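An example of password-locking an HTML page by checking a hashed password in the browser and setting a secret cookie. The check runs entirely client-side, so the secret page is protected only by its hard-to-guess URL (which embeds the password); content that needs real access control needs a server-side check.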
<center>
Enter the password to view the secret page.
<br><br><br>
<input id="pass" type="password" >
<br><br>
<button id="submit">Submit</button>
<br>
<div id="errors" style="color: red"></div>
</center>
<script>
// Cookie under which the accepted password is remembered between visits.
const SECRET_COOKIE_NAME = 'super_secret_page';

// Base path of the protected page. The password is appended to it, so the
// final URL is /secret_page_pAsSw4rd.html.
const SECRET_PAGE_URL = '/secret_page';

// Salt appended to the typed password before hashing. It is shipped in the
// page source, so it is public and only keeps the hash from matching
// precomputed tables of unsalted digests.
const PASSWORD_SALT = 'somesalthere';

// SHA-256 hex digest of 'pAsSw4rd' + 'somesalthere' (per the original author's note).
// NOTE(review): this digest is visible to every visitor and is a single fast
// hash, so guesses can be checked against it without contacting the server.
// Pick a long, random password when reusing this pattern.
const PASSWORD_HASH = '7400a76781afc0919968e66702120c930c71227a2507d9b7bc0f12ca47f514c6';
/**
 * Compute the SHA-256 digest of a string with the Web Crypto API.
 *
 * Browsers expose `crypto.subtle` only in secure contexts (HTTPS or
 * localhost), so this function fails on a page served over plain HTTP.
 *
 * @param {string} message - Text to hash; it is UTF-8 encoded before hashing.
 * @returns {Promise<string>} Lowercase hex digest, two characters per byte.
 */
async function sha256(message) {
  const utf8Bytes = new TextEncoder().encode(message);
  const digest = await crypto.subtle.digest('SHA-256', utf8Bytes);

  // Render each byte as exactly two hex digits so leading zeros are kept.
  let hex = '';
  for (const byte of new Uint8Array(digest)) {
    hex += byte.toString(16).padStart(2, '0');
  }
  return hex;
}
/**
 * Write a cookie that is valid for every path on the site.
 *
 * NOTE(review): the value is written as-is (no encoding) and no `Secure` or
 * `SameSite` attribute is set. A cookie written through `document.cookie` is
 * always readable by scripts running on the same origin.
 *
 * @param {string} name - Cookie name.
 * @param {string} [value] - Cookie value; any falsy value is stored as an empty string.
 * @param {number} [days] - Lifetime in days; when falsy, no `expires` attribute is written.
 */
function setCookie(name, value, days) {
  const attributes = [`${name}=${value || ''}`];

  if (days) {
    const expiry = new Date();
    expiry.setTime(expiry.getTime() + days * 24 * 60 * 60 * 1000);
    attributes.push(`expires=${expiry.toUTCString()}`);
  }

  attributes.push('path=/');
  document.cookie = attributes.join('; ');
}
/**
 * Look up a cookie by name in `document.cookie`.
 *
 * @param {string} name - Cookie name to search for.
 * @returns {string|null} The raw (undecoded) value of the first matching
 *   cookie, or null when no cookie starts with `name=`.
 */
function getCookie(name) {
  const prefix = `${name}=`;

  for (const rawEntry of document.cookie.split(';')) {
    // Entries are separated by "; ", so drop the spaces left after splitting.
    const entry = rawEntry.replace(/^ +/, '');
    if (entry.startsWith(prefix)) {
      return entry.slice(prefix.length);
    }
  }

  return null;
}
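/**
 * Check a candidate password against PASSWORD_HASH and, on a match, remember
 * it in a cookie and navigate to the secret page.
 *
 * NOTE(review): on success the plaintext password is stored for 365 days in a
 * script-readable cookie and becomes part of the destination URL, so it also
 * ends up in browser history. This gate is obscurity, not access control: the
 * secret page itself is served to anyone who requests its URL.
 *
 * @param {string|null} password - Candidate password (typed by the user or
 *   read back from the cookie; null when no cookie is set).
 * @returns {Promise<boolean>} true when the password matched and a redirect
 *   was started, false otherwise.
 */
async function checkPassword(password) {
  // Without this guard a missing cookie (null) is coerced to the string
  // "null" by the concatenation below and hashed as if it had been typed.
  if (typeof password !== 'string') {
    return false;
  }

  const hashedUserInput = await sha256(password + PASSWORD_SALT);
  if (hashedUserInput !== PASSWORD_HASH) {
    return false;
  }

  // Plain text only, so textContent is enough and avoids HTML parsing.
  const statusBox = document.getElementById('errors');
  statusBox.textContent = 'Correct, redirecting to secret page...';
  statusBox.style.color = 'green';

  setCookie(SECRET_COOKIE_NAME, password, 365);
  document.location = `${SECRET_PAGE_URL}_${password}.html`;
  return true;
}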
// Submit button: clear the previous message, check the typed password, and
// show an error when it does not match. On a match checkPassword() has
// already started the redirect, so nothing more is done here.
document.getElementById('submit').addEventListener('click', async () => {
  const errorBox = document.getElementById('errors');
  errorBox.innerHTML = '';

  const typedPassword = document.getElementById('pass').value;
  if (await checkPassword(typedPassword)) {
    return;
  }
  errorBox.innerHTML = 'Incorrect password, try again.';
});

// On page load, try the value remembered in the cookie so that a returning
// visitor is redirected without typing the password again.
(async () => {
  await checkPassword(getCookie(SECRET_COOKIE_NAME));
})();
</script>
<meta name="robots" content="noindex">
<i>Super secret page content here...</i>
<script>
// Same cookie name that the login page reads when it loads.
const SECRET_COOKIE_NAME = 'super_secret_page';
/**
 * Write a cookie that is valid for every path on the site.
 *
 * NOTE(review): the value is written as-is (no encoding) and no `Secure` or
 * `SameSite` attribute is set. A cookie written through `document.cookie` is
 * always readable by scripts running on the same origin.
 *
 * @param {string} name - Cookie name.
 * @param {string} [value] - Cookie value; any falsy value is stored as an empty string.
 * @param {number} [days] - Lifetime in days; when falsy, no `expires` attribute is written.
 */
function setCookie(name, value, days) {
  const attributes = [`${name}=${value || ''}`];

  if (days) {
    const expiry = new Date();
    expiry.setTime(expiry.getTime() + days * 24 * 60 * 60 * 1000);
    attributes.push(`expires=${expiry.toUTCString()}`);
  }

  attributes.push('path=/');
  document.cookie = attributes.join('; ');
}
// Store the password in the cookie for 365 days whenever the secret page is
// opened, so the login page's load-time cookie check redirects straight here
// on the next visit.
// NOTE(review): the plaintext password is embedded in this page's source and
// kept in a script-readable cookie; treat both as visible to anyone who can
// load this page or read the browser profile.
setCookie(SECRET_COOKIE_NAME, 'pAsSw4rd', 365)
</script>
To help avoid the secret page showing up in search engine results, you should add this to the secret page: