0

I currently have a working code that just allows users through once they click a button to accept terms. I would like to integrate a password field and accept button that would only allow someone through if the password is correct.

Here is my current working code with the simple button: 

Agree to Connect:
<br>
<br>
<form method="post" id="login" action="http://10.0.0.1:5280/">
<input type="hidden" name="accept_terms" value="yes">
<input type="hidden" name="redirect" value="http://www.anderson1216.com/wifi-success.html">
<input type="hidden" name="mode_login">
<input type="submit" value="Accept Terms of Use and Connect">
</form>
<br>
//agreement text here
<br>
<br>
We thank you for your understanding and cooperation.
<br>
<br>
<form method="post" id="login" action="http://10.0.0.1:5280/">
<input type="hidden" name="accept_terms" value="yes">
<input type="hidden" name="redirect" value="http://www.anderson1216.com/wifi-success.html">
<input type="hidden" name="mode_login">
<input type="submit" value="Accept Terms of Use and Connect">
</form>

this is a simple password form that I found:

<head>
<script type="text/javascript">
function isValid(){
var password = document.getElementById('password').value;
if (password == "password123")
{alert('Correct!')
else
{alert('Wrong Password')}
}
</script>
</head>

<form name="PasswordField" action="">
Password:
<input type="password" id="password" name="password">
<input type="button" value="Log in" onclick="isValid();">
</form>

In order for the code to work, the first statement from the first block of code needs to be included somewhere to tell the router that the person accepted, then I want it to redirect to another website after they click the button. No alert is needed for a correct password, just the incorrect ones. Any suggestions?

John James Anderson
  • 23
  • 3

4 Answers4

0

I would SERIOUSLY advise not having the password listed in the js!! This is able to be seen by anyone looking at the source code. You need to implement a more secure password system with a hashed and salted password held in a secure database and checked via an AJAX call or PHP.

gavgrif
  • 15,194
  • 2
  • 25
  • 27
0

It looks like you are wanting to put this on a home router, possibly as a landing page? If you can elaborate a bit more I might be able to provide more help.

If you are trying to prevent someone from accessing the site unless they have know a secret password, then this is not the way to go about it. You would want to authenticate the user on the server side, not the client side, because anyone with limited knowledge of JavaScript can spoof authentication on the client side using the developer console.

If, however, you are just wanting to make certain that a human is agreeing to the terms of the agreement by entering in an arbitrary known password, then this method is fine.

BayssMekanique
  • 894
  • 1
  • 14
  • 27
  • Yes, I am indeed just making a splash page for a router and want this password so that not just anyone can access the internet. If this method is OK assuming that the average user wouldn't know how to/ try to get the password or bypass the page, then this will work fine unless there is anything else that I should do. I implement this by simply placing an html module on my website page, then the router caches that page locally to display to guests. – John James Anderson Feb 13 '16 at 05:38
  • This should work then. There are also more secure ways to do it using CGI scripts which will allow tracking approved MAC addresses so that users don't constantly get this prompt. – BayssMekanique Feb 14 '16 at 05:32
0

I would agree with gavrig above to hash and salt them for safety.

But if i got your question right, here's a fiddle i put together to solve it. I've mixed jquery and javascript intentionally.

Agree to Connect:
<br>
<br>
//agreement text here
<br>
<br>
We thank you for your understanding and cooperation.
<br>
<br>
<form method="post" id="login" action="http://10.0.0.1:5280/">
<input type="password" id="password" name="password">
<input type="hidden" name="accept_terