search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Reorganizing login sessions, cookie support for CGIservlet
[CGIscriptor.git] / Private / ChangePassword.html
bloba952c07cef7b1be1613a93c62a763d75fb41a9b6
1 <html>
2 <head>
3 <title>Change Password</title>
4 <SCRIPT TYPE="text/ssperl" CGI='$SERVERSALT $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'>
5 ::create_login_file("~/Private/.Passwords", "~/Private/.Sessions", $REMOTE_ADDR);
6 "";
7 </SCRIPT>
8 <SCRIPT type="text/javascript" LANGUAGE="JavaScript">
9 function createCookie(name,value,days,path) {
10 if (days) {
11 var date = new Date();
12 date.setTime(date.getTime()+(days*24*60*60*1000));
13 var expires = "; expires="+date.toGMTString();
14 }
15 else var expires = "";
16 var match = document.cookie.match('/('+name+'\=[^\;]*\);/');
17 if(match)
18 document.cookie = document.cookie.replace(match[1], name+"="+value);
19 else
20 document.cookie = name+"="+value+expires+"; path=/"+path;
21 };
22
23 function readCookie(name) {
24 var nameEQ = name + "=";
25 var ca = document.cookie.split(';');
26 for(var i=0;i < ca.length;i++) {
27 var c = ca[i];
28 while (c.charAt(0)==' ') c = c.substring(1,c.length);
29 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
30 }
31 return null;
32 };
33
34 function check_password_fields ( ) {
35 var newpassword = document.getElementById('NEWPASSWORD');
36 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
37 if(newpassword.value == "" || newpasswordrep.value == "") {
38 alert("No passwords");
39 return false;
40 };
41 if(newpassword.value == newpasswordrep.value) {
42 var submitbutton = document.getElementById('SUBMIT');
43 submitbutton.style.color = "Black";
44 return true;
45 };
46 alert("Passwords differ");
47 return false;
48 };
49
50 function eraseCookie(name) {
51 createCookie(name,"",-1);
52 };
53
54 // Combine the PASSWORD with the site SERVERSALT and hash it
55 // Combine this Hash iwth the extra SERVERSALT, and hash them
56 function HashPassword(extsalt) {
57 var hash1 = "";
58 var hash2 = "";
59 var passwordvalue = document.getElementById('PASSWORD');
60 if(passwordvalue.value == "")
61 return 0;
62 var saltvalue = document.getElementById('SERVERSALT');
63 hash1 = hex_sha1(saltvalue.value+passwordvalue.value);
64 if(extsalt != "")
65 hash2 = hex_sha1(extsalt+hash1);
66 else
67 hash2 = hash1;
68 passwordvalue.value = hash2;
69 return hash2;
70 }
71 // Remember to hash the repeat too! Or else it will be send in the clear
72 function HashNewPassword() {
73 var hash1 = "";
74 var newpassword = document.getElementById('NEWPASSWORD');
75 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
76 if(newpassword.value == "" ) {
77 newpassword.value = "";
78 return 0;
79 };
80 if(newpasswordrep && (newpasswordrep.value == ""|| newpassword.value != newpasswordrep.value)) {
81 newpassword.value = "";
82 newpasswordrep.value = "";
83 return 0;
84 };
85 var saltvalue = document.getElementById('SERVERSALT');
86 hash1 = hex_sha1(saltvalue.value+newpassword.value);
87 newpassword.value = hash1;
88 newpasswordrep.value = hash1;
89 return hash1;
90 };
91
92 function XOR_hex_strings(hex1, hex2) {
93 var resultHex = "";
94 for(var i=0; i < hex1.length; ++i) {
95 var d1 = parseInt(hex1.charAt(i),16);
96 var d2 = parseInt(hex2.charAt(i),16);
97 var resultD = d1^d2;
98 resultHex = resultHex+resultD.toString(16);
