Forum Index : Microcontroller and PC projects : WebMite password login
Malibu Senior Member Joined: 07/07/2018 Location: Australia Posts: 228
G'day all,

Just having a fiddle around with password logins for WebMite pages. This code is all of 20 minutes work as my proof of concept, but I thought it might be something worthwhile to put out there to get some feedback, suggested improvements, ideas... etc, etc...

A really simple password login to protect web pages on a WebMite. I'm not talking about 64bit security with validation and such, but just a simple deterrent that would stop any 12yo with an iPhone that could stumble onto a 'setup' page and play games (the garden controller for example) by changing settings and having a good giggle about it.

WebMite:

    const SetPwd = "1234" 'Set the password
    WEB TCP INTERRUPT WebInterrupt

    do
      Watchdog 20000
    loop

    sub WebInterrupt
      local Integer ConnNum
      local integer ConnData(512)
      for ConnNum = 1 to mm.info(Max Connections)
        longstring clear ConnData()
        web tcp read ConnNum, ConnData()
        if llen(ConnData()) > 0 then
          longstring print ConnData()
          ' is the password string attached with the CORRECT password?
          if linstr(ConnData(), "GET /index.html?pwd=" + SetPwd + " HTTP") > 0 then
            WEB TRANSMIT PAGE ConnNum, "/index.html" ' yes, show the normal page
          elseif linstr(ConnData(), "GET /index.html") > 0 then 'no password attached?
            WEB TRANSMIT PAGE ConnNum, "/password.html" 'show the password page instead
          else
            WEB TRANSMIT CODE ConnNum, 404 ' for good house keeping
          endif
        endif
      next ConnNum
    end sub

Normal Index.html code:

    <html>
    <body>
    <h1>Index Page</h1>
    Password has been accepted... The Password is... {pwd}
    </body>
    </html>

The Password.html code:

    <html>
    <body>
    <h1>Enter the Password</h1>
    <form action="/index.html">
      <label>Password:</label>
      <input type="text" id="pwd" name="pwd" minlength="4">
      <input type="submit">
    </form>
    </body>
    </html>

It's a simple concept... try and get the index page with no password, or the wrong password, and it gets re-directed to the password input page.

Put in the password and the HTTP request is re-sent WITH the correct password in the string, and it will send out the 'normal' index page. (Otherwise, it keeps loading the password page.)

There's a bunch more tweaking and fiddling to do, but I thought I'd put it out there for some thoughts and feedback.

[Edit: Normally, password input type would be "password" rather than "text", but for now simple text does what I need]

Edited 2024-07-23 16:58 by Malibu

John

Malibu Senior Member Joined: 07/07/2018 Location: Australia Posts: 228
More tweaking and I'm pretty happy with the way it's turned out, if someone's looking for a similar bit of coding...

A little more work on the original but now, a PassKey is required. If ANY page is requested with no PassKey present, the login page is sent. Enter the correct password, a 25 bit random PassKey is generated and shuffled back-and-forth to all the pages. If that PassKey is present, it's a genuine login, otherwise you need to enter the correct password again.

Also, there's a timeout timer so if a web page is not requested for a set-time, it's an instant log-out, and back to the login page.

Files attached if anyone wants to play and/or improve...

Login Ver 2.zip

John

Geoffg Guru Joined: 06/06/2011 Location: Australia Posts: 3194
That looks brilliant. I'm going to try integrating it with the Garden Watering Controller.

If it works OK you could then punch a hole in your firewall and put the controller on the Internet and tweak your settings from anywhere in the world. Neat.

Geoff

Geoff Graham - http://geoffg.net

Malibu Senior Member Joined: 07/07/2018 Location: Australia Posts: 228
Thanks Geoff, happy to hear you could make use of it.

There is a flaw in my example project, in that it's a single login system. If one person logs in, the passkey is generated, but if a second person logs in, a NEW passkey is generated and so the first person's passkey becomes invalid, and is logged out of the system. First person logs in again, second is kicked out, etc, etc... This can lead to a 'battle for the passkey', with the winner being the last one to log in.

The only solution I can think of is a file with Names/Passwords with an array of passkey generated for each person. The name could be appended to the passkey with an array element assigned to each correct login passkey. ie:

In theory, you could have as many logins up to the maximum array number. A bit more work is needed on that idea, but for my simple use, it wasn't warranted. I'd be interested to see what you come up with though.

Edit: OK, so I just found another flaw... Pesky Opera (90% of the time) sends a GET /favicon HTTP request straight after receiving the login data from the password page. Straight away, the passkey becomes invalid and it's back to the login page. Opera... the best way to break an internet connection!

Edited 2024-08-01 16:08 by Malibu

John

Malibu Senior Member Joined: 07/07/2018 Location: Australia Posts: 228
So, I've had another crack at it - I'm a dog with a bone sometimes... plus, I don't like unfinished business.

The latest version:

- Password page has an extra field for User Name as well as the normal Password field.
- Has a user list as a text file, so when the program starts, it reads the list and dynamically creates arrays depending on how many are on the list. This was created in NotePad and transferred over. You can change the list, but just keep the format the same as what this one is. Format is 'AccessRights-UserName:Password'
- Can have multiple logins (in theory, up to 99, but depends on memory usage). Can be changed with a little string manipulation.
- Any of the users can log on at any time, but that user can ONLY logon once. No multiple use of logins.
- Timeout based on Epoch time, rather than an interrupt.
- User access rights. A user is given access rights and can only access the pages that come with those rights. 1=admin, 2=some rights, 3=only access to index page (it all needs a bit more work though)
- Any shifty text editing of the HTTP/URL in the web-browser is detected and the user is logged out and back into the password page

ToDo: a user add/remove page, a log-out button (right now, it just times out) and some better/more HTML messages to be displayed.

Sorry, there's ZERO comments this time!

All up, works pretty good I think. Hope it's put to some good use.

Login Ver 3.zip

John
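
An added example, written for this page in Python rather than MMBasic, and not taken from Malibu's posts or the attached zip files: a model of the per-user passkey scheme described in the two posts above, with one passkey per user, an idle timeout on epoch time, rights-based page access, and a stray request such as /favicon left unable to disturb a session. The sample users, the page table, the 300 second timeout and the choice to refuse a second login while a user's session is live are assumptions.

```python
import hmac, secrets, time

# Constructed sample list in the post's 'AccessRights-UserName:Password' format.
USER_LIST = "1-alice:correct-horse\n3-bob:garden42\n"
# Hypothetical page table: highest rights number still allowed to fetch the page.
PAGE_MAX_LEVEL = {"/index.html": 3, "/setup.html": 1}
TIMEOUT_S = 300  # assumed idle timeout in seconds


def load_users(text):
    users = {}
    for line in filter(str.strip, text.splitlines()):
        level, rest = line.split("-", 1)
        name, password = rest.split(":", 1)
        users[name] = (int(level), password)
    return users


class Sessions:
    def __init__(self, users, now=time.time):
        self.users, self.now = users, now
        self.live = {}  # passkey -> [user name, epoch of last page request]

    def _expire(self):
        cutoff = self.now() - TIMEOUT_S
        self.live = {k: v for k, v in self.live.items() if v[1] >= cutoff}

    def login(self, name, password):
        self._expire()
        level, stored = self.users.get(name, (0, ""))
        # compare_digest does not stop at the first differing byte
        good = hmac.compare_digest(stored.encode(), password.encode()) and level > 0
        if not good or any(v[0] == name for v in self.live.values()):
            return None  # wrong credentials, or this user is already logged in
        key = secrets.token_urlsafe(16)  # 128 random bits, one key per user
        self.live[key] = [name, self.now()]
        return key

    def authorize(self, key, path):
        if path not in PAGE_MAX_LEVEL:
            return "404"  # e.g. /favicon.ico: answered without touching sessions
        self._expire()
        entry = self.live.get(key)
        if entry is None:
            return "login"  # missing, altered or timed-out passkey
        if self.users[entry[0]][0] > PAGE_MAX_LEVEL[path]:
            return "denied"
        entry[1] = self.now()  # page request restarts the idle timer
        return "ok"
```

Because sessions are looked up by passkey, an altered passkey only sends that browser back to the login page and leaves other users' sessions untouched.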