6 <script type=
"text/javascript">
// Writes a `name=value` cookie scoped to "/"+path, with an Expires attribute `days`
// ahead when `days` is given. NOTE(review): original lines 8, 9, 12, 15, 17 and
// 19-21 are absent from this listing (the gutter numbers jump), so the `date`
// declaration, the `if (days)` branches and the closing brace are not visible here.
7 function createCookie(name,value,days,path) {
// `date` is not declared in the lines shown; presumably created on a dropped line.
10 date.setTime(date.getTime()+(days*24*60*60*1000));
// toGMTString() is a legacy alias of toUTCString(); the result becomes the Expires attribute.
11 var expires = "; expires="+date.toGMTString();
13 else var expires = "";
// NOTE(review): the argument is a plain string, so String#match builds the RegExp from
// the text `/(NAME=[^;]*);/` with both slashes as literal characters (the `\=`, `\;`
// and `\)` escapes are consumed by the string literal, not by the regex). It can only
// match when document.cookie contains a literal '/', and `name` is spliced into the
// pattern unescaped (on this page `name` is always a fixed literal).
14 var match = document.cookie.match('/('+name+'\=[^\;]*\);/');
// `match` is null when the pattern did not match; whether dropped line 15 guards this
// `match[1]` access cannot be seen here.
16 document.cookie = document.cookie.replace(match[1], name+"="+value);
// Only Expires and Path are appended: no `Secure` attribute, so the cookie is also
// sent on plain-HTTP requests to this path. (HttpOnly cannot be set from script, and
// readCookie below needs script access to the value anyway.)
18 document.cookie = name+"="+value+expires+"; path=/"+path;
// Returns the value of cookie `name` from document.cookie. NOTE(review): original
// lines 26 and 29-32 are missing from this listing, so the per-entry `c` declaration
// (presumably taken from ca[i]), the closing braces and the not-found return value are
// not visible; setChallengeParameters treats a falsy result as "no cookie".
22 function readCookie(name) {
23 var nameEQ = name + "=";
// document.cookie is "k=v; k2=v2": split on ';' and strip the leading blanks below.
24 var ca = document.cookie.split(';');
25 for(var i=0;i < ca.length;i++) {
27 while (c.charAt(0)==' ') c = c.substring(1,c.length);
// Exact-name match via the "name=" prefix on the trimmed entry; the remainder is the value.
28 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
// Expires cookie `name` by rewriting it with an empty value and a negative age.
// NOTE(review): createCookie appends "; path=/"+path and no path is passed here, so the
// rewritten cookie gets path "/undefined" — it would not replace the cookies that
// setSessionParameters/setChallengeParameters set with path "Private", which then keep
// their own one-day expiry. Lines 35-36 (closing brace) are missing from this listing.
33 function eraseCookie(name) {
34 createCookie(name,"",-1);
37 // Combine the PASSWORD with the site SERVERSALT and hash it
38 // Combine this Hash with the extra SERVERSALT, and hash them
// Replaces the PASSWORD field's contents with the hash HashSessionSeed derives from it
// and `extsalt`, so the form submits the hash rather than the typed password.
// NOTE(review): original lines 42, 44 and 46-50 are missing from this listing; the
// alert on line 45 presumably sits in the else-branch of a null check on `password`.
// HashSessionSeed is a single SHA-1 pass (no iteration count): it keeps the typed
// password off the wire, but SHA-1 of salt+password is not a slow password-hashing
// function, so whatever the server stores is still a password-equivalent secret.
39 function HashPassword(extsalt) {
40 var hash = HashSessionSeed(extsalt);
41 var password = document.getElementById('PASSWORD');
43 password.value = hash;
45 alert("NO PASSWORD IN FORM");
51 // REMEMBER: Set the session cookie BEFORE you hash the password!!!
// Derives the private session key from the server-supplied login ticket and the
// password fields (see HashSessionSeed) and stores it in sessionStorage under
// "CGIscriptorPRIVATE", where setSessionParameters/setChallengeParameters read it.
