无疑问,这将通过隐藏内容来解决……但内容仍然可以通过源查看。 There are a few other ways, but if you have content that is truly worth protecting with a password, this is not a good way to go.还有其他一些方法,但如果您有真正值得用密码保护的内容,这不是一个好方法。
解决方案8
0 2009-01-13 13:35:39
Yes it is possible but it's not very pretty or even very good.是的,这是可能的,但它不是很漂亮,甚至不是很好。
- Your index page has an empty div where your restricted content will go.您的索引页有一个空的 div,您的受限内容将在其中放置。
- On page load or a link being clicked, a prompt (window.prompt) asks for your password.在页面加载或点击链接时,提示 (window.prompt) 要求您输入密码。
- Your password is hashed and compared to a stored hash ( or array of hashes ) of the correct password in your script.您的密码被散列并与脚本中正确密码的存储散列(或散列数组)进行比较。
- If you have a match you load the content into the div via AJAX如果您有匹配项,则通过 AJAX 将内容加载到 div 中
- You could store the password in a cookie so it isn't prompted for each time ( not very secure but then this isn't a very secure system )您可以将密码存储在 cookie 中,这样就不会每次都提示它(不是很安全,但这不是一个非常安全的系统)
- You're still not all that secure because the filenames of the pages you'll be loading will be visible in your script but it might keep a very casual surfer out.您仍然不是那么安全,因为您将加载的页面的文件名将在您的脚本中可见,但这可能会使非常随意的冲浪者望而却步。
- You could obfusticate the urls thereby requiring some JavaScript knowledge to view.您可以混淆 url,从而需要一些 JavaScript 知识才能查看。 eg rot13例如 rot13
You will need a JavaScript hashing script您将需要一个JavaScript 散列脚本
解决方案9
0 2009-01-13 13:42:41
Or you could use a cryptic html-filename as the password and ajax in / browse to that page if it exists :-)或者你可以使用一个神秘的 html 文件名作为密码和 ajax 在 / 浏览到该页面(如果存在):-)
Just as secure (or unsecure) as the other suggestions, but probably easier to implement.与其他建议一样安全(或不安全),但可能更容易实施。
解决方案10
0
You don't need public key for this - in fact public key decryption is limited to encrypting other symmetric keys and certificates in practice because its computationally very expensive.为此,您不需要公钥——实际上,公钥解密仅限于加密其他对称密钥和证书,因为它在计算上非常昂贵。 You just need a shared secret.你只需要一个共享的秘密。
Encrypt the webpages using AES (for instance), using a key derived from the passphrase (by hashing).使用 AES 加密网页(例如),使用从密码短语派生的密钥(通过散列)。 You then have to securely communicate the pass phrase to the user(s) and write some javascript to download the encrypted content, prompt for a passphrase, decrypt the data and incorporate it into the DOM.然后,您必须将密码安全地传达给用户并编写一些 javascript 来下载加密内容、提示输入密码、解密数据并将其合并到 DOM 中。
Its all rather messy and very brittle - only one password for all users, as soon as its compromised you have to replace the stuff on the server and hope against hope that google hasn't cached it... Suggest you move to a real ISP它相当混乱而且非常脆弱——所有用户只有一个密码,一旦它受到威胁,你就必须更换服务器上的东西,并希望谷歌没有缓存它......建议你转向真正的 ISP
As to the HTML password program you refer to, there's no way to know its not snake-oil or broken... The phrase "best security with strong algorithms" is not exactly encouraging!至于你所指的 HTML 密码程序,没有办法知道它不是万能的或坏的……“强算法的最佳安全性”这句话并不令人鼓舞!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.