Memoirs from the old web: The GateKeeper access control system

It would have been around 2001. The term “AJAX” would not be invented until 2005. Lots of people had their own Geocities page, the typical instance of which was horrific yet in retrospect somehow wonderful. Dynamic web applications were server driven, with any use of JavaScript being only as a minor seasoning on the client side. Previously these applications had often been via Perl and CGI, but now PHP was rising in popularity. Plenty of Perl and PHP-based web forums abounded, forming the centres of little communities run by enterprising individuals. The phrase “dynamic HTML” (DHTML) was used to describe doing interesting and dynamic things by using JavaScript to manipulate HTML live, like making animated menus — a term which has now been long forgotten. Websites such as (2004 archive copy) provided an archive of such scripts uploaded by various people.

At the same time, plenty of people didn't have access to a PHP host and were stuck with static web hosting, which was often free. This kind of free host would usually automatically inject advertising into their user's web pages. From time to time, a user of such a web host would want to create a password protected area of their website. Since doing this securely ordinarily would require some kind of server validation of the password, occasionally you would see people hack it by checking the password in (possibly mildly obfuscated) client side JavaScript. Of course, this was completely insecure.

Interestingly, one person figured out a way to actually implement password authentication on a statically hosted website in a kind-of secure way. I found this quite interesting (it being my hobby at the time to browse through the various scripts people had uploaded to dynamicdrive.)

This script was called “GateKeeper”. It was a JavaScript addin for websites which was based on a brilliantly simple idea: it would prompt you for a password, and when you entered the password, it would simply construct an URL from that password and try to load it. So for example, if the password page was at, and you entered a password of foo, it would try to load using JavaScript.

This was before anyone had discovered XMLHTTPRequest (which, interestingly, was lying in web browsers for years before being discovered and significantly capitalised upon); instead, it used framesets (yes, not iframes, traditional framesets). When you input a password, it would load the trial URL into one frame of the frameset. If the password was correct, the URL would load correctly, and that page would contain some JavaScript which would use parent.opener.location.href to redirect you to the logged in area. If the password was incorrect, the URL loaded would just be a 404. Since there was no easy way to detect this (at least without configuring a custom 404 page, which most free static hosts probably wouldn't let you do), incorrect passwords were simply detected using a timeout, by default 10 seconds; if the “correct password” page hadn't been loaded after 10 seconds, it assumed you'd entered the wrong password and told you as much.

Of course this is not exactly great security - anyone who does successfully log in can simply copy the URL of the private area and share it with someone. Still, I found it an interesting technique at the time and at the very least it was an improvement over most contemporary amateurs' attempts to simply obfuscate a password stored in a client-side script. If nobody with the internal links shares any of them, and a secure password is chosen, and directory listings are inhibited, in principle it works.

In any case, I thought that this was an interesting anecdote about the weird and yes, sometimes crummy ways people hacked around the limitations of the available technologies in the time of the early web. As I recall there was an enhanced version of the GateKeeper script for sale with enhanced functionality also — the spirit of shareware still lived.

Though I wasn't optimistic about my ability to dig up this obscure script, it appears the original web page is archived here! Before that, the homepage for the script lived here. (I might add that the navigation at the bottom of the latter page is an interesting window into the sorts of things which counted as cool in that era of web development...)

Probably the most amazing thing about all of this though is that stunningly, one of the demo pages is still live, being hosted at Tripod (yes that's right, apparently Tripod is still up). Sadly it doesn't appear to work correctly in a modern browser, probably because the security around window.opener and frame parent objects has been tightened in the years since; though of course, it would be easy to implement the basic idea without relying on frames nowadays (not that I'm saying you should).

In any case, I hope you found this random memoir of what the early web was like fun. It was certainly a fun place to be.