
@pirate
Last active March 27, 2020 11:40
An example of password-locking an HTML page by checking a hashed password and setting a secret cookie.
<center>
Enter the password to view the secret page.
<br><br><br>
<input id="pass" type="password" >
<br><br>
<button id="submit">Submit</button>
<br>
<div id="errors" style="color: red"></div>
</center>
<script>
// Name of the cookie that remembers a successful login; the secret page writes the same name.
const SECRET_COOKIE_NAME = 'super_secret_page'
// Salt appended to the typed password before hashing. It ships in the page source next to the
// hash, and a single static salt with one SHA-256 pass does not slow down offline guessing.
const PASSWORD_SALT = 'somesalthere'
// NOTE(review): the trailing comments on the next two lines spell out the example password.
// They are here to explain the example; in a deployed copy they would hand the password to
// anyone who views the page source, so strip them.
const PASSWORD_HASH = '7400a76781afc0919968e66702120c930c71227a2507d9b7bc0f12ca47f514c6' // hash of 'pAsSw4rd' + 'somesalthere'
const SECRET_PAGE_URL = '/secret_page' // final URL is /secret_page_pAsSw4rd.html
/**
 * Hex-encoded SHA-256 digest of a string.
 *
 * A single unkeyed SHA-256 pass is fast by design, so a digest published in
 * page source can be guessed offline; it is not a password-hashing KDF.
 *
 * @param {string} message - text to hash; encoded as UTF-8 first
 * @returns {Promise<string>} 64 lowercase hex characters
 */
async function sha256(message) {
  const utf8Bytes = new TextEncoder().encode(message)
  const digest = new Uint8Array(await crypto.subtle.digest('SHA-256', utf8Bytes))
  let hex = ''
  for (const byte of digest) {
    // two hex digits per byte, zero-padded
    hex += byte.toString(16).padStart(2, '0')
  }
  return hex
}
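/**
 * Write a cookie for the whole site (path=/).
 *
 * Every cookie gets SameSite=Lax, and Secure is added when the page itself was
 * loaded over HTTPS, so the value is not attached to cross-site subrequests or
 * sent over plain HTTP. HttpOnly cannot be set from script, so page JavaScript
 * can always read the value back.
 *
 * @param {string} name - cookie name
 * @param {string} [value] - cookie value; a falsy value is written as an empty string
 * @param {number} [days] - lifetime in days; when falsy the cookie lasts for the browser session
 */
function setCookie(name, value, days) {
  let expires = ""
  if (days) {
    const msPerDay = 24 * 60 * 60 * 1000
    expires = "; expires=" + new Date(Date.now() + days * msPerDay).toUTCString()
  }
  // Only mark the cookie Secure on HTTPS pages; on plain HTTP the browser would refuse to store it.
  const secure = document.location.protocol === 'https:' ? "; Secure" : ""
  document.cookie = name + "=" + (value || "") + expires + "; path=/; SameSite=Lax" + secure
}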
/**
 * Look up a cookie by name in document.cookie.
 *
 * @param {string} name - cookie name to find
 * @returns {string|null} the raw (undecoded) value of the first match, or null when absent
 */
function getCookie(name) {
  const prefix = `${name}=`
  for (const rawPair of document.cookie.split(';')) {
    // pairs are separated by "; ", so drop the leading spaces before comparing
    const pair = rawPair.replace(/^ +/, '')
    if (pair.startsWith(prefix)) {
      return pair.slice(prefix.length)
    }
  }
  return null
}
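/**
 * Check a candidate password against PASSWORD_HASH and, on a match, remember it and redirect.
 *
 * On a match this shows a success message, stores the plaintext password in the
 * SECRET_COOKIE_NAME cookie for 365 days, and navigates to the secret page.
 *
 * Security notes:
 * - PASSWORD_SALT and PASSWORD_HASH ship in the page source, so the same check can be
 *   run offline. The secret page is protected only by how hard its URL is to guess,
 *   i.e. by the strength of the password.
 * - The password is part of the destination URL, so it is recorded in browser history,
 *   in server access logs, and possibly in Referer headers sent from the secret page.
 * - The cookie holds the plaintext password and is readable by any script on this origin.
 *
 * @param {string|null} password - candidate password; null when no cookie is set
 * @returns {Promise<boolean>} true when the password matched (a redirect has been started)
 */
async function checkPassword(password) {
  // getCookie() yields null on a first visit; there is nothing to hash in that case.
  if (typeof password !== 'string') {
    return false
  }
  const hashedUserInput = await sha256(password + PASSWORD_SALT)
  if (hashedUserInput !== PASSWORD_HASH) {
    return false
  }
  const status = document.getElementById('errors')
  // textContent: the message is plain text, so no HTML parsing is needed
  status.textContent = 'Correct, redirecting to secret page...'
  status.style.color = 'green'
  setCookie(SECRET_COOKIE_NAME, password, 365)
  // Encode so characters such as '/', '?' or '#' in a password cannot change the path.
  document.location = `${SECRET_PAGE_URL}_${encodeURIComponent(password)}.html`
  return true
}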
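// Submit button: check the typed password and report a wrong guess or a failed check.
document.getElementById('submit').addEventListener('click', async function () {
  const status = document.getElementById('errors')
  status.textContent = ''
  try {
    const wasCorrect = await checkPassword(document.getElementById('pass').value)
    if (!wasCorrect) {
      status.textContent = 'Incorrect password, try again.'
    }
  } catch (err) {
    // crypto.subtle exists only in secure contexts (HTTPS or localhost), so hashing can
    // throw; tell the user instead of leaving an unhandled rejection.
    console.error(err)
    status.textContent = 'Could not check the password on this page.'
  }
})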
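// Auto-login on page load: if a remembered password is in the cookie, re-check it and
// redirect without prompting. The leading ';' guards against the previous statement,
// which ends in ')' without a semicolon.
;(async function () {
  const rememberedPassword = getCookie(SECRET_COOKIE_NAME)
  if (rememberedPassword === null) {
    // first visit: no cookie, so leave the password form on screen
    return
  }
  try {
    await checkPassword(rememberedPassword)
  } catch (err) {
    // hashing is unavailable outside secure contexts; fall back to the manual form
    console.error(err)
  }
}())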
</script>
<meta name="robots" content="noindex">
<i>Super secret page content here...</i>
<script>
// Cookie name shared with the login page, which reads this cookie on load to skip the prompt.
const SECRET_COOKIE_NAME = 'super_secret_page'
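/**
 * Write a cookie for the whole site (path=/).
 *
 * Every cookie gets SameSite=Lax, and Secure is added when the page itself was
 * loaded over HTTPS, so the value is not attached to cross-site subrequests or
 * sent over plain HTTP. HttpOnly cannot be set from script, so page JavaScript
 * can always read the value back.
 *
 * @param {string} name - cookie name
 * @param {string} [value] - cookie value; a falsy value is written as an empty string
 * @param {number} [days] - lifetime in days; when falsy the cookie lasts for the browser session
 */
function setCookie(name, value, days) {
  let expires = ""
  if (days) {
    const msPerDay = 24 * 60 * 60 * 1000
    expires = "; expires=" + new Date(Date.now() + days * msPerDay).toUTCString()
  }
  // Only mark the cookie Secure on HTTPS pages; on plain HTTP the browser would refuse to store it.
  const secure = document.location.protocol === 'https:' ? "; Secure" : ""
  document.cookie = name + "=" + (value || "") + expires + "; path=/; SameSite=Lax" + secure
}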
// Remember this visitor for 365 days by writing the password itself into the cookie.
// NOTE(review): the plaintext password is hard-coded in this page's source and kept in a
// long-lived cookie that any script on the origin can read; changing the password means
// editing this line, the login page's hash, and the secret page's file name together.
setCookie(SECRET_COOKIE_NAME, 'pAsSw4rd', 365)
</script>

ta-dow commented Mar 27, 2020

To help avoid the secret page showing up in search engine results, you should add this to the secret page:

<meta name="robots" content="noindex">
