919

Logging into WorldClient without data embedded in the URL

Security Warning: Don’t do this. Storing username and password information in easily parsable text files on a server is a bad idea. Embedding those pieces of information into a web page is a worse idea. There’s a reason why you want super-secure authentication mechanisms in place. That being said, we get enough requests for this that I’m writing it up. We have a few other mechanisms on the wishlist.

There are two related methods demonstrated below; they differ in how they’re combined for markup compatibility. The first uses JavaScript to submit the form and therefore allows you to place the submission form anywhere in the page rather than trying to cram it into another form. The second requires that you embed the login link inside the form. Your use case may vary.

Method 1: JavaScript

<!DOCTYPE html>
<html>
    <head>
        <title>WorldClient Logon Method 1</title>
    </head>
    <body>
        <!--
            We'll put the form at the bottom of the page, but for now we'll add a
            link to WorldClient into a list of links, but the form could be placed
            anywhere
         -->
        <ul>
            <li><a href='#' onclick="document.forms['webmail'].submit();return false;">Webmail Logon</a></li>
            <li><a href='http://www.altn.com'>Alt-N Technologies</a></li>
        </ul>

        <!--
            This is just like the WorldClient logon form, only we've pre-populated
            the data.  You will need to change your action to point to the proper
            URL.  It would be best to be using SSL.
        -->
        <form method='post' name='webmail' action='http://localhost:3000/WorldClient.dll?View=Main'>
            <!-- replace the username field's value with that of the username you have from your highly unsecure database/file -->
                <input type='hidden' name='User' value='randy@company.mail' />
            <!-- replace the password field's value with that of the password you have from your highly unsecure database/file -->
                <input type='hidden' name='Password' value='1111Aa' />
            <!-- submit the form with the Logon command, it's the right thing to do -->
                <input type='hidden' name='Logon' value="Because it's the right thing to do" />
        </form>
    </body>
</html>

Method 2: Jammed Form

This method does NOT require JavaScript, but it does require CSS.

<!DOCTYPE html>
<html>
    <head>
        <title>WorldClient Logon Method 2</title>
        <style>
            *{font-family: Helvetica, Arial, Sans-serif;}
            /* style the form to hide it from messing with layout */
            .webmail-logon, .webmail-logon input{display: inline;white-space: normal;}
            .webmail-logon .logon-as-link
            {
                border: 0px none;
                background:transparent;
                color: blue;
                text-decoration: underline;
                line-height: 1em;
                height: 1.25em;
                font-size: 1em;
                padding: 0px;
                margin: 0px;
            }
        </style>
    </head>
    <body>
        <!--
            We'll put the form INLINE, but for now we'll add a
            link to WorldClient into a list of links, but the form could be placed
            anywhere
         -->
        <ul>
            <li><a href='http://www.altn.com'>Alt-N Technologies</a></li>
            <!--
                This is just like the WorldClient logon form, only we've pre-populated
                the data. You will need to change your action to point to the proper
                URL. It would be best to be using SSL. We've made it one line to help reduce layout issues in older browsers
                1) replace the username field's value with that of the username you have from your highly unsecure database/file
                2) replace the password field's value with that of the password you have from your highly unsecure database/file
                3) You can change the 'link' text by adjusting the value field of the submit element
            -->
            <li><form class='webmail-logon' method='post' name='webmail' action='http://localhost:3000/WorldClient.dll?View=Main'><input type='hidden' name='User' value='randy@company.mail' /><input type='hidden' name='Password' value='1111Aa' /><input type='submit' class='logon-as-link' name='Logon' value='Webmail' /></form></li>
        </ul>

       
    </body>
</html>

Additional Comments

Note: This setup is not supported by technical support, and those who choose to run it must be aware of all the security issues and ramifications of configuring it.
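
For administrators who need to find where this pattern has been deployed, the following added example (not part of the original article or of Alt-N's code) scans HTML for forms that carry a pre-filled password field and flags those whose action is plain `http://`. The list of password-like field names and the sample page with placeholder credentials are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of field names to treat as passwords; extend for your own pages.
PASSWORD_NAMES = {"password", "pass", "pwd"}

class EmbeddedLogonAudit(HTMLParser):
    """Collect every form that ships with a password value already filled in."""
    def __init__(self):
        super().__init__()
        self.findings = []   # one dict per offending form
        self._form = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": []}
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            is_pw = name in PASSWORD_NAMES or (a.get("type") or "").lower() == "password"
            # An empty password box is a normal logon form; a pre-filled one is a secret in the page.
            if is_pw and a.get("value"):
                self._form["fields"].append(a.get("name"))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["fields"]:
                # Relative actions inherit the page's scheme, so only an explicit http:// is flagged.
                self._form["cleartext"] = urlparse(self._form["action"]).scheme == "http"
                self.findings.append(self._form)
            self._form = None

def audit(html_text):
    """Return a list of findings for one HTML document."""
    parser = EmbeddedLogonAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample modeled on Method 2, with placeholder credentials.
SAMPLE = """<ul><li><form method='post' action='http://mail.example.test/WorldClient.dll?View=Main'>
<input type='hidden' name='User' value='user@example.test' />
<input type='hidden' name='Password' value='PLACEHOLDER' />
<input type='submit' name='Logon' value='Webmail' /></form></li></ul>
<form method='post' action='/login'><input type='password' name='Password' /></form>"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("embedded credential in form ->", f["action"], f["fields"],
              "(sent in cleartext)" if f["cleartext"] else "")
```

Run it over the files in your web root or over saved copies of intranet pages; any finding means a credential is readable by anyone who can view the page source.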