What? I didn't either. I returned to the site. No problem. So I turned on scripting temporarily for the site. Bang! "You must be logged in to access this page."
So I took a quick look at the source code for the page.
First come several hundred lines of displayed information.
Then this little program, written in JavaScript:

    <script language="JavaScript">
    if(!(getCookie("siteCookiexxxx"))){
        location.replace("http://www.mydumbcontractordidthis.com/login_new.html");
    }
    </script>

OK, I disguised the site name so as not to embarrass the site owner or his (presumably highly paid) IT contractor.
But, there it is. If you don't have a login cookie on your computer, the already-loaded page gets replaced by the login page. Er, as long as you have JavaScript enabled on your browser. Otherwise, feel free to cruise to whatever page you would like.
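For contrast, here is an added example (not code from the site or from the original post) of the same check made on the server, before any page content is sent. The session store, function names and sample session id are assumptions for illustration; the cookie name and login path are the disguised ones quoted above.

```javascript
// Constructed session store: session id -> user. A real site would issue a
// long random id at login and keep it server-side.
const sessions = new Map([["constructed-session-id-0001", "alice"]]);

const COOKIE_NAME = "siteCookiexxxx"; // disguised cookie name from the post
const LOGIN_PAGE = "/login_new.html"; // login path from the post

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return out;
}

// Returns the user for a valid session, otherwise null. The value is looked
// up in the server's store: the mere presence of a cookie (all the page's
// script tested) proves nothing, since the client controls its own cookies.
function authorize(cookieHeader) {
  const sid = parseCookies(cookieHeader).get(COOKIE_NAME);
  return sid !== undefined && sessions.has(sid) ? sessions.get(sid) : null;
}

// Node-style request handler, usable as http.createServer(handler).
// The decision is made before a single byte of the protected page is written.
function handler(req, res) {
  if (authorize(req.headers.cookie) === null) {
    // Empty body: a browser with scripting off receives nothing to read.
    res.writeHead(302, { Location: LOGIN_PAGE, "Cache-Control": "no-store" });
    res.end();
    return;
  }
  res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
  res.end("<h1>Members-only content</h1>");
}
```

With this arrangement, turning JavaScript off changes nothing: the redirect is an HTTP response, not a script running inside a page that has already been delivered.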
Anyone who has seen a weaker security scheme, please comment!