is it possible to do web site authentication sans PHP - javascript

I would really enjoy avoiding the use of PHP for authenticating users on a website I'm developing, and I was wondering if I could use a SQL database, Apache sans PHP, HTML, Javascript/JQuery, and CSS to accomplish this? I know it's a far-fetched idea probably... but I would be happy if I could.

PHP is a single web development language, there are tons of options.
Ruby, .Net(C#/VB), Java, Python are some common alternatives.
You could work something out with JavaScript, but it would likely be sacrificing quite a bit of functionality/security.

Apache does have some modules like mod_auth_mysql that let you do authentication, but it doesn't look like it's been updated in awhile. The login box will be a pop-up box from the browser that requests username and password. You won't be able to put a Username/Password box on your page like other sites do.
If your webserver can't handle the authentication, you need some sort of "glue" that goes between your server and the browser to handle the authentication piece. PHP does a good job of that, but any of the languages Ryathal mentions would work as well.
If you do use javascript, remember that all of the source code used to secure your site is visible to whoever has the knowledge to look at it.

Yes you can use authentication methods built in to .htaccess if the right modules are enabled in your Apache installation.
This is only basic http authentication though so you would just get a popup box and you cannot log out unless you close the browser I don't think.
Authentication, Authorization and Access Control - Apache HTTP Server
You would need to use a command line utility called htpasswd to generate the user files.

Related

How To Remove Link From Browsers' "View Page Source" feature?

I have made a simple password protected webpage that provides the link to another webpage when we enter the correct password but we can easily have the webadrress of other page by browsers "View Page Source" feature.So how we can overcome this?
The problem is that you are keeping your secret data on the client and client can easily reach it. So, the only posible way for you is to keep them on the server. But, as far as I understand you need help with server part. So here is small instruction with links to the documentation.
You will need:
Some backend that will take data from your users and returns some responce. I would suggest you to have a look into Node.Js as a platform with Express as a server. Benefit from this setup is that Node.Js uses JavaScript so you have not to learn additional language, and Express is a very simple server to use. Of course, if you want to learn some other languages - you can take C# with ASP.NET MVC framework, PHP or any other nice language.
Some page with form for user's credentials that will post data to your backend. Basic form behavior can be found here
And some code on server that will validate credentials from form and return new page with or without your secret.
That's it. May be it sound a bit scary but there are lots of guides and information your can google.
Hope this helps. Happy coding!
Btw, if you are lloking for the some ready code, I have Node.JS client/server example with TypeScript (JavaScript with type validation) here. All you need is git, hope you already have it, and Node.Js
Then just execute this commands on your console (bash, cmd, etc)
git clone https://github.com/Drag13/typescript-browserify-template
This will download code from remote server to your local machine
npm install
Installs project dependencies - like express server
npm run server
Starts the server
cd..
npm run client
Starts the client
Maybe you will find this helpfull.

Can a JavaScript library included in my HTML make a request to my site using my cookie session?

These days it's very common to include 3rd-party JS dependencies on your front-end project. Some ReactJS component, for example.
Is there anything that could prevent malicious code, bundled along my other dependencies and served by my own server, to, say, delete my account by making a simple AJAX call?
fetch("https://example.com/account", {
method: 'DELETE'
});
If so, does that mean we shouldn't be using cookies at all?
This is a general problem for all open source libraries, both on the backend and frontend.
If an attacker can add malicious code to your frontend, the attacker can do anything your code can do. So cookies or jwt or some other authentication mechanism doesn't really matter much. The attacker could add a backchannel and get control (check http://beefproject.com/ )
This is even worse on the backend, where using backdoored code could potentially lead to someone compromising your server or stealing all your database contents.
With this in mind, you should make sure you are using the right libraries and do some vetting. People have been publishing backdoored versions of common javascript libraries in npm. Example:
https://www.theregister.co.uk/2017/08/02/typosquatting_npm/

HTML coding to authenticate user in the websites

I am having a doubt regarding whether it is possible to authenticate the user with html coding? If it is, I want the html script to authenticate user in my website. Or it is enough to tell me the websites which is offering free user authentication.
with regards
Anand
password and username authentication using javascript is a very bad idea, anyone could just bypass it through your html file or js file. You should use PHP and PDO or mySqli in authenticating users.
HTML is not possible, how about OpenID?
You cannot use pure HTML to create an authentication system, and using client-side JavaScript is not a good idea, for security reasons. To make the authentication system reliable you would have to involve some kind of server-side language like ASP.NET, PHP, Ruby or similar.
If you don't want to do it your self, there are plenty of CMS solutions that has built-in authentication. You could either choose a hosted solution like Wordpress or you could pick any CMS solution you like and host it on your own.
Here are a few to choose from:
http://www.orchardproject.net/ (ASP.NET)
http://drupal.org/ (PHP)
http://wordpress.org/ (PHP)
Microsoft also offer a free hosting solution for Azure websites, where they offer a simple click-to-setup service for a large number of CMS solutions, including above mentioned.
HyperText Markup Language (HTML) is the main markup language for displaying web pages and other information that can be displayed in a web browser.
HTML is just used to output something for the users. You cannot make an authentication system with HTML.
The best and the easiest way of authenticating, is to combine HTML with PHP. You can also do it with any other server side programming language.
You can checkout PHP Login systems, which are very reliable. You can surely grab code snippets that you can use as is.

