Password Protection Using JavaScript

Stephen Yagielowicz

Sometimes you may wish to allow friends, sponsors, and other visitors who are not "members" to enter your protected member's area without having to 'join' your site. While most pay sites can easily setup 'guest accounts,' AVS sites (among others) are not as fortunate. Here's an easy solution with many intriguing possibilities:

Whether you want to allow a sponsor or content provider access to your protected content area for program compliance verification, or a reviewer to evaluate your design, or you just want to give your friends free porn, there are many times when having a 'reasonably' secure gateway can come in handy. I have used this simple method in the past for all of the above reasons, as well as to protect 'under construction' or 'Beta' areas of my projects, as well as online 'admin' and 'stats' areas within my various operations.

Builders of AVS sites are one group of Adult Webmasters who will doubtless see the value of this approach, since they usually have only one 'master password' and may be quite reluctant to reveal it for any of the above purposes, as it usually gives the user access to your AVS stats and admin functions, plus a level of 'involvement' that is the rough equivalent of 'sysadmins' doling out 'root' access to everyone: Since many Adult Webmasters do not implement .htaccess-based directory protection, simply handing out the member's area URL is by far the easiest option, but making a more attractive and professional looking 'guest pass' page is a much better approach.

The Problem (and Solution) when Using JavaScript
While JavaScript based security implementations are at best 'limited' in their efficiency, there are times when they pose the best option, and if done correctly, can provide a major stumbling block for would-be intruders. Many if not most of the implementations that I have seen embedded the password within the script itself, and used a simple comparison of the entered value with the embedded value to allow or deny access. The main problem with this approach is that a simple 'view source' will reveal the gateway page's underlying HTML, including the password itself.

My approach does not include the password within any of the HTML code, and it even allows for multiple passwords that will provide access to different pages. How? The code takes the entered value, and tacks on a file extension (like '.htm' '.html' or '.php' etc.) before redirecting the visitor to the specified page. Flexible and cunning, the use of 'real' passwords for page names such as "a0032P.html" rather than "members.html" will add a tremendous level of enhanced security to this approach, since any 'guessed' name will result in access to pages with that name.

The possibilities are many, the code, simple:


SCRIPT language="JavaScript"

!--- JavaScript Gateway

function gateway() {

var password = document.gate.password.value;
var location=password + ".html";
this.location.href = location;


// JavaScript Gateway ---



FORMname="gate" TABLE align=center border=0 TR
TD INPUT type="password" name="password" size=20 /TD
TD INPUT type="button" value="ENTER" name="enter" onclick="gateway()" /TD

/BODY /HTML There are many interesting uses for this script, and a little experimentation can go a long way.

Realize that any 'wrong' (or failed) entries will generate a '404' error, and so you should always include an .htaccess redirect based on this. You should also be aware that since this client-side approach does require JavaScript to be enabled on the visitor's end, not everyone will be able to use it (although the vast majority will). There are many interesting uses for this script, and a little experimentation can go a long way.

Sure, this type of approach could also be easily (and more robustly) done using php, but not all ISPs (and especially not all free hosts) support this server-side technology, and the way I did it is an easy method for anyone to implement. If you have any questions or comments on the use or abuse of this script, then click on the link below: ~ Stephen