// NOTE(review): lines 58 and 60-62 are missing from this listing.
52 function SetSessionCookie() {
// The <SCRIPT TYPE="text/ssperl"> text is a server-side template; $LOGINTICKET is
// presumably substituted before the page is sent, so the browser only sees the ticket.
53 var seed = '<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>';
54 var hash = HashSessionSeed(seed);
55 // Dom.storage.enabled must be set!
// NOTE(review): `!sessionStorage` is evaluated before the typeof test, so on a browser
// where the global is not defined this throws ReferenceError instead of reaching the
// alert; the `typeof sessionStorage == 'undefined'` test would have to come first.
56 if (!sessionStorage || typeof(sessionStorage) == 'undefined' ) {
57 alert('Your browser does not support HTML5 sessionStorage. Set Dom.storage.enabled or try upgrading.');
// sessionStorage is readable by any script on this origin for the lifetime of the tab.
59 else sessionStorage.setItem("CGIscriptorPRIVATE", hash);
// Two-step hash used for both the login hash and the session key:
//   hash1 = SHA1(SERVERSALT + PASSWORD + USERNAME)
//   hash2 = SHA1(sessionseed + hash1)
// NOTE(review): lines 64-65, 70 and 72-76 are missing from this listing; callers use
// the return value, presumably hash2. `hash1` and `hash2` are assigned without `var`,
// so both become globals — the password-derived hash1 stays readable by any other
// script on the page after the call.
63 function HashSessionSeed(sessionseed) {
66 var passwordvalue = document.getElementById('PASSWORD');
67 var saltvalue = document.getElementById('SERVERSALT');
68 var username = document.getElementById('USERNAME');
// Plain concatenation without a separator: the three fields are not delimited, so
// different (salt, password, username) splits of the same string hash identically.
69 hash1 = hex_sha1(saltvalue.value+passwordvalue.value+username.value);
// Bare hash of seed+hash1; the bundled library also provides hex_hmac_sha1 for a keyed construction.
71 hash2 = hex_sha1(sessionseed+hash1);
77 // Remember to hash the repeat too! Or else it will be sent in the clear
// Validates the NEWPASSWORD/NEWPASSWORDREP fields and replaces both with
// SHA1(SERVERSALT + new password + USERNAME), the same construction HashSessionSeed
// uses for hash1. NOTE(review): lines 79, 85-86, 90-91 and 96-98 are missing from this
// listing, so whether the empty/mismatch branches return before the hashing below
// cannot be seen; if they fall through, an empty new password is hashed like any other.
78 function HashNewPassword() {
80 var newpassword = document.getElementById('NEWPASSWORD');
81 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
82 var username = document.getElementById('USERNAME');
83 if(newpassword.value == "" ) {
84 newpassword.value = "";
// Both fields are cleared when the repeat is empty or differs from the new password.
87 if(newpasswordrep && (newpasswordrep.value == ""|| newpassword.value != newpasswordrep.value)) {
88 newpassword.value = "";
89 newpasswordrep.value = "";
92 var saltvalue = document.getElementById('SERVERSALT');
// `hash1` is assigned without `var` and so leaks to global scope (as in HashSessionSeed).
93 hash1 = hex_sha1(saltvalue.value+newpassword.value+username.value);
94 newpassword.value = hash1;
95 newpasswordrep.value = hash1;
// XORs two hex strings digit by digit and builds the hex result in `resultHex`.
// NOTE(review): lines 100, 104 and 106-109 are missing from this listing (presumably the
// `resultHex` initialisation, `resultD = d1 ^ d2` and the return). The loop is bounded
// by hex1.length only: a longer hex2 has its tail dropped, and for a shorter hex2
// charAt() returns "" so parseInt yields NaN for d2.
