Here's a little brain teaser for you all.

A client wants a secure members only area of thier website with username/password access control, however the sites web host does not support any form of server side scripting or htaccess and to complicate matters further the client will not or cannot move host.

How would you code it?

6 Years
Discussion Span
Last Post by Airshow


passwords can be md5 hashed and only the md5 is sent to the browser, to be compared with a generated md5 of what the user enters,

it can always be spoofed
I agree with twiss impossible


Access to any site is dependant on somebodies server, with the amount of redundancy in the Yahoo network this makes them more reliable not less.

As for your skepticism it's understandable, remember the Pipe being used in the demo initially was for educational purposes. However just for you have now tweeked it and reset the passwords, feel free to take another hack at it.

PS: using a script to brute-force or dictionary attack the input fields is possible, there is however a 200 requests per IP limit imposed by Yahoo and a 1 hour block if these are breeched.

Edited by Sogo7: n/a


Assuming a nine character password that's roughly 2,088,270,645,760 combinations and you can only try 200 attempts every 600 seconds. You might want to get a calculator!

As for the scalability I don't see any problem. Remember this has been built using a service intended for creating RSS mashups so there are some things it will not let you do lol


Sure, but that's not my point. You shouldn't need to impose such limits, it shows that this is not really a secure solution.


Surely, these limits are not the issue. It's the involvement of a 3rd party in the provision of a "security layer".

That said, this is something I was unaware of, so I am grateful for the post.


Edited by Airshow: n/a

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.