Commit: Corrected documentation
CGIscriptor.git: Private/Login.html
blob 24f516e3d1fdf4d3cb057105ab7725cb06be6f4d
<html>
<head>
<title>Login</title>
<META CONTENT="text/ssperl; CGI='$LOGINTICKET $REMOTE_ADDR'">
<SCRIPT type="text/javascript" LANGUAGE="JavaScript">
<SCRIPT TYPE="text/ssperl" SRC="./JavaScript/LoginPage.js"></SCRIPT>
</script>

</head>
<body>
<p>
<table width='100%'><tr>
<td style='text-align: left'><a href="/index.html">Home</a></td>
<td style='text-align: right'><a href="?LOGOUT">Logout</a></td>
</tr></table>
</p>
<p ALIGN=RIGHT><a href="index.html">Private Home page</a></p>
<h1 align=CENTER>Example of Login procedure</h1>
<h2 align=CENTER><div id="WARNING" style="color: Red">You need to have JavaScript and cookies enabled to use the login system</div></h2>
<p>
Simple and very unsafe example login page for CGIscriptor.pl. The password is first hashed with the
username and a site-specific salt (this is the form in which the password is stored on-site). The result is then hashed with a random,
one-time salt, effectively creating a one-time password. Only this last value is sent to the server.
The server has both salt values stored. It ignores anything except the username, the hashed password, and the
login ticket.
</p>
<p>
The Session Ticket information is stored in <a href="http://www.xul.fr/en/html5/sessionstorage.php">
<em>sessionStorage</em></a> with key <em>CGIscriptorPRIVATE</em>. Older browsers might not implement
<a href="http://www.xul.fr/en/html5/sessionstorage.php"><em>sessionStorage</em></a>, or it might be
turned off in the <a href="http://kb.mozillazine.org/Dom.storage.enabled"><em>dom.storage.enabled</em></a>
parameter. There is a <a href="/PrivateTutorial.html">Tutorial of the authorization
application</a>.
</p>

<!-- UNCOMMENT for use in a local version of the Private/Login.html web page. -->
<!-- Replace <form > line with commented version -->
<!-- Replace http://localhost:8080/Private/index.html with the correct URL of the login page -->
<!-- <form method="POST" action="http://localhost:8080/Private/index.html" id="LoginForm" onSubmit='LoginSubmit();setSessionParameters();true'> -->
<form method="POST" action="" id="LoginForm" onSubmit='LoginSubmit();setSessionParameters();true'>
<div style="margin-left: 30%; margin-right: 30%; text-align: right">
<table>
<tr><td>Username:</td><td><input type="text" name="CGIUSERNAME" id="CGIUSERNAME" size="60" /></td></tr>
<tr><td>Password:</td><td><input type="PASSWORD" name="PASSWORD" id="PASSWORD" size="60" /></td></tr>
<tr><td></td><td style="text-align: left"><input type="submit" value="Login" />
<input type="button" id="revealpassword" value="Show Passwords" onClick="this.value=togglePasswords('Hide', 'Show', this.value);true" /></td></tr>
</table>
<input type="hidden" name="LOGINTICKET" id="LOGINTICKET" value="--" />
</div>
</form>
<center>You have only 10 minutes to log in. Reload the page if you have waited longer.</center>
<p>Check IP address <input type="checkbox" onChange='var spanID = document.getElementById("IPADDRESSTEST");if(this.checked){spanID.style.display = "inline"} else
{spanID.style.display = "none";}; true;'/>
<span id="IPADDRESSTEST" style="display: none;">Your IP address appears to be: <b><input type="text" id="CLIENTIPADDRESS" value="<SCRIPT TYPE="text/ssperl" CGI='$REMOTE_ADDR'>$REMOTE_ADDR</SCRIPT>" /></b>.
Please <a href="http://www.vpngate.net/en/">check whether this is correct</a> (to avert Man-in-the-Middle attacks).</span></p>
<p>
There are three default test accounts; all three have the password <em>testing</em>:
<ul>
<li>test: A SESSION ticket account</li>
<li>testip: An IPADDRESS ticket account</li>
<li>testchallenge: A CHALLENGE ticket account</li>
</ul>
</p>

<p>
The Salt and Ticket values are all created as the HEX encoding of SHA256 over 64 bytes of output from <em>/dev/urandom</em>.
</p>
<FONT STYLE="font-size:small">
<p>
The example Login page is vulnerable to a Man-in-the-Middle (MITM) attack.
There is no real protection against this attack without end-to-end encryption and
authentication. See the <a href="Private/manual.html">Manual</a> (login required).
</p>
<p> Example Login page for CGIscriptor.pl<br />
Copyright &copy; 2012-2014 R.J.J.H. van Son<br />
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br />
You should have received a copy of the GNU General Public License
along with this program. If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.
</p>
<p> A JavaScript implementation of the SHA family of hashes, as defined in FIPS
PUB 180-2 as well as the corresponding HMAC implementation as defined in
FIPS PUB 198a<br />
Version 1.3 Copyright Brian Turek 2008-2010
Distributed under the BSD License<br />
See <a href="http://jssha.sourceforge.net/">http://jssha.sourceforge.net/</a> for more information<br />
Several functions taken from Paul Johnson
</p>
</FONT>

<!-- UNCOMMENT for use in a local version of the Private/Login.html web page. -->
<!-- Replace http://localhost:8080/Private/index.html with the correct URL of the login page -->
<!-- <iFrame id="loginFrame" src="http://localhost:8080/Private/index.html" hidden>Login frame</iFrame> -->
</body>
</html>