99 function XOR_hex_strings(hex1, hex2) {
101 for(var i=0; i < hex1.length; ++i) {
102 var d1 = parseInt(hex1.charAt(i),16);
103 var d2 = parseInt(hex2.charAt(i),16);
// One hex digit per iteration; toString(16) needs no padding for values 0-15.
105 resultHex = resultHex+resultD.toString(16);
// Masks the hashed new password before submission. The key is
// SHA1(LOGINTICKET + SHA1(SERVERSALT + current PASSWORD + USERNAME)) — the same
// derivation as HashSessionSeed with the login ticket as seed — and both new-password
// fields are replaced by key XOR new-password-hash. NOTE(review): lines 117, 119 and
// 125-127 are missing from this listing; the comment on 118 suggests line 119 calls
// HashNewPassword() so that newpassword.value is a 40-digit hex string when XORed.
// `hash` and `hash2` are assigned without `var` and become globals.
110 function EncryptNewPassword() {
111 var password = document.getElementById('PASSWORD');
112 var saltvalue = document.getElementById('SERVERSALT');
113 var login = document.getElementById('LOGINTICKET');
114 var newpassword = document.getElementById('NEWPASSWORD');
115 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
116 var username = document.getElementById('USERNAME');
118 // This hashes the newpassword field!
120 hash = hex_sha1(saltvalue.value+password.value+username.value);
121 hash2 = hex_sha1(login.value+hash);
// The mask is a single 160-bit value: it protects the new hash only as far as the
// current-password hash and the login ticket are themselves kept confidential.
122 var encrypted = XOR_hex_strings(hash2, newpassword.value);
123 newpassword.value = encrypted;
124 newpasswordrep.value = encrypted;
// Appends `param` (e.g. "NAME=value") to the `attr` attribute of every <elem>, using
// "?" when the attribute has no query string yet and "&" otherwise.
// NOTE(review): lines 131, 133, 135 and 137-139 are missing from this listing, so the
// branch on `n` (the indexOf("?") result) is not visible. `param` is appended verbatim,
// without encodeURIComponent. The commented-out callers in setSessionParameters pass
// the session ticket this way; a ticket carried in href/action ends up in browser
// history, Referer headers and server logs — a reason to prefer the cookie path.
128 function add_cgiparam(elem, attr, param) {
129 var elems = document.getElementsByTagName(elem);
130 for (var i = 0; i < elems.length; i++)
132 var n =elems[i][attr].indexOf("?");
134 elems[i][attr] = elems[i][attr] + "?" + param;
136 elems[i][attr] = elems[i][attr] + "&" + param;
// On page load, refreshes the CGIscriptorSESSION cookie with the private session key
// kept in sessionStorage (one-day expiry, path "/Private"); returns false when no such
// cookie is present. NOTE(review): lines 143, 147 and 153-154 are missing from this listing.
140 function setSessionParameters() {
141 var sessionset = readCookie("CGIscriptorSESSION");
// NOTE(review): unlike setChallengeParameters, the null case is not guarded — if
// readCookie returns null for a missing cookie, `.match` throws here. The test only
// rejects a blank value.
142 if(!sessionset.match(/[\S]/))return false;
144 var sessionticket = "";
// getItem returns null when the key is absent; string concatenation in createCookie
// would then write the text "null" as the cookie value.
145 sessionticket = sessionStorage.getItem("CGIscriptorPRIVATE");
146 createCookie("CGIscriptorSESSION",sessionticket, 1, "Private");
148 // Without cookies, use this
149 // var sessionparm = document.getElementById('SESSIONTICKET');
150 // if(sessionparm) sessionparm.value = sessionticket;
151 // add_cgiparam('a', 'href', "SESSIONTICKET="+sessionticket);
152 // add_cgiparam('form', 'action', "SESSIONTICKET="+sessionticket);
// Challenge-response step: when a CGIscriptorCHALLENGE cookie is present, replaces it
// with SHA1(challenge + private session key) so the server can check possession of the
// key without the key itself travelling. NOTE(review): lines 158, 163, 167 and 170-172
// are missing from this listing.
