I’ve made a simple web application where a lot of things is done without refreshing a window. Now I faced a problem which I haven’t realized before. If I won’t find a solution, I’ll have to redesign the whole app which will take a lot of time and probably kill some coolness of using it. Ouch. Ok, back to the problem.
To reveal – let’s say – the “secret” part of the site, the user has to input a kind of… password and click “Confirm”. But I don’t have an idea how to store the password to prevent the user from reading it, for example in the source of the site.
At present, I use mysql database – I connect with it, read the password in PHP and store it in global javascript variable. But it’s of course readable after entering the source.
Is it possible to do such a thing? Is it possible to secretly check the password without having to refresh the site and checking it with PHP?
I commend you for asking before implementing. Too few people seem to do that these days.
First off, believe it or not, you don’t want to actually store the password anywhere. You want to use something called a salted hash instead. Using this technique, you end up with a random-ish looking code which is based on the password, and can be used to verify that the user has the password they say they have.
Second, you’re going to want to use an Ajax request to perform this check for you in Javascript. I prefer using the JQuery library for this, because it provides a really nice, cross-platform, tested, easy to use wrapper over Javascript which makes stuff like this easily.