Javascript Disabled Redirect?

Report · Oct 12, 2007

Background:
I am using IIS 5 with Microsoft Access DB. Im coding ASP/Javascript.

I currently have a login.asp page which handles Username and Password Authentication. No Javascript functions are on this page. I do have a script that detects if their browser has javascript disabled.

i.e.

<noscript><p><span style="color:#FFFFFF; font-weight:bold; padding:2px; background-color:#FF0000">This site requires javascript to be enabled.<br />If you do not enable javascript in your browser settings, some functions will not work properly.</span></p></noscript>
</div>

This is all fine and dandy but it doest affect the user from proceeding once they put in their username and password. Once they are authenticated, the user is redirected to a index.asp page.

After my login.asp page, I have several pages within my site which I do use javascript for some of my functions.

So, how do I prevent my user from proceeding past my login.asp page if their browser has javascript disabled.

I thought of changing my login.asp to have the NOSCRIPT tag to have a redirect to another login1.asp page, but if a malicious attacker looked at the source page of login.asp, it would no how to bypass my NOSCRIPT redirect tage and go straight into my login1.asp page thus still enable them to login in with javascript disabled.

Should I recode my login page to use a javascript function before continuing? if so what would you suggest?

Thanks in advance.

Report · Oct 12, 2007

Make the login link point to a NO JAVASCRIPT page, that has a javascript
redirect on it to the login page. If javascript is disabled, they never get
to the login page.

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================

"chazter6" <webforumsuser@macromedia.com> wrote in message
news:feo5sr$5jo$1@forums.macromedia.com...
> Background:
> I am using IIS 5 with Microsoft Access DB. Im coding ASP/Javascript.
>
> I currently have a login.asp page which handles Username and Password
> Authentication. No Javascript functions are on this page. I do have a
> script
> that detects if their browser has javascript disabled.
>
> i.e.
>
> <noscript><p><span style="color:#FFFFFF; font-weight:bold; padding:2px;
> background-color:#FF0000">This site requires javascript to be enabled.<br
> />If
> you do not enable javascript in your browser settings, some functions will
> not
> work properly.</span></p></noscript>
> </div>
>
>
> This is all fine and dandy but it doest affect the user from proceeding
> once
> they put in their username and password. Once they are authenticated, the
> user
> is redirected to a index.asp page.
>
> After my login.asp page, I have several pages within my site which I do
> use
> javascript for some of my functions.
>
> So, how do I prevent my user from proceeding past my login.asp page if
> their
> browser has javascript disabled.
>
> I thought of changing my login.asp to have the NOSCRIPT tag to have a
> redirect
> to another login1.asp page, but if a malicious attacker looked at the
> source
> page of login.asp, it would no how to bypass my NOSCRIPT redirect tage and
> go
> straight into my login1.asp page thus still enable them to login in with
> javascript disabled.
>
> Should I recode my login page to use a javascript function before
> continuing?
> if so what would you suggest?
>
> Thanks in adance.
>

Report · Oct 12, 2007

quote:

Originally posted by: Murray *ACE*
Make the login link point to a NO JAVASCRIPT page, that has a javascript
redirect on it to the login page. If javascript is disabled, they never get
to the login page.

I have thought of that, but if I think this through, the NO Javascript page's source code can show the user where the redirect is going. That so called "Malicious user" could still then input directly in the browser my logon.asp page with Javascript disabled, thus still able to login.

Report · Oct 12, 2007

.oO(chazter6)

> Should I recode my login page to use a javascript function before continuing?
>if so what would you suggest?

My suggestion - make the site work _without_ JavaScript.

Micha

Report · Oct 12, 2007

quote:

Originally posted by: Michael Fesser
My suggestion - make the site work _without_ JavaScript.

So far, I havnt had any complaints from users because they want to use the site without javascript enabled. But, I do want to cover my basis just in case, if for some reason they turn it off. I want to prevent them from going into my site. For now, it would take me awhile to rewrite and do away with thses javascript functions so the site wont be so dependent. As time goes by, I am learning when to use javascript and not too. Unfortunately this site I am referring to is an old one for the company I work for.

Report · Oct 12, 2007

On the login page you could use a javascript function to write a value to a
hidden box. In ASP you could detect, after the login, that value to
determine if the browser had javascript enabled.

--
Jules
http://www.charon.co.uk/charoncart
Charon Cart 3
Shopping Cart Extension for Dreamweaver MX/MX 2004

Report · Oct 12, 2007

quote:

Originally posted by: Julian Roberts
On the login page you could use a javascript function to write a value to a
hidden box. In ASP you could detect, after the login, that value to
determine if the browser had javascript enabled.

That is a idea, but what can I define in the javascript function that can be passed onto a hidden field that the malicious user cant figure out to bypass it. If I define it in a javascript function, the source code will tell the "Malicious User" what is my goal for that hidden field. But if I can figure out something to pass, then the index.asp page can look for that value and if it doesnt match, I will use a RESPONSE.REDIRECT. What would you suggest?