155 function setChallengeParameters() {
156 var sessionset = readCookie("CGIscriptorCHALLENGE");
// Guards both the null and the blank case (setSessionParameters lacks the null check).
157 if(!(sessionset && sessionset.match(/[\S]/)))return false;
159 var sessionticket = "";
// null when SetSessionCookie has not run in this tab; the concatenation below would
// then hash the literal text "null" as the key.
160 var sessionkey = sessionStorage.getItem("CGIscriptorPRIVATE");
// Bare hash of challenge+key; the bundled hex_hmac_sha1 would be the keyed form.
161 sessionticket = hex_sha1(sessionset+sessionkey);
162 createCookie("CGIscriptorCHALLENGE",sessionticket, 1, "Private");
164 // Without cookies, use this
165 // var sessionparm = document.getElementById('CHALLENGETICKET');
166 // if(sessionparm) sessionparm.value = sessionticket;
168 // add_cgiparam('a', 'href', "CHALLENGETICKET="+sessionticket);
169 // add_cgiparam('form', 'action', "CHALLENGETICKET="+sessionticket);
// Page entry point: answer any pending challenge first, then refresh the session
// cookie. NOTE(review): lines 175 and 177-181 are missing from this listing; the
// `challengeSet` result is not used in the visible lines (presumably consulted on 175).
173 window.onload = function() {
174 var challengeSet = setChallengeParameters();
176 setSessionParameters();
182 <script type=
"text/javascript">
184 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
186 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
187 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
188 * Distributed under the BSD License
189 * See http://pajhome.org.uk/crypt/md5 for details.
193 * Configurable variables. You may need to tweak these to be compatible with
194 * the server-side, but the defaults work in most cases.
/* Library-wide output switches. rstr2hex and rstr2b64 read them inside a try/catch
   and fall back to 0 / '' when these declarations are absent. */
196 var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
197 var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */
200 * These are the functions you'll usually want to call
201 * They take string arguments and return either hex or base-64 encoded strings
/**
 * SHA-1 of a JavaScript string (UTF-8 encoded first), as a hex string.
 * @param {string} s  text to hash
 * @returns {string} 40 hex digits (case follows the `hexcase` switch)
 */
function hex_sha1(s) {
  var raw = rstr_sha1(str2rstr_utf8(s));
  return rstr2hex(raw);
}
/**
 * SHA-1 of a JavaScript string (UTF-8 encoded first), as base-64.
 * @param {string} s  text to hash
 * @returns {string} base-64 digest, padded per the `b64pad` switch
 */
function b64_sha1(s) {
  var raw = rstr_sha1(str2rstr_utf8(s));
  return rstr2b64(raw);
}
/**
 * SHA-1 of a JavaScript string (UTF-8 encoded first), rendered in an arbitrary alphabet.
 * @param {string} s  text to hash
 * @param {string} e  output alphabet; its length is the radix
 * @returns {string} digest re-encoded with the symbols of `e`
 */
function any_sha1(s, e) {
  var raw = rstr_sha1(str2rstr_utf8(s));
  return rstr2any(raw, e);
}
/**
 * HMAC-SHA1 of `d` under key `k` (both UTF-8 encoded first), as a hex string.
 * @param {string} k  key
 * @param {string} d  message
 * @returns {string} 40 hex digits
 */
function hex_hmac_sha1(k, d) {
  var key = str2rstr_utf8(k);
  var msg = str2rstr_utf8(d);
  return rstr2hex(rstr_hmac_sha1(key, msg));
}
/**
 * HMAC-SHA1 of `d` under key `k` (both UTF-8 encoded first), as base-64.