99 };
100 return resultHex;
101 };
102
103 function EncryptNewPassword() {
104 var password = document.getElementById('PASSWORD');
105 var saltvalue = document.getElementById('SERVERSALT');
106 var login = document.getElementById('LOGINTICKET');
107 var newpassword = document.getElementById('NEWPASSWORD');
108 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
109
110 HashNewPassword();
111 hash = hex_sha1(saltvalue.value+password.value);
112 hash2 = hex_sha1(login.value+hash);
113 var encrypted = XOR_hex_strings(hash2, newpassword.value);
114 newpassword.value = encrypted;
115 newpasswordrep.value = encrypted;
116 return encrypted;
117 };
118
119 function add_cgiparam(elem, attr, param) {
120 var elems = document.getElementsByTagName(elem);
121 for (var i = 0; i < elems.length; i++)
122 {
123 var n=elems[i][attr].indexOf("?");
124 if(n<0)
125 elems[i][attr] = elems[i][attr] + "?" + param;
126 else
127 elems[i][attr] = elems[i][attr] + "&" + param;
128 };
129 };
130
131 function remove_cgiparam(elem, attr, parameter) {
132 var elems = document.getElementsByTagName(elem);
133 for (var i = 0; i < elems.length; i++)
134 {
135 var n=elems[i][attr].indexOf("&"+parameter);
136 if(n>0)
137 elems[i][attr] = elems[i][attr].replace("&"+param, "");
138 var n=elems[i][attr].indexOf(parameter);
139 if(n>0)
140 elems[i][attr] = elems[i][attr].replace(param, "");
141 };
142 };
143
144 function setSessionParameters() {
145 var sessionset = readCookie("CGIscriptorSESSION");
146 if(!sessionset.match(/[\S]/))return false;
147
148 var sessionticket = "";
149 sessionticket = localStorage.getItem("CGIscriptorPRIVATE");
150 createCookie("CGIscriptorSESSION",sessionticket, 1, "/Private");
151 var sessionparm = document.getElementById('SESSIONTICKET');
152 if(sessionparm) sessionparm.value = sessionticket;
153
154 // Without cookies, use this
155 // add_cgiparam('a', 'href', "SESSIONTICKET="+sessionticket);
156 // add_cgiparam('form', 'action', "SESSIONTICKET="+sessionticket);
157 return true;
158 };
159 function setChallengeParameters() {
160 var sessionset = readCookie("CGIscriptorCHALLENGE");
161 if(!(sessionset && sessionset.match(/[\S]/)))return false;
162
163 var sessionticket = "";
164 sessionticket = localStorage.getItem("CGIscriptorPRIVATE");
165 createCookie("CGIscriptorCHALLENGE",sessionticket, 1, "Private");
166 var sessionparm = document.getElementById('CHALLENGETICKET');
167 if(sessionparm) sessionparm.value = sessionticket;
168
169 // Without cookies, use this
170 // add_cgiparam('a', 'href', "CHALLENGETICKET="+sessionticket);
171 // add_cgiparam('form', 'action', "CHALLENGETICKET="+sessionticket);
172 return true;
173 };
174
175 window.onload = function() {
176 var challengeSet = setChallengeParameters();
177 if(! challengeSet)
178 setSessionParameters();
179 return true;
180 };
181
182
183 </SCRIPT>
184
185 <script type="text/javascript">
186 /*
187 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
188 * in FIPS 180-1
189 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
190 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
191 * Distributed under the BSD License
192 * See http://pajhome.org.uk/crypt/md5 for details.
193 */
194
195 /*
196 * Configurable variables. You may need to tweak these to be compatible with
197 * the server-side, but the defaults work in most cases.
