
PHPers rejoice.. keep your JavaScript secure!

Posted: Sat Aug 02, 2003 2:07 pm
by Gen-ik
I've been working on a way to do this for the last couple of days and then while watching The Matrix Reloaded (again) it suddenly clicked.

You can use PHP and sessions() to keep your JavaScript code secure... check out the following files (my test files) to see how it's done.


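PHP PAGE (set up your session variable)

Code:

<?php
session_start();
// $_SESSION replaces session_register()/register_globals (removed in PHP 5.4).
// SCRIPT.php clears the flag after each use, so re-arm it whenever it is not set.
if (empty($_SESSION['access']))
{
$_SESSION['access'] = true;
}
?>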

<html>
<head>

<script language="JavaScript" src="SCRIPT.php"></script>

</head>
</html>

JAVASCRIPT FILE aka SCRIPT.php

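Code:

<?php
session_start();
// Only serve the script if the main page armed the flag for this session.
if (!empty($_SESSION['access']))
{
header("Content-type: text/javascript");
?>

//any javascript can go in here
alert("woohoo it works at last!");

<?php
// One-time use: clear the flag so a later direct request gets a blank page.
$_SESSION['access'] = false;
}
?>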

Now when the main page runs it will load the javascript file as it should.. however, when someone tries to access the script.php file directly in order to try and steal your code they won't be able to because it will just spit out a blank page.


I'm happy now :D

Hope it comes in useful for someone else.



PS. You may need to re-jig the code a little bit if your server doesn't allow global_variables to be used.

Posted: Sat Aug 02, 2003 2:10 pm
by nielsene
However, can't they still steal your JavaScript if they do a view source on a page after it's loaded?....

Posted: Sat Aug 02, 2003 2:33 pm
by Gen-ik
No they can't.

When you include JavaScript using <script language="javascript" src="whatever.js"></script> then that line of code is shown in the page when someone views the page source... the javascript contained in the loaded file does not get displayed in the source.

Give it a try and you'll see what I mean.

Posted: Sat Aug 02, 2003 2:48 pm
by nielsene
Interesting.... However at some point the JS must be sent to the browser. At that point someone can capture it, but they may have to play around with either their cache or temp folders.

So this stops lazy thieves, but not slightly more sophisticated ones....

Posted: Sat Aug 02, 2003 3:13 pm
by m3rajk
if they're looking through the temp/cache files, my guess is they do programming and they are trying to do something that you've done and want to fix their code, or that they're script kiddies


in the case of the former i think it's more likely that they'll e-mail you than look through the cache...and if you're here, i bet you'd help them fix their code :-P

Posted: Sat Aug 02, 2003 4:29 pm
by Gen-ik
nielsene wrote: Interesting.... However at some point the JS must be sent to the browser. At that point someone can capture it, but they may have to play around with either their cache or temp folders.

So this stops lazy thieves, but not slightly more sophisticated ones....

I've been trying to 'hack' this method of securing JavaScript files myself over the last hour just to check it out and so far haven't found a way around it. I guess the only time someone could get access to the 'secure' script is during the time that the session() variable is set and the time that the end of the included() file is reached.

This time-window is very very tiny however and it would close again before someone would access the 'secure' script directly.

It may not be 100% secure but it is the most secure way of doing it that I have found so far... and believe me I've been trying to secure JS files for years!

Posted: Sat Aug 02, 2003 4:33 pm
by Gen-ik
m3rajk wrote: if they're looking through the temp/cache files, my guess is they do programming and they are trying to do something that you've done and want to fix their code, or that they're script kiddies


in the case of the former i think it's more likely that they'll e-mail you than look through the cache...and if you're here, i bet you'd help them fix their code :-P

This is true, but helping someone out with a small bit of JavaScript and allowing some random person to get their hands on some hardcore JS code and functions that I have created myself are two different things.

If the code I have written is your average stuff found on most websites then I'm not bothered about people accessing it.. if I have spent hours (even days) writing custom code and dedicated functions for my websites though then I prefer people not to get their grubby mitts on it :)

Posted: Sat Aug 02, 2003 6:32 pm
by m3rajk
understood and agreed.

it's also quite a different thing to help someone FIX their code than it is to write it for them. the former being a way of teaching, especially if you explain what's wrong instead of actually giving the code. (forcing them to display an understanding of the explanation to get it working)

but when they just take code....
or worse, expect you'll just write it when they ask for something (exception: they're paying you)....

Posted: Sat Aug 02, 2003 6:56 pm
by patrikG
Nice idea, Gen-Ik. Another way to simply break your protection of javascript include-files would be to rip the entire page, IE "Save Entire Page" or Mozilla's "Save Entire Page" or Leech.
But as you say, it's a nice protection from casual cut'n pasters.

Personally, while I am not Richard Stallman, I do think code should be free. I have certainly learnt a great deal by looking at other people's code, freely available on the web.

Posted: Sat Aug 02, 2003 7:06 pm
by Gen-ik
patrikG wrote: Nice idea, Gen-Ik. Another way to simply break your protection javascript include-file would be to rip the entire page, IE "Save Entire Page" or Mozilla's "Save Entire Page" or Leech.

Nope, doing that won't get you any closer to the 'secure' JavaScript either. If you try this you will find that the script file is saved as a .htm page but it doesn't contain any JavaScript.

Posted: Sat Aug 02, 2003 7:12 pm
by patrikG
I would find that very odd - usually all client-side includes are saved or leeched as well. Do you have something up I can test this on?

Posted: Sat Aug 02, 2003 7:32 pm
by Gen-ik
Yep I've just set it up on-line if you want to check it out.

Point your browser to http://www.urbanchaos.net/test/

Posted: Sat Aug 02, 2003 7:42 pm
by patrikG
Firebird shows a javascript error, IE saves everything, including the javascript-file my_script.php

containing:

Code:

alert("This alert comes to you from the secured JavaScript file.");

So, yes, your script offers some protection (as said above), but anyone who is a little bit determined can fetch it without problem.
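
An added example, not part of the original thread: an in-memory model of the one-time session gate, showing which requests it actually refuses. The `$store` array, the function names and the session ids are constructed for illustration and stand in for PHP's real session handling.

```php
<?php
// Added example: in-memory model of the thread's one-time session gate.
// $store stands in for server-side session storage; session ids are constructed.

const SECRET_JS = 'alert("woohoo it works at last!");';

/** Main page: arm the flag for this session and return the session id (the cookie). */
function request_page(array &$store, ?string $sid): string
{
    $sid = $sid ?? ('sess-' . (count($store) + 1));   // constructed session id
    $store[$sid]['access'] = true;
    return $sid;
}

/** SCRIPT.php: serve the JavaScript once if the flag is armed, else an empty body. */
function request_script(array &$store, ?string $sid): string
{
    if ($sid === null || empty($store[$sid]['access'])) {
        return '';                                    // blank page
    }
    $store[$sid]['access'] = false;                   // one-time use
    return SECRET_JS;
}

$store = [];

// 1. Direct request with no session cookie: blank, as the first post describes.
$direct = request_script($store, null);

// 2. A client that loads the page and returns the cookie receives the full source.
//    The server cannot tell a rendering browser from a client that keeps the bytes.
$sid = request_page($store, null);
$viaSession = request_script($store, $sid);

// 3. Repeating the script request afterwards is blank again (flag consumed).
$replay = request_script($store, $sid);

var_dump($direct === '', $viaSession === SECRET_JS, $replay === '');
```

The gate only checks that the session loaded the main page a moment earlier; it places no limit on what the receiving client does with the response body, which is why code that must stay private has to run on the server.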

Posted: Sat Aug 02, 2003 7:48 pm
by Gen-ik
That's odd because it's not downloading the JavaScript when I try it.. which version of IE are you using and which platform (PC/MAC) ?

Posted: Sat Aug 02, 2003 7:55 pm
by patrikG
IE 5 on Windows 98. Mozilla saved the "secured" version, only containing the text "you are not allowed...".
I guess it's a difference in how the different browsers access it. I believe that IE saves from its temp-folder, while Mozilla requests the page either new or tries to download each part separately.

Have you tried

Code:

header("Cache-control: private");

That may help.