 * @param {string} k  key
 * @param {string} d  message
 * @returns {string} base-64 MAC, padded per the `b64pad` switch
 */
function b64_hmac_sha1(k, d) {
  var key = str2rstr_utf8(k);
  var msg = str2rstr_utf8(d);
  return rstr2b64(rstr_hmac_sha1(key, msg));
}
/**
 * HMAC-SHA1 of `d` under key `k` (both UTF-8 encoded first), in an arbitrary alphabet.
 * @param {string} k  key
 * @param {string} d  message
 * @param {string} e  output alphabet; its length is the radix
 * @returns {string} MAC re-encoded with the symbols of `e`
 */
function any_hmac_sha1(k, d, e) {
  var key = str2rstr_utf8(k);
  var msg = str2rstr_utf8(d);
  return rstr2any(rstr_hmac_sha1(key, msg), e);
}
214 * Perform a simple self-test to see if the VM is working
/* Known-answer self-test against the published SHA-1("abc") digest; the comparison is
   case-insensitive so it holds for either `hexcase` setting. Lines 217 and 219 (the
   braces) are missing from this listing. */
216 function sha1_vm_test()
218 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
222 * Calculate the SHA1 of a raw string
/* SHA-1 of a raw (one byte per char) string, returned as a 20-char raw string. The bit
   length passed is s.length * 8, so chars above 0xFF lose their high byte (see
   rstr2binb). Lines 225 and 227 (the braces) are missing from this listing. */
224 function rstr_sha1(s)
226 return binb2rstr(binb_sha1(rstr2binb(s), s.length * 8));
230 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
/* HMAC-SHA1 over raw strings: a key longer than one 64-byte block (16 words) is first
   hashed; ipad/opad are the key XORed with 0x36/0x5C. Lines 233, 236, 239, 242-243
   and 246-247 (braces/blank lines) are missing from this listing. */
232 function rstr_hmac_sha1(key, data)
234 var bkey = rstr2binb(key);
235 if(bkey.length > 16) bkey = binb_sha1(bkey, key.length * 8);
237 var ipad = Array(16), opad = Array(16);
/* For a key shorter than 16 words the missing entries read as undefined, and
   undefined ^ 0x36363636 is 0x36363636 — i.e. the key is implicitly zero-padded. */
238 for(var i = 0; i < 16; i++)
240 ipad[i] = bkey[i] ^ 0x36363636;
241 opad[i] = bkey[i] ^ 0x5C5C5C5C;
/* Inner hash over 512 key bits + data; outer over 512 key bits + the 160-bit inner hash. */
244 var hash = binb_sha1(ipad.concat(rstr2binb(data)), 512 + data.length * 8);
245 return binb2rstr(binb_sha1(opad.concat(hash), 512 + 160));
249 * Convert a raw string to a hex string
/* Raw string -> hex string, two digits per char; only the low byte of each char code
   survives the two masks. Lines 252, 255-256, 258 and 262-264 are missing from this
   listing, among them the `output`/`x` declarations and the return. */
251 function rstr2hex(input)
/* Reading `hexcase` inside try/catch tolerates the global being undeclared. */
253 try { hexcase } catch(e) { hexcase=0; }
254 var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
257 for(var i = 0; i < input.length; i++)
259 x = input.charCodeAt(i);
260 output += hex_tab.charAt((x >>> 4) & 0x0F)
261 + hex_tab.charAt( x & 0x0F);
267 * Convert a raw string to a base-64 string
/* Raw string -> base-64, three bytes to four symbols; `b64pad` fills the tail symbols
   that start past the end of the input (empty by default, "=" for standard padding).