198 */
199 var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
200 var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */
201
202 /*
203 * These are the functions you'll usually want to call
204 * They take string arguments and return either hex or base-64 encoded strings
205 */
206 function hex_sha1(s) { return rstr2hex(rstr_sha1(str2rstr_utf8(s))); }
207 function b64_sha1(s) { return rstr2b64(rstr_sha1(str2rstr_utf8(s))); }
208 function any_sha1(s, e) { return rstr2any(rstr_sha1(str2rstr_utf8(s)), e); }
209 function hex_hmac_sha1(k, d)
210 { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
211 function b64_hmac_sha1(k, d)
212 { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
213 function any_hmac_sha1(k, d, e)
214 { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d)), e); }
215
216 /*
217 * Perform a simple self-test to see if the VM is working
218 */
219 function sha1_vm_test()
220 {
221 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
222 }
223
224 /*
225 * Calculate the SHA1 of a raw string
226 */
227 function rstr_sha1(s)
228 {
229 return binb2rstr(binb_sha1(rstr2binb(s), s.length * 8));
230 }
231
232 /*
233 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
234 */
235 function rstr_hmac_sha1(key, data)
236 {
237 var bkey = rstr2binb(key);
238 if(bkey.length > 16) bkey = binb_sha1(bkey, key.length * 8);
239
240 var ipad = Array(16), opad = Array(16);
241 for(var i = 0; i < 16; i++)
242 {
243 ipad[i] = bkey[i] ^ 0x36363636;
244 opad[i] = bkey[i] ^ 0x5C5C5C5C;
245 }
246
247 var hash = binb_sha1(ipad.concat(rstr2binb(data)), 512 + data.length * 8);
248 return binb2rstr(binb_sha1(opad.concat(hash), 512 + 160));
249 }
250
251 /*
252 * Convert a raw string to a hex string
253 */
254 function rstr2hex(input)
255 {
256 try { hexcase } catch(e) { hexcase=0; }
257 var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
258 var output = "";
259 var x;
260 for(var i = 0; i < input.length; i++)
261 {
262 x = input.charCodeAt(i);
263 output += hex_tab.charAt((x >>> 4) & 0x0F)
264 + hex_tab.charAt( x & 0x0F);
265 }
266 return output;
267 }
268
269 /*
270 * Convert a raw string to a base-64 string
271 */
272 function rstr2b64(input)
273 {
274 try { b64pad } catch(e) { b64pad=''; }
275 var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
276 var output = "";
277 var len = input.length;
278 for(var i = 0; i < len; i += 3)
279 {
280 var triplet = (input.charCodeAt(i) << 16)
281 | (i + 1 < len ? input.charCodeAt(i+1) << 8 : 0)
282 | (i + 2 < len ? input.charCodeAt(i+2) : 0);
283 for(var j = 0; j < 4; j++)
284 {
285 if(i * 8 + j * 6 > input.length * 8) output += b64pad;
286 else output += tab.charAt((triplet >>> 6*(3-j)) & 0x3F);
287 }
288 }
289 return output;
290 }
291
292 /*
293 * Convert a raw string to an arbitrary string encoding
294 */
295 function rstr2any(input, encoding)
296 {
297 var divisor = encoding.length;
298 var remainders = Array();
299 var i, q, x, quotient;
300
301 /* Convert to an array of 16-bit big-endian values, forming the dividend */
302 var dividend = Array(Math.ceil(input.length / 2));
303 for(i = 0; i < dividend.length; i++)
304 {
305 dividend[i] = (input.charCodeAt(i * 2) << 8) | input.charCodeAt(i * 2 + 1);
306 }
307
308 /*
309 * Repeatedly perform a long division. The binary array forms the dividend,
310 * the length of the encoding is the divisor. Once computed, the quotient
311 * forms the dividend for the next step. We stop when the dividend is zero.
312 * All remainders are stored for later use.
313 */
314 while(dividend.length > 0)
315 {
316 quotient = Array();
317 x = 0;
318 for(i = 0; i < dividend.length; i++)
319 {
320 x = (x << 16) + dividend[i];
321 q = Math.floor(x / divisor);
322 x -= q * divisor;
323 if(quotient.length > 0 || q > 0)
324 quotient[quotient.length] = q;
325 }
326 remainders[remainders.length] = x;
327 dividend = quotient;
328 }
329
330 /* Convert the remainders to the output string */
331 var output = "";
332 for(i = remainders.length - 1; i >= 0; i--)
333 output += encoding.charAt(remainders[i]);
334
335 /* Append leading zero equivalents */
336 var full_length = Math.ceil(input.length * 8 /
337 (Math.log(encoding.length) / Math.log(2)))
338 for(i = output.length; i < full_length; i++)
339 output = encoding[0] + output;
340
341 return output;
342 }
343
344 /*
345 * Encode a string as utf-8.
346 * For efficiency, this assumes the input is valid utf-16.
