PHPers rejoice.. keep your JavaScript secure!


Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.


Post by Gen-ik »

I've been working on a way to do this for the last couple of days and then, while watching The Matrix Reloaded (again), it suddenly clicked.

You can use PHP and sessions() to keep your JavaScript code secure... check out the following files (my test files) to see how it's done.


PHP PAGE (set-up your session variable)

Code:

<?php
session_start();
// Arm the gate for this session: SCRIPT.php serves the JavaScript once
// while this flag is true. Set it on every page view, so a reload after
// the flag has already been used still gets the script.
$_SESSION['access'] = true;
?>

<html>
<head>

<script language="JavaScript" src="SCRIPT.php"></script>

</head>
</html>

JAVASCRIPT FILE aka SCRIPT.php

Code:

<?php
session_start();
// Serve the JavaScript only while the main page has armed the flag for
// this session; any other request for this file gets a blank page.
if (!empty($_SESSION['access'])) {
    header("Content-type: text/javascript");
?>

//any javascript can go in here
alert("woohoo it works at last!");

<?php
    // Close the window: the next direct request for this file gets nothing.
    $_SESSION['access'] = false;
}
?>

Now when the main page runs it will load the javascript file as it should.. however, when someone tries to access the script.php file directly in order to try and steal your code they won't be able to because it will just spit out a blank page.


I'm happy now :D

Hope it comes in useful for someone else.



PS. You may need to re-jig the code a little bit if your server doesn't allow global_variables to be used.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

However, can't they still steal your JavaScript if they do a view source on a page after it's loaded?....
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

No they can't.

When you include JavaScript using <script language="javascript" src="whatever.js"></script> then that line of code is shown in the page when someone views the page source... the javascript contained in the loaded file does not get displayed in the source.

Give it a try and you'll see what I mean.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Interesting.... However at some point the JS must be sent to the browser. At that point someone can capture it, but they may have to play around with either their cache or temp folders.

So this stops lazy thieves, but not slightly more sophisticated ones....
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

if they're looking through the temp/cache files, my guess is they do programming and they are trying to do something that you've done and want to fix their code, or that they're script kiddies


in the case of the former i think it's more likely that they'll e-mail you than look through the cache...and if you're here, i bet you'd help them fix their code :-P
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

nielsene wrote:Interesting.... However at some point the JS must be sent to the browser. At that point someone can capture it, but they may have to play around with either their cache or temp folders.

So this stops lazy thieves, but not slightly more sophisticated ones....

I've been trying to 'hack' this method of securing JavaScript files myself over the last hour just to check it out and so far haven't found a way around it. I guess the only time someone could get access to the 'secure' script is during the time that the session() variable is set and the time that the end of the included() file is reached.

This time window is very, very tiny, however, and it would close again before someone could access the 'secure' script directly.

It may not be 100% secure but it is the most secure way of doing it that I have found so far... and believe me I've been trying to secure JS files for years!
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

m3rajk wrote:if they're looking through the temp/cache files, my guess is they do programming and they are trying to do something that you've done and want to fix their code, or that they're script kiddies


in the case of the former i think it's more likely that they'll e-mail you than look through the cache...and if you're here, i bet you'd help them fix their code :-P

This is true, but helping someone out with a small bit of JavaScript and allowing some random person to get their hands on some hardcore JS code and functions that I have created myself are two different things.

If the code I have written is your average stuff found on most websites then I'm not bothered about people accessing it.. if I have spent hours (even days) writing custom code and dedicated functions for my websites, though, then I prefer people not to get their grubby mitts on it :)
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

understood and agreed.

it's also quite a different thing to help someone FIX their code than it is to write it for them. the former being a way of teaching, especially if you explain what's wrong instead of actually giving the code. (forcing them to display an understanding of the explanation to get it working)

but when they just take code....
or worse, expect you'll just write it when they ask for something (exception: they're paying you)....
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Nice idea, Gen-Ik. Another way to simply break your protection of JavaScript include files would be to rip the entire page, i.e. IE's "Save Entire Page" or Mozilla's "Save Entire Page" or Leech.
But as you say, it's a nice protection from casual cut'n pasters.

Personally, while I am not Richard Stallman, I do think code should be free. I have certainly learnt a great deal by looking at other people's code, freely available on the web.
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

patrikG wrote:Nice idea, Gen-Ik. Another way to simply break your protection of JavaScript include files would be to rip the entire page, i.e. IE's "Save Entire Page" or Mozilla's "Save Entire Page" or Leech.

Nope, doing that won't get you any closer to the 'secure' JavaScript either. If you try this you will find that the script file is saved as a .htm page but it doesn't contain any JavaScript.
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

I would find that very odd - usually all client-side includes are saved or leeched as well. Do you have something up I can test this on?
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Yep I've just set it up on-line if you want to check it out.

Point your browser to http://www.urbanchaos.net/test/
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Firebird shows a javascript error, IE saves everything, including the javascript-file my_script.php

containing:

Code:

alert("This alert comes to you from the secured JavaScript file.");
So, yes, your script offers some protection (as said above), but anyone who is a little bit determined can fetch it without problem.
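To make the thread's conclusion concrete, here is an added model of the two files from the first post (not code from the thread; a dict stands in for PHP's session store and `secrets` supplies cookie values). It shows the direct hit getting a blank response, the one-shot window closing after the include is served, and that any client presenting the cookie the main page handed out is served the script exactly as a browser is. It also reproduces the reload problem in the code as posted, where the flag is only set when it is not yet registered:

```python
# Model of the session-gated include from the first post: index.php arms a
# session flag, SCRIPT.php serves the JS once and clears it. Constructed
# example, not code from the thread; a dict stands in for PHP's session store.
import secrets

class Server:
    def __init__(self):
        self.sessions = {}  # cookie value -> $_SESSION contents

    def _session(self, cookie):
        # session_start(): resume the session named by the cookie, else start one
        if cookie not in self.sessions:
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = {}
        return cookie, self.sessions[cookie]

    def main_page(self, cookie=None, as_posted=False):
        # index.php. As posted, the flag is set only when not yet registered,
        # so a session whose flag was already used is never re-armed.
        cookie, sess = self._session(cookie)
        if not as_posted or "access" not in sess:
            sess["access"] = True
        return cookie, '<script src="SCRIPT.php"></script>'

    def script(self, cookie=None):
        # SCRIPT.php: JS only while the flag is set; the flag is cleared on use.
        cookie, sess = self._session(cookie)
        if not sess.get("access"):
            return cookie, ""  # direct hit or closed window: blank response
        sess["access"] = False
        return cookie, 'alert("woohoo it works at last!");'

def page_load(server, cookie=None, as_posted=False):
    """One page view: main page, then the include, both with the same cookie.
    Any HTTP client making these two requests gets what a browser gets; the
    gate checks session state, not who is asking."""
    cookie, _ = server.main_page(cookie, as_posted)
    _, js = server.script(cookie)
    return cookie, js

def second_fetch(server):
    """Re-requesting the include after it was served: the window has closed."""
    cookie, first = page_load(server)
    return first, server.script(cookie)[1]

def reload_as_posted(server):
    """Two page views with the code exactly as posted: the reload gets no JS."""
    cookie, first = page_load(server, as_posted=True)
    _, second = page_load(server, cookie, as_posted=True)
    return first, second
```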
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

That's odd because it's not downloading the JavaScript when I try it.. which version of IE are you using and which platform (PC/MAC) ?
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

IE 5 on Windows 98. Mozilla saved the "secured" version, only containing the text "you are not allowed...".
I guess it's a difference in how the different browsers access it. I believe that IE saves from its temp folder, while Mozilla either requests the page anew or tries to download each part separately.

Have you tried

Code:

header("Cache-control: private");
That may help.