I am trying to make a nocatsplash page- it uses HTML code to check a password and redirect visitors if a correct password is entered

Question

I currently have a working code that just allows users through once they click a button to accept terms. I would like to integrate a password field and accept button that would only allow someone through if the password is correct.

Here is my current working code with the simple button:

Agree to Connect:
<br>
<br>
<form method="post" id="login" action="http://10.0.0.1:5280/">
<input type="hidden" name="accept_terms" value="yes">
<input type="hidden" name="redirect" value="http://www.anderson1216.com/wifi-success.html">
<input type="hidden" name="mode_login">
<input type="submit" value="Accept Terms of Use and Connect">
</form>
<br>
//agreement text here
<br>
<br>
We thank you for your understanding and cooperation.
<br>
<br>
<form method="post" id="login" action="http://10.0.0.1:5280/">
<input type="hidden" name="accept_terms" value="yes">
<input type="hidden" name="redirect" value="http://www.anderson1216.com/wifi-success.html">
<input type="hidden" name="mode_login">
<input type="submit" value="Accept Terms of Use and Connect">
</form>

this is a simple password form that I found:

<head>
<script type="text/javascript">
function isValid(){
var password = document.getElementById('password').value;
if (password == "password123")
{alert('Correct!')
else
{alert('Wrong Password')}
}
</script>
</head>

<form name="PasswordField" action="">
Password:
<input type="password" id="password" name="password">
<input type="button" value="Log in" onclick="isValid();">
</form>

In order for the code to work, the first statement from the first block of code needs to be included somewhere to tell the router that the person accepted, then I want it to redirect to another website after they click the button. No alert is needed for a correct password, just the incorrect ones. Any suggestions?

Answer 1

NoCatSplash does not support authentication. Any user could simply bypass your authentication by manually posting to http://10.0.0.1:5280/

If you are serious about authentication, you should use another method, such as using a Radius server. This could even be installed on the router itself, given that it has good enough hardware to support it.

Answer 2

It looks like you are wanting to put this on a home router, possibly as a landing page? If you can elaborate a bit more I might be able to provide more help.

If you are trying to prevent someone from accessing the site unless they have know a secret password, then this is not the way to go about it. You would want to authenticate the user on the server side, not the client side, because anyone with limited knowledge of JavaScript can spoof authentication on the client side using the developer console.

If, however, you are just wanting to make certain that a human is agreeing to the terms of the agreement by entering in an arbitrary known password, then this method is fine.

Answer 3

I would agree with gavrig above to hash and salt them for safety.

But if i got your question right, here's a fiddle i put together to solve it. I've mixed jquery and javascript intentionally.

Agree to Connect:
<br>
<br>
//agreement text here
<br>
<br>
We thank you for your understanding and cooperation.
<br>
<br>
<form method="post" id="login" action="http://10.0.0.1:5280/">
<input type="password" id="password" name="password">
<input type="hidden" name="accept_terms" value="yes">
<input type="hidden" name="redirect" value="http://www.anderson1216.com/wifi-success.html">
<input type="hidden" name="mode_login">
<input type="submit" value="Accept Terms of Use and Connect">
</form>

$('form').on('submit', function(e){
    e.preventDefault();
  var password = document.getElementById('password').value;
        if (password == "password123")
        {
            this.submit();
        } 
    else
        {
            alert('Wrong Password');
        }

});

https://jsfiddle.net/tL7qcc5n/2/

Answer 4

I would SERIOUSLY advise not having the password listed in the js!! This is able to be seen by anyone looking at the source code. You need to implement a more secure password system with a hashed and salted password held in a secure database and checked via an AJAX call or PHP.