Report · Oct 13, 2007

Sometimes, for certain functionality, there is no alternative but to use
Javascript Michael. If you need that sort of functionality then you MUST use
Javascript. Besides, there are plenty of very large and established sites
that make good use of Javascript. If you write off Javascript then you also
write off related technologies such as AJAX.

Pat.

"Michael Fesser" <netizen@gmx.de> wrote in message
news:s79vg394tmahb424cjqjdp5v20armfapt6@4ax.com...
> .oO(chazter6)
>
>> Should I recode my login page to use a javascript function before
>> continuing?
>>if so what would you suggest?
>
> My suggestion - make the site work _without_ JavaScript.
>
> Micha

Report · Oct 13, 2007

.oO(Pat Shaw)

>Sometimes, for certain functionality, there is no alternative but to use
>Javascript Michael.

IMHO most really important things can also be done with server-side
scripts if JS is not available. It will often be much slower and more
complex, but it's possible. I'm not talking about such stuff like "Spry"
effects, scrolling or fading images and such - these are only eye candy.
If they are not there, the site can still work. It's the most basic
functionality of a site that shouldn't entirely rely on JS, because
there's always a non-JS alternative (at least I haven't seen anything
yet that would not have been possible in a similar way without JS).

>If you need that sort of functionality then you MUST use
>Javascript. Besides, there are plenty of very large and established sites
>that make good use of Javascript. If you write off Javascript then you also
>write off related technologies such as AJAX.

No question, AJAX can make many things much more convenient and easier
to use, but after all it just sends another request to the server and
fetches some data. Nothing special. Server-side scripts could often do
the same work and already deliver the final page.

Take for example some map services like Google Maps (even if this is a
rather bad example). It's quite common to use AJAX techniques, so the
user is able to seamlessly drag the whole map around, while the script
automatically loads the next required tiles in the background. Quite
nice of course. But this is nothing that would really require JS. The
better services also provide a non-JS alternative - you just have to
click a link to move the map one or more tiles in any direction. Then
the server sends the new page back. Not as nice and convenient as the
JS-version, but still completely usable.

And that's my whole point: JS yes - for additional features or to
improve the usability, but not a requirement to make the site work.

YMMV.

Micha

Report · Oct 14, 2007

>And that's my whole point: JS yes - for additional features or to
>improve the usability, but not a requirement to make the site work.

Yes, I agree 100%. The problem is that in most cases by providing the extra
functionality, you automatically make the site reliant on it. Either that or
the user experience is crap because the site appears to be broken. I think
you really have to decide to go with JS or not go with JS and adhere to your
choice throughout the entire site.

"Michael Fesser" <netizen@gmx.de> wrote in message
news:pif1h359e9a1sq7nfrs0gbn2i02pqucm0a@4ax.com...
> .oO(Pat Shaw)
>
>>Sometimes, for certain functionality, there is no alternative but to use
>>Javascript Michael.
>
> IMHO most really important things can also be done with server-side
> scripts if JS is not available. It will often be much slower and more
> complex, but it's possible. I'm not talking about such stuff like "Spry"
> effects, scrolling or fading images and such - these are only eye candy.
> If they are not there, the site can still work. It's the most basic
> functionality of a site that shouldn't entirely rely on JS, because
> there's always a non-JS alternative (at least I haven't seen anything
> yet that would not have been possible in a similar way without JS).
>
>>If you need that sort of functionality then you MUST use
>>Javascript. Besides, there are plenty of very large and established sites
>>that make good use of Javascript. If you write off Javascript then you
>>also
>>write off related technologies such as AJAX.
>
> No question, AJAX can make many things much more convenient and easier
> to use, but after all it just sends another request to the server and
> fetches some data. Nothing special. Server-side scripts could often do
> the same work and already deliver the final page.
>
> Take for example some map services like Google Maps (even if this is a
> rather bad example). It's quite common to use AJAX techniques, so the
> user is able to seamlessly drag the whole map around, while the script
> automatically loads the next required tiles in the background. Quite
> nice of course. But this is nothing that would really require JS. The
> better services also provide a non-JS alternative - you just have to
> click a link to move the map one or more tiles in any direction. Then
> the server sends the new page back. Not as nice and convenient as the
> JS-version, but still completely usable.
>
> And that's my whole point: JS yes - for additional features or to
> improve the usability, but not a requirement to make the site work.
>
> YMMV.
>
> Micha

Report · Oct 17, 2007

I had a user from another forum help me with a solution.

This will solve my dilemma.

< form action="redirect_nojs.htm" method="post">

<input type="submit" value="Proceed with login" onclick="this.form.action='validate_js.asp';">
</form>

My validate_js.asp will check javascript functionality again. If they stop the submit form process to my validate_js.asp and turn off javascript, it checks for javascript disabled again and if it is not disabled, I have an ASP Response.Redirect to take them into my index.asp page, otherwise take them to the redirect_nojs.htm. Then all my pages within my site has a <noscript> tag which checks for disabled javascript function and does a redirect to my redirect_nojs.htm page which states that they must have Javascript enabled.

I appreciate everyone's insight on the use of Javascripting in my functions. Now I know the difference of using for enhancement. As I recode this site, it wont be dependent on it. I will use server-side validation on my form variables.