   Lines 270, 273, 276, 281 and 284-288 are missing from this listing, among them the
   `output` declaration and the return. */
269 function rstr2b64(input)
271 try { b64pad } catch(e) { b64pad=''; }
272 var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
274 var len = input.length;
275 for(var i = 0; i < len; i += 3)
/* 24-bit group; a missing 2nd/3rd byte contributes zero bits. */
277 var triplet = (input.charCodeAt(i) << 16)
278 | (i + 1 < len ? input.charCodeAt(i+1) << 8 : 0)
279 | (i + 2 < len ? input.charCodeAt(i+2) : 0);
280 for(var j = 0; j < 4; j++)
/* A symbol whose first bit lies beyond the input is padding, not data. */
282 if(i * 8 + j * 6 > input.length * 8) output += b64pad;
283 else output += tab.charAt((triplet >>> 6*(3-j)) & 0x3F);
290 * Convert a raw string to an arbitrary string encoding
/* Raw string -> string over an arbitrary alphabet, by treating the input as one big
   number (16-bit big-endian words) and repeatedly long-dividing by the alphabet size.
   Lines 293, 297, 301, 303-305, 310, 312-314, 316, 319, 322, 324-326, 328, 331 and
   337-340 are missing from this listing, among them the `output`/`quotient`/`x`
   initialisation, the remainder update after the division and the return. */
292 function rstr2any(input, encoding)
294 var divisor = encoding.length;
295 var remainders = Array();
296 var i, q, x, quotient;
298 /* Convert to an array of 16-bit big-endian values, forming the dividend */
299 var dividend = Array(Math.ceil(input.length / 2));
300 for(i = 0; i < dividend.length; i++)
/* Odd input length: the trailing charCodeAt is NaN, which `|` treats as 0, so the last
   word's low byte is zero. */
302 dividend[i] = (input.charCodeAt(i * 2) << 8) | input.charCodeAt(i * 2 + 1);
306 * Repeatedly perform a long division. The binary array forms the dividend,
307 * the length of the encoding is the divisor. Once computed, the quotient
308 * forms the dividend for the next step. We stop when the dividend is zero.
309 * All remainders are stored for later use.
311 while(dividend.length > 0)
315 for(i = 0; i < dividend.length; i++)
/* Carry the running remainder into the next 16-bit word (x must be < divisor here). */
317 x = (x << 16) + dividend[i];
318 q = Math.floor(x / divisor);
/* Leading zero quotient words are dropped so the dividend shrinks each round. */
320 if(quotient.length > 0 || q > 0)
321 quotient[quotient.length] = q;
323 remainders[remainders.length] = x;
327 /* Convert the remainders to the output string */
/* Least-significant remainder was produced first, so emit in reverse. */
329 for(i = remainders.length - 1; i >= 0; i--)
330 output += encoding.charAt(remainders[i]);
332 /* Append leading zero equivalents */
/* Bits per output symbol is log2(alphabet size); pad with the zero symbol to the
   fixed length the input size implies. */
333 var full_length = Math.ceil(input.length * 8 /
334 (Math.log(encoding.length) / Math.log(2)))
335 for(i = output.length; i < full_length; i++)
336 output = encoding[0] + output;
342 * Encode a string as utf-8.
343 * For efficiency, this assumes the input is valid utf-16.
/* UTF-16 JS string -> UTF-8 raw string (one byte per char). Lines 346-350, 352, 357,
   359-361, 363, 365, 367-368, 371 and 376-380 are missing from this listing, among
   them the `output`/`i`/`x`/`y` declarations, the `x <= 0x7F` / `<= 0x7FF` /
   `<= 0xFFFF` range tests, the trailing continuation bytes of each multi-byte form
   and the return. */
345 function str2rstr_utf8(input)
351 while(++i < input.length)
353 /* Decode utf-16 surrogate pairs */
354 x = input.charCodeAt(i);
355 y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0;
/* High surrogate followed by low surrogate: combine into one code point. */
356 if(0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF)
358 x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF);
362 /* Encode output as utf-8 */
/* 1-byte form (ASCII). */
364 output += String.fromCharCode(x);
/* 2-byte form: 110xxxxx 10xxxxxx (continuation byte on the missing line 367). */
366 output += String.fromCharCode(0xC0 | ((x >>> 6 ) & 0x1F),
/* 3-byte form: 1110xxxx 10xxxxxx 10xxxxxx. */
369 output += String.fromCharCode(0xE0 | ((x >>> 12) & 0x0F),
370 0x80 | ((x >>> 6 ) & 0x3F),
/* 4-byte form: 11110xxx and three continuation bytes. */
372 else if(x <= 0x1FFFFF)
373 output += String.fromCharCode(0xF0 | ((x >>> 18) & 0x07),
374 0x80 | ((x >>> 12) & 0x3F),
375 0x80 | ((x >>> 6 ) & 0x3F),
382 * Encode a string as utf-16
/* JS string -> UTF-16LE raw string: each char code becomes low byte then high byte.