347 */
348 function str2rstr_utf8(input)
349 {
350 var output = "";
351 var i = -1;
352 var x, y;
353
354 while(++i < input.length)
355 {
356 /* Decode utf-16 surrogate pairs */
357 x = input.charCodeAt(i);
358 y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0;
359 if(0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF)
360 {
361 x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF);
362 i++;
363 }
364
365 /* Encode output as utf-8 */
366 if(x <= 0x7F)
367 output += String.fromCharCode(x);
368 else if(x <= 0x7FF)
369 output += String.fromCharCode(0xC0 | ((x >>> 6 ) & 0x1F),
370 0x80 | ( x & 0x3F));
371 else if(x <= 0xFFFF)
372 output += String.fromCharCode(0xE0 | ((x >>> 12) & 0x0F),
373 0x80 | ((x >>> 6 ) & 0x3F),
374 0x80 | ( x & 0x3F));
375 else if(x <= 0x1FFFFF)
376 output += String.fromCharCode(0xF0 | ((x >>> 18) & 0x07),
377 0x80 | ((x >>> 12) & 0x3F),
378 0x80 | ((x >>> 6 ) & 0x3F),
379 0x80 | ( x & 0x3F));
380 }
381 return output;
382 }
383
384 /*
385 * Encode a string as utf-16
386 */
387 function str2rstr_utf16le(input)
388 {
389 var output = "";
390 for(var i = 0; i < input.length; i++)
391 output += String.fromCharCode( input.charCodeAt(i) & 0xFF,
392 (input.charCodeAt(i) >>> 8) & 0xFF);
393 return output;
394 }
395
396 function str2rstr_utf16be(input)
397 {
398 var output = "";
399 for(var i = 0; i < input.length; i++)
400 output += String.fromCharCode((input.charCodeAt(i) >>> 8) & 0xFF,
401 input.charCodeAt(i) & 0xFF);
402 return output;
403 }
404
405 /*
406 * Convert a raw string to an array of big-endian words
407 * Characters >255 have their high-byte silently ignored.
408 */
409 function rstr2binb(input)
410 {
411 var output = Array(input.length >> 2);
412 for(var i = 0; i < output.length; i++)
413 output[i] = 0;
414 for(var i = 0; i < input.length * 8; i += 8)
415 output[i>>5] |= (input.charCodeAt(i / 8) & 0xFF) << (24 - i % 32);
416 return output;
417 }
418
419 /*
420 * Convert an array of big-endian words to a string
421 */
422 function binb2rstr(input)
423 {
424 var output = "";
425 for(var i = 0; i < input.length * 32; i += 8)
426 output += String.fromCharCode((input[i>>5] >>> (24 - i % 32)) & 0xFF);
427 return output;
428 }
429
430 /*
431 * Calculate the SHA-1 of an array of big-endian words, and a bit length
432 */
433 function binb_sha1(x, len)
434 {
435 /* append padding */
436 x[len >> 5] |= 0x80 << (24 - len % 32);
437 x[((len + 64 >> 9) << 4) + 15] = len;
438
439 var w = Array(80);
440 var a = 1732584193;
441 var b = -271733879;
442 var c = -1732584194;
443 var d = 271733878;
444 var e = -1009589776;
445
446 for(var i = 0; i < x.length; i += 16)
447 {
448 var olda = a;
449 var oldb = b;
450 var oldc = c;
451 var oldd = d;
452 var olde = e;
453
454 for(var j = 0; j < 80; j++)
455 {
456 if(j < 16) w[j] = x[i + j];
457 else w[j] = bit_rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
458 var t = safe_add(safe_add(bit_rol(a, 5), sha1_ft(j, b, c, d)),
459 safe_add(safe_add(e, w[j]), sha1_kt(j)));
460 e = d;
461 d = c;
462 c = bit_rol(b, 30);
463 b = a;
464 a = t;
465 }
466
467 a = safe_add(a, olda);
468 b = safe_add(b, oldb);
469 c = safe_add(c, oldc);
470 d = safe_add(d, oldd);
471 e = safe_add(e, olde);
472 }
473 return Array(a, b, c, d, e);
474
475 }
476
477 /*
478 * Perform the appropriate triplet combination function for the current
479 * iteration
480 */
481 function sha1_ft(t, b, c, d)
482 {
483 if(t < 20) return (b & c) | ((~b) & d);
484 if(t < 40) return b ^ c ^ d;
485 if(t < 60) return (b & c) | (b & d) | (c & d);
486 return b ^ c ^ d;
487 }
488
489 /*
490 * Determine the appropriate additive constant for the current iteration
491 */
492 function sha1_kt(t)
493 {
494 return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 :
495 (t < 60) ? -1894007588 : -899497514;
496 }
497
498 /*
499 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
500 * to work around bugs in some JS interpreters.
