Corrected documentation

[CGIscriptor.git] / Private / Login.html

<html>
<head>
<title>Login</title>
<META CONTENT="text/ssperl; CGI='$LOGINTICKET $REMOTE_ADDR'">
<SCRIPT type="text/javascript" LANGUAGE="JavaScript">
<SCRIPT TYPE="text/ssperl" SRC="./JavaScript/LoginPage.js"></SCRIPT>
</script>

</head>
<body>
<p>
<table width='100%'><tr>
        <td style='text-align: left'><a href="/index.html">Home</a></td> 
        <td style='text-align: right'><a href="?LOGOUT">Logout</a></td>
</tr></table>
</p>
<p ALIGN=RIGHT><a href="index.html">Private Home page</a></p>
<h1 align=CENTER>Example of Login procedure</h1>
        <h2 align=CENTER><div id="WARNING" style="color: Red">You need to have JavaScript and cookies enabled to use the login system</div></h2>
<p>
        Simple and very unsafe example login page for CGIscriptor.pl. The password is first hashed with the
        username and site specific salt (as it is used to store the password on-site). Then it is hashed with a random,
        one-time salt. Effectively, creating a one-time password. Only the last value is send to the server.
        The server has both salt values stored. It will ignore anything except the username, hashed password, and
        loginticket.
</p>
<p>
        The Session Ticket information is stored in <a href="http://www.xul.fr/en/html5/sessionstorage.php">
        <em>sessionStorage</em></a> with key <em>CGIscriptorPRIVATE</em>. Older browsers might not implement 
        <a href="http://www.xul.fr/en/html5/sessionstorage.php"><em>sessionStorage</em></a>, or it might be
        turned off in the <a href="http://kb.mozillazine.org/Dom.storage.enabled"><em>dom.storage.enabled</em></a>
        parameter. There is a <a href="/PrivateTutorial.html">Tutorial of the authorization
    application</a>.
</p>

<!-- UNCOMMENT for use in a local version of the Private/Login.html web page. -->
<!-- Replace <form  > line with commented version -->
<!-- Replace http://localhost:8080/Private/index.html with the correct URL of the login page -->
<!-- <form method="POST" action="http://localhost:8080/Private/index.html" id="LoginForm" onSubmit='LoginSubmit();setSessionParameters();true'> -->
<form method="POST" action="" id="LoginForm" onSubmit='LoginSubmit();setSessionParameters();true'>
<div style="margin-left: 30%; margin-right: 30%; text-align: right">
  <table>
  <tr><td>Username:</td><td><input type="text" name="CGIUSERNAME" id="CGIUSERNAME" size="60" /></td></tr>
  <tr><td>Password:</td><td><input type="PASSWORD" name="PASSWORD" id="PASSWORD" size="60" /></td></tr>
  <tr><td></td><td style="text-align: left"><input type="submit" value="Login" />
                <input type="button" id="revealpassword" value="Show Passwords" onClick="this.value=togglePasswords('Hide', 'Show', this.value);true" /></td></tr>
 </table>
  <input type="hidden" name="LOGINTICKET" id="LOGINTICKET" value="--" />
</div>
</form>
<center>You have only 10 minutes to log in. Reload the page if you waited longer</center>
<p>Check IP address <input type="checkbox" onChange='var spanID = document.getElementById("IPADDRESSTEST");if(this.checked){spanID.style.display = "inline"} else 
{spanID.style.display = "none";}; true;'/>
<span id=IPADDRESSTEST style="display: none;">Your IP address appears to be: <b><input type=text id=CLIENTIPADDRESS value="<SCRIPT TYPE="text/ssperl" CGI='$REMOTE_ADDR'>$REMOTE_ADDR</SCRIPT>" /></b>. 
Please <a href="http://www.vpngate.net/en/">check whether this is correct</a> (to avert Man-in-the-Middle attacks).</span></p>
<p>
        There are three default test accounts, all three have password <em>testing</em>:
        <ul>
        <li>test: A SESSION ticket account</li>
        <li>testip: An IPADDRESS ticket account</li>
        <li>testchallenge: A CHALLENGE ticket account</li>
        </ul>
</p>

<p>
The Salt and Ticket values are all created using SHA256 on 64 Byte of output from <em>/dev/urandom</em> in HEX.
</p>
<FONT STYLE="font-size:small">
<p>
The example Login page is vulnerable to a Man-in-the-Middle (MITM) attack.
There is no real protection against this attack without end-to-end encryption and 
authentication. See the <a href="Private/manual.html">Manual</a> (login required).
</p>
<p> Example Login page for CGIscriptor.pl<br />
    Copyright &copy; 2012-2014  R.J.J.H. van Son<br />
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.<br />
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.
</p>
<p> A JavaScript implementation of the SHA family of hashes, as defined in FIPS
        PUB 180-2 as well as the corresponding HMAC implementation as defined in
        FIPS PUB 198a<br />
        Version 1.3 Copyright Brian Turek 2008-2010
        Distributed under the BSD License<br />
        See <a href="http://jssha.sourceforge.net/">http://jssha.sourceforge.net/</a> for more information<br />
        Several functions taken from Paul Johnson
</p>
</FONT>

<!-- UNCOMMENT for use in a local version of the Private/Login.html web page. -->
<!-- Replace http://localhost:8080/Private/index.html with the correct URL of the login page -->
<!-- <iFrame id="loginFrame" src="http://localhost:8080/Private/index.html" hidden>Login frame</iFrame> -->
</body>
</html>