   Lines 385-386 (`output` declaration), 390-391 (return/brace) are missing from this listing. */
384 function str2rstr_utf16le(input)
387 for(var i = 0; i < input.length; i++)
388 output += String.fromCharCode( input.charCodeAt(i) & 0xFF,
389 (input.charCodeAt(i) >>> 8) & 0xFF);
/* JS string -> UTF-16BE raw string: each char code becomes high byte then low byte.
   Lines 394-395 (`output` declaration), 399-400 (return/brace) are missing from this listing. */
393 function str2rstr_utf16be(input)
396 for(var i = 0; i < input.length; i++)
397 output += String.fromCharCode((input.charCodeAt(i) >>> 8) & 0xFF,
398 input.charCodeAt(i) & 0xFF);
403 * Convert a raw string to an array of big-endian words
404 * Characters >255 have their high-byte silently ignored.
/* Raw string -> array of 32-bit big-endian words (4 chars per word, low byte of each
   char only). Lines 407, 410 (presumably zeroing output[i]), 413-414 are missing from
   this listing. */
406 function rstr2binb(input)
/* Pre-sized to floor(length/4); a trailing 1-3 bytes land in a new slot created by the
   `|=` below (undefined | x evaluates to x). */
408 var output = Array(input.length >> 2);
409 for(var i = 0; i < output.length; i++)
/* `i` counts bits here: i>>5 is the word index, 24 - i%32 the shift within the word. */
411 for(var i = 0; i < input.length * 8; i += 8)
412 output[i>>5] |= (input.charCodeAt(i / 8) & 0xFF) << (24 - i % 32);
417 * Convert an array of big-endian words to a string
/* Array of 32-bit big-endian words -> raw string, one char per byte, most significant
   byte first. Lines 420-421 (`output` declaration) and 424-425 are missing from this listing. */
419 function binb2rstr(input)
422 for(var i = 0; i < input.length * 32; i += 8)
423 output += String.fromCharCode((input[i>>5] >>> (24 - i % 32)) & 0xFF);
428 * Calculate the SHA-1 of an array of big-endian words, and a bit length
/* SHA-1 compression over an array of big-endian words holding `len` message bits;
   returns the five state words. The padding is written into the caller's array in
   place. Lines 431-432, 435-442 (w[80] and the a..e initial values), 444-450
   (olda..olde saves), 457-463 (the a..e rotation after each round) and 471-473 are
   missing from this listing. SHA-1 is deprecated for collision resistance; new
   designs should use SHA-256 or stronger. */
430 function binb_sha1(x, len)
/* Append the 0x80 terminator bit after the message... */
433 x[len >> 5] |= 0x80 << (24 - len % 32);
/* ...and the bit length as the last word of the final 512-bit block (only the low
   32 bits of the 64-bit length field are written; gaps read as undefined and act as 0
   in the bitwise arithmetic below). */
434 x[((len + 64 >> 9) << 4) + 15] = len;
443 for(var i = 0; i < x.length; i += 16)
451 for(var j = 0; j < 80; j++)
/* Message schedule: first 16 words are the block, the rest are rotated XORs. */
453 if(j < 16) w[j] = x[i + j];
454 else w[j] = bit_rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
/* Round function: rol(a,5) + f_t(b,c,d) + e + w[t] + K_t, all mod 2^32. */
455 var t = safe_add(safe_add(bit_rol(a, 5), sha1_ft(j, b, c, d)),
456 safe_add(safe_add(e, w[j]), sha1_kt(j)));
/* Add this block's result back into the chaining state. */
464 a = safe_add(a, olda);
465 b = safe_add(b, oldb);