501 */
502 function safe_add(x, y)
503 {
504 var lsw = (x & 0xFFFF) + (y & 0xFFFF);
505 var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
506 return (msw << 16) | (lsw & 0xFFFF);
507 }
508
509 /*
510 * Bitwise rotate a 32-bit number to the left.
511 */
512 function bit_rol(num, cnt)
513 {
514 return (num << cnt) | (num >>> (32 - cnt));
515 }
516 </script>
517
518 </head>
519 <body>
520 <p ALIGN=RIGHT><a href="index.html?LOGOUT">Logout</a></p>
521 <p ALIGN=RIGHT><a href="index.html">Home page</a></p>
522 <h1 align=CENTER>Change your password</h1>
523 <p>
524 </p>
525 <p>
526 </p>
527
528 <form method="POST" action="index.html" id="LoginForm"
529 onSubmit='if(! check_password_fields())return false;EncryptNewPassword();HashPassword("<SCRIPT TYPE="text/ssperl">
530 $RANDOMSALT</SCRIPT>");true'>
531 <div style="margin-left: 30%; margin-right: 30%; text-align: left">
532 <table>
533 <tr>
534 <td style="text-align: right">Old Password:</td>
535 <td style="text-align: left"><input type="PASSWORD" name="PASSWORD" id="PASSWORD" size="20" /></td>
536 </tr>
537 <tr>
538 <td style="text-align: right">New Password:</td>
539 <td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORD" id="NEWPASSWORD" size="20" />
540 </td>
541 </tr>
542 <tr>
543 <td style="text-align: right">Repeat:</td>
544 <td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORDREP" id="NEWPASSWORDREP" size="20" onChange="check_password_fields();"/></td>
545 </tr>
546 <tr>
547 <td></td>
548 <td style="text-align: left"><input type="submit" id="SUBMIT" value="Change" style="color: Gray" /></td>
549 </tr>
550 </table>
551 <input type="hidden" name="USERNAME" size="20" value=<SCRIPT type="text/ssperl">$LOGINUSERNAME</SCRIPT> />
552 <input type="hidden" name="SERVERSALT" id="SERVERSALT" value="<SCRIPT TYPE="text/ssperl">$SERVERSALT</SCRIPT>" />
553 <input type="hidden" name="RANDOMSALT" id="RANDOMSALT" value="<SCRIPT TYPE="text/ssperl">$RANDOMSALT</SCRIPT>" />
554 <input type="hidden" name="LOGINTICKET" id="LOGINTICKET" value="<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>" />
555 <input type="hidden" name="SESSIONTICKET" id="SESSIONTICKET"value="" />
556 <input type="hidden" name="CHALLENGETICKET" id="CHALLENGETICKET" value="" />
557 </div>
558 </form>
559 <p>
560 The Salt and Ticket values are all created using SHA1 on 512 Byte of output from <em>/dev/urandom</em> in HEX.
561 </p>
562 <FONT STYLE="font-size:small">
563 <p> Example Login page for CGIscriptor.pl<br />
564 Copyright &copy; 2012 R.J.J.H. van Son<br />
565 This program is free software: you can redistribute it and/or modify
566 it under the terms of the GNU General Public License as published by
567 the Free Software Foundation, either version 3 of the License, or
568 (at your option) any later version.
569 This program is distributed in the hope that it will be useful,
570 but WITHOUT ANY WARRANTY; without even the implied warranty of
571 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
572 GNU General Public License for more details.<br />
573 You should have received a copy of the GNU General Public License
574 along with this program. If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.</p>
575 <p> JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1<br />
576 Copyright &copy; 2000 - 2009 Paul Johnston, Version 2.2<br />
577 Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet<br />
578 Distributed under the BSD License<br />
579 See <a href="http://pajhome.org.uk/crypt/md5">http://pajhome.org.uk/crypt/md5</a> for details.
580 </FONT>
581
582 </body>
583 </html>
A flexible HTML 4 compliant script/module for CGI-aware embeded Perl, shell-scripts, and other scripting languages, executed at the server side.