Running command with browser

I want to have a "control panel" on a website, and when a button is pressed, I want it to run a command on the server (my computer). The panel is to run different python scripts I wrote (one script for each button), and I want to run the panel on my Mac, my iPod touch, and my wii. The best way I see for this is a website, since they all have browsers. Is there a javascript or something to run a command on my computer whenever the button is pressed?
EDIT: I heard AJAX might work for server-based things like this, but I have no idea how to do that. Is there like a 'system' block or something I can use?
Here are three options:
Have each button submit a form with the name of the script in a hidden field. The server will receive the form parameters and can then branch off to run the appropriate script.
Have each button hooked to it's own unique URL and use javascript on the button click to just set window.location to that new URL. Your server will receive that URL and can decide which script to run based on the URL. You could even just use a link on the web page with no javascript.
Use Ajax to issue a unique URL to your server. This is essentially the same (from the server's point of view) as the previous two options. The main difference is that the web browser doesn't change what URL it's pointing to. The ajax call just directs the server to do something and return some data which the host web page can then do whatever it wants with.
On the client side (the browser), you can do it with the simplest approach. Just an html form. javascript would make it nicer for validation and to do ajax calls so the page doesnt have to refresh. But your main focus is handling it on the server. You could receive the form request in the language of your choice. If you are already running python, you could write a super fast cgi python script. Look at the cgi module for python. You would need to put this into the apache server on osx if thats where you will host it.
Unfortunately, your question about exactly how to write it is beyond the scope of a simple answer. But google for how to write and html form, or look at maybe jquery to build a quick form that can make ajax calls easily.
Then search for how to use the python cgi module and receive POST requests.
Javascript is basically for doing work in the browser (usually to render something nice for the end user to look at). What you want (as others have said already) is a way to connect an HTML form action to an action on the webserver "back end". And this is exactly (as RobG has pointed out) what CGI is for. An alternative to CGI which is quite popular with Apache users is mod_python - the difference is basically whether the "back end" operation runs as a standalone process (CGI) or inside a webserver process (mod_python), but for most basic applications your server side scripts don't need to care. And if you're in a shared hosting environment you may not have a choice - ask your sysadmin (or read your hosting service docs) to learn how best to run CGI scripts in this case.
Caveats:
You will probably need fairly elevated webserver admin access & expertise in order to get everything set up the way you want. You will at least need to be able (both in the sense of permissions and technical understanding) to view your webserver logs, edit your webserver configs and bounce (restart) your http service.
Whatever "back end" operations you want done will be done with the permissions/privileges of the webserver, which may not be the same as the permissions/privileges of the user account which you normally use to perform these operations. There are various ways around this (using custom daemons and/or sudo operations), but you really need to have a clear understanding with the webserver sysadmin (if the webserver is exposed to the Big Bad Internet) about how this is going to work before you deploy anything, otherwise you run the very real risk (especially if you are a noob) of making it possible for hackers to exploit your "command gateway" to hack the webserver.
Of course if you're just doing all this for fun on your personal laptop (there is an OSX tag on the question, after all), then you are the webserver sysadmin, and you're free to hack away and happily shoot yourself in the foot repeatedly while learning everything you need to know along the way, which is fine as long as you're not on a network. In this case, you may find this tutorial to be useful.

JavaScript Code Signing

How can a user, using one of the major modern browsers, know for sure that he is running my unmodified javascript code even over an untrusted network?
Here is some more info about my situation:
I have a web application that deals with private information.
The login process is an implementation of a password-authenticated key agreement in JavaScript. Basically during login, a shared secret key is established between the client and the server. Once the user logs in all communication with the server is encrypted using the shared key. The system must be safe against ACTIVE man-in-the-middle attacks.
Assuming that my implementation is correct and the user is smart enough not to fall victim to a phishing attack there remains just one large hole in the system: an attacker can tamper with my application as it is being downloaded and inject code that steals the password. Basically the entire system relies on the fact that the user can trust the code running on his machine.
I want something similar to signed applets but I would prefer a pure javascript solution, if possible.
Maybe I am misunderstanding your problem, but my first thought is to use SSL. It is designed to ensure that you're talking to the server you think you are, and that no one has modified the content midstream. You do not even have to trust the network in this case, because of the nature of SSL.
The good thing about this approach is that you can fairly easily drop it into your existing web application. In most cases, you can basically configure your HTTP server to use SSL, and change your http:// requests to https://.
This is an old, open question but the answers seemed to not do this justice.
https:// provides integrity, not true identification nor non-repudiation.
I direct you to http://www.matasano.com/articles/javascript-cryptography/
Don't do crypto in JS, because a malicious injected script can easily grab passwords or alter the library. SJCL is neat, but it offer a blatantly false sense of security (their quote, and quoted by above)
Unfortunately, this is not as great as in desktop applications
because it is not feasible to completely protect against code
injection, malicious servers and side-channel attacks.
The long-term issue is that JavaScript lacks:
Uniformly working const
The ability to make objects deeply const and not reprototypable.
Code-signing
// codesign: cert:(hex fingerprint) signature:(hex MAC)
Certs would be managed similar to CA certs. MAC would be used with appropriate sign/verify constructions.
Crypto, clipboard stuff are reasons to have JavaScript native plugins (signed, of course)
Getting JavaScript engines to all implement a standard is another thing, but it's doable an it's absolutely necessary to end a large swath of malware.
You could have an external Javascript file which takes an MD5 hash of your login JS, and sends an Ajax request to the server to verify that it is correct and up-to-date. Use basic security or encryption practices here - public/private keys or some other method to be sure that the response came from your server.
You can then confidently display to the user that the client-side scripts are verified, and allow the login script to proceed.

Categories