Here's a little brain teaser for you all.

A client wants a secure members only area of thier website with username/password access control, however the sites web host does not support any form of server side scripting or htaccess and to complicate matters further the client will not or cannot move host.

How would you code it?

Recommended Answers

All 9 Replies

I wouldn't code anything. It's impossible.


passwords can be md5 hashed and only the md5 is sent to the browser, to be compared with a generated md5 of what the user enters,

it can always be spoofed
I agree with twiss impossible

access dependent on

secure fits into this description precisely where?

Access to any site is dependant on somebodies server, with the amount of redundancy in the Yahoo network this makes them more reliable not less.

As for your skepticism it's understandable, remember the Pipe being used in the demo initially was for educational purposes. However just for you have now tweeked it and reset the passwords, feel free to take another hack at it.

PS: using a script to brute-force or dictionary attack the input fields is possible, there is however a 200 requests per IP limit imposed by Yahoo and a 1 hour block if these are breeched.

Well, these limits show that this method is not secure, nor scalable.

Assuming a nine character password that's roughly 2,088,270,645,760 combinations and you can only try 200 attempts every 600 seconds. You might want to get a calculator!

As for the scalability I don't see any problem. Remember this has been built using a service intended for creating RSS mashups so there are some things it will not let you do lol

Sure, but that's not my point. You shouldn't need to impose such limits, it shows that this is not really a secure solution.

Surely, these limits are not the issue. It's the involvement of a 3rd party in the provision of a "security layer".

That said, this is something I was unaware of, so I am grateful for the post.


Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.