I have a webserver running off of my computer.  With this, I have a
javascript file that handles the login information for my website. 
This javascript file has all the usernames and passwords for the site,
however, they are not encrypted.  If someone was to look at the source
code for the webpage, they will see where the javascript file is
located, and be able to download it and view.  Is there a way that I
can prevent a person from downloading the file using .htaccess, while
still allowing the web page to access it.  If not, is there a place
that I can place the javascript file where a person will not be able
to get to it.

Javascript has the same access as a user searching the web. You may
want to try and encrypt this area with .htaccess or just use the
standard method php.

If you server supports php here is a simple script to prevent access

<?
if(($username == "whatever1") && ($password == "whatever1)) || 
  (($username == "whatever2") && ($password == "whatever2)) ||
  (($username == "whatever3") && ($password == "whatever3)) ||
  (($username == "whatever4") && ($password == "whatever4)) ||
{
include("filetodownload.exe"); 
// use above include or include the html with the download link
// ie. include("download.html");
} else {
echo("Your username and or password did not march");
?>  

This file must end in php. Have more questions? let me know

I still don't think that that will solve my problem.  For example, the
code I have on the web page is :
<head>
<script src="scripts/login.js"></script> 
</head>
All the username and passwords that will be accepted are in the file
login.js  Now, if someone looks at the source code, they will see that
bit of code and be able to point thier browser to
http://myserver/scripts/login.js and download the file.  This is what
I want to try to prevent.
I don't really know php, but isn't it placed within the html document?
 That would mean that if I were to use this script, my problem would
still be there.  Please let me know if I am misunderstanding the
script.
Thanks

Hi,

There are several possible ways to "encrypt" your code.
1) Code Obfuscation: you can use some shared software such as Jammer
or JMyth to make your code unreadable.

2) You can use Microsoft Windows Script Engine Version 5.0 to protect your code.

3)Use the Javascript function escape() to encrypt your code.

hello sir

As my personal thinking.. you should start to using php and mysql [if
they are supported]   there are some freely available scripts .. which
you can use for personal use.

right click protect.. or popups are not solution for you...btw. which
local server you are using?

regards

I am using Apache

Your problem is that you're using client-side logic to police access
to your downloaded file. You are trusting the remote user to properly
use the javascript code to authenticate their access and not download
the file if they're not allowed to.

On the web, this is a big no-no. You NEVER EVER trust the remote user
to be friendly. You have to assume they're malicious and will do
anything they can to get where they shouldn't be.

As such, if you truly want to hide that file from those who are not
allowed to see it, you'll have to ditch this client-side
authentication and resort to server-side methods. Previous comments
suggested using PHP, which is one way of going about it. As you
mentioned using Apache as your server, you can also use the following
method:

1) Place your private file(s) into a sub-directory somewhere inside
your site's directory on the server. The name/location does not
matter, as long as it's some place that can be remotely viewed
2) Configure Apache to require a valid login on that directory.
Details are available at:
     http://httpd.apache.org/docs/1.3/mod/core.html#directory
and
     http://httpd.apache.org/docs/1.3/mod/core.html#require

In this method, you will have Apache doing the authentication of the
remote user's login credentials. Apache will refer to a .htpasswd file
(standard name) which will contain the username/password combinations
of all the valid logins. If you place this .htpasswd file somewhere
*outside* of your web-accessible directories, the remote user will not
be able to download the file and view all your logins.

NOTE: While they will not be able to view all the logins, nothing will
prevent them from repeatedly hammering your server and trying to guess
a valid login combo. Detecting and preventing this situation is beyond
the scope of this question, however.

NOTE #2: If you want to have multiple files available via this method,
and only make a certain subset of the files available to any
particular user, turn off directory browsing
(http://httpd.apache.org/docs/1.3/mod/core.html#options) on the
directory in which you're placing the files. This way they will not be
able to retrieve a list of all the files available.



More complicated solutions are available, ie: via CGI scripts, PHP,
Perl, etc... You could store the login information in a database, or
on another machine, etc... But I believe the method I present above
will be sufficient for your needs.

hope it helps
marc.