The idea for this technique came from Jonathan Brazil.
Before anyone enters the protected page you show a page with a form where the user enters his name and password. When this form is submitted the browser takes you to a page with a name derived from these fields. This page contains a META element that sends the browser to the protected page.
The advantage for this solution over the second one is that the valid userid's and passwords aren't stored inside the script itself. The disadvantage is that you must create an in-between page for every valid userid/password combination.
This is the page where the user enters his/her userid and password:
When the button is used you are sent to a page called:
check + [userid] + [password] + .html
For example, entering "rob" and "secret" will try to load the page called
checkrobsecret.html (try it now and see it work).
This page must exist on the server and must redirect the user to the protected page. If the user enters a non-valid combination the browser tries to load a page that doesn't exist and the server will return an error message (404 Not Found).
You don't have to set up a separate page for everyone you want to allow access, you could create a fixed number of pages and give one combination to someone you allow access.
By using a prefix for all the pages that are used as a protection, like
check you can keep a better overview of the valid combinations.
Back to the FAQ main page