1

I run a website which includes several radio streams. I have set up Icecast to request an .htaccess account in order to authenticate and start streaming. There is the same account for all streams. I submit the form (it is hidden via CSS) with jQuery once the page loads so the user does not have to know the account nor submit the form.

The problem is that form information are being revealed if user views source. Is there any way to hide this information? Searching the internet, what most people say is that this is not possible because the browser needs to be able to clearly read this information in order to function properly. Does anyone know any way, if it is possible?

Funk Forty Niner
ArgGeo
  • it's not possible imo, and even if you magically found a way to disable the viewing of the source code which shows this info you would not be able to disable a viewer from sniffing the packet and determining what they are posting to you. – skrilled Mar 24 '14 at 18:18
  • You could simply encrypt and decrypt the values. – larsAnders Mar 24 '14 at 18:19
  • @larsAnders if the encrypted value is just passed back for authentication unchanged, then it might as well not be encrypted at all and you're left with the same problem. – Sammitch Mar 24 '14 at 18:21
  • @skrilled I know I cannot prevent users to view source. Most of my visitors are coffee shop owners with limited knowledge about webpages. I do not need security to prevent hackers but just to be a little bit more safe. I pay a lot for streaming bandwidth and don't want them to get the source and stream without paying. – ArgGeo Mar 24 '14 at 18:22
  • Each user should have their own set of credentials for authentication, and then it doesn't matter if they view the source of the page. – Sammitch Mar 24 '14 at 18:23
  • You said "The problem is that form information are being revealed if user views source. " but also "I know I cannot prevent users to view source"..... which is it? – Digital Chris Mar 24 '14 at 18:23
  • You can obfuscate the JavaScript code. And you can even [go crazy about it](http://stackoverflow.com/questions/22588223/how-does-this-magic-javascript-work). –  Mar 24 '14 at 18:29
  • @Sammitch Afaik if you close your browser, htaccess credentials are being deleted. Since you are not a registered member at this moment, no forms will be submitted, resulting in no credentials being stored. – ArgGeo Mar 24 '14 at 18:30

3 Answers

1

I ended up creating the form (`document.createElement`) on page load with jQuery, submitting it (`.trigger("click")`) and then removing it (`.remove()`). In addition, I obfuscated the jQuery code with the tool found here, Crazy Obfuscation, as @André suggested. That way the user cannot see the htaccess username and password in Page Source nor find it using "inspect element" or Firebug.

Community
ArgGeo
0

Personally, I need a bit more information to clearly deduce a solution for your issue; I hope you can give me that.

However, have you tried simply `.remove()`ing the form after submission? That way it gets submitted on page load and then gets removed, so by the time the page loads and the user clicks view source, he will not be able to see it. He can, of course, disable JS for example, or use any other workaround, but this is a very quick fix with the amount of information we have.

ndee
  • Thanks a lot for your answer. This is a quick and easy solution. My customers are not web experts so this JavaScript disabling thing is not a big issue. Streaming from my webpage is temporary since I am going to hire a programmer to make a cross-OS application and nobody will be able to view source and passwords. – ArgGeo Mar 24 '14 at 18:27
  • using jQuery to remove the form will _not_ remove it from the viewable source, just from the DOM. – GriffeyDog Mar 24 '14 at 18:51
-1

You cannot directly hide values in 'view source'. Similarly, when the form is being submitted, using tools like 'Fiddler' the user could view the values. If you want to really hide them, what you can do is never have those values show in the form. You could try techniques like encrypting those values on the server or something, if it never needs to be displayed to the user in the web page.

Kalyan
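Added example, not part of any post above: one way to act on the "each user should have their own set of credentials" comment and the "never have those values show in the form" point. The server hands each logged-in listener a short-lived HMAC-signed token, so whatever appears in page source belongs to one user, one stream and a few minutes. All names (`issueToken`, `verifyToken`, the secret, the user and mount ids) are hypothetical, and how the streaming server calls the verifier is assumed, not shown.

```javascript
// Added example with hypothetical names: per-listener, expiring stream tokens
// issued and checked on the server (Node.js), replacing one shared password.
const crypto = require("node:crypto");

// Server-side secret; never sent to the browser. Constructed sample value.
const SECRET = "constructed-sample-secret-change-me";

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
}

// Issue a token bound to one user and one mount, valid for ttlSeconds.
function issueToken(userId, mount, nowSec, ttlSeconds = 300) {
  if (`${userId}${mount}`.includes("|")) throw new Error("'|' not allowed in ids");
  const payload = [userId, mount, nowSec + ttlSeconds].join("|");
  return Buffer.from(payload).toString("base64url") + "." + sign(payload);
}

// Check signature, mount, expiry and revocation. Returns the user id or null.
function verifyToken(token, mount, nowSec, revokedUsers = new Set()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return null;
  const payload = Buffer.from(parts[0], "base64url").toString("utf8");
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(parts[1]);
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const fields = payload.split("|");
  if (fields.length !== 3) return null;
  const [userId, tokenMount, expiry] = fields;
  if (tokenMount !== mount) return null;        // token is for another stream
  if (!(Number(expiry) > nowSec)) return null;  // token has expired
  if (revokedUsers.has(userId)) return null;    // account was cut off
  return userId;
}
```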