466 c = safe_add(c, oldc);
467 d = safe_add(d, oldd);
468 e = safe_add(e, olde);
470 return Array(a, b, c, d, e);
475 * Perform the appropriate triplet combination function for the current
/* SHA-1 round function f_t for round t: Ch for 0-19, Parity for 20-39, Maj for 40-59
   (the final Parity return for 60-79 is on the missing line 483). Lines 479 and 484
   are missing from this listing. */
478 function sha1_ft(t, b, c, d)
480 if(t < 20) return (b & c) | ((~b) & d);
481 if(t < 40) return b ^ c ^ d;
482 if(t < 60) return (b & c) | (b & d) | (c & d);
487 * Determine the appropriate additive constant for the current iteration
/* Body of sha1_kt(t), the per-round additive constant used by binb_sha1 (line 456);
   the function header on lines 488-490 is missing from this listing. These are the
   four SHA-1 constants as signed 32-bit values: 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC
   and 0xCA62C1D6. */
491 return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 :
492 (t < 60) ? -1894007588 : -899497514;
496 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
497 * to work around bugs in some JS interpreters.
/* 32-bit wrapping addition built from two 16-bit halves so the intermediate sums never
   leave the exactly-representable integer range. Lines 500 and 504 (braces) are
   missing from this listing. */
499 function safe_add(x, y)
501 var lsw = (x & 0xFFFF) + (y & 0xFFFF);
/* Carry out of the low half is lsw >> 16. */
502 var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
503 return (msw << 16) | (lsw & 0xFFFF);
507 * Bitwise rotate a 32-bit number to the left.
/* Rotate a 32-bit value left by `cnt` bits (0 < cnt < 32); the unsigned shift keeps the
   wrapped-around high bits from sign-extending. Lines 510 and 512 (braces) are missing
   from this listing. */
509 function bit_rol(num, cnt)
511 return (num << cnt) | (num >>> (32 - cnt));
516 <p ALIGN=RIGHT
><a href=
"?LOGOUT">Logout
</a></p>
517 <p ALIGN=RIGHT
><a href=
"ChangePassword.html">Change Password
</a></p>
518 <h1 align=CENTER
>Private data: You are now logged in as
<em><script type=
"text/ssperl" CGI='$
LOGINUSERNAME=
""'
>$LOGINUSERNAME
</script></em></h1>
519 <p align=CENTER
>Logged in from
<script type=
"text/ssperl" CGI='$
LOGINIPADDRESS=
"" $
LOGINPATH=
"" $SESSIONTYPE'
>
520 "$LOGINIPADDRESS $LOGINPATH <br />Session type: $SESSIONTYPE"
522 <p align=CENTER
><a href=
"manual.html">Go to manual
</a></p>
524 <A NAME=
"SESSIONTICKETS"><H2 ALIGN=
"CENTER">SERVER SIDE SESSIONS AND ACCESS CONTROL (LOGIN)
</H2></A>
526 An infrastructure for user account authorization and file access control
527 is available. Each request is matched against a list of URL path patterns.
528 If the request matches, a Session Ticket is required to access the URL.
529 This Session Ticket should be present as a CGI parameter or Cookie:
532 CGI: SESSIONTICKET=
<value
><br />
533 Cookie: CGIscriptorSESSION=
<value
></p>
535 The example implementation stores Session Tickets as files in a local
536 directory. To create Session Tickets, a Login request must be given
537 with a LOGIN=
<value
> CGI parameter, a user name and a (doubly hashed)
538 password. The user name and (singly hashed) password are stored in a
539 PASSWORD ticket with the same name as the user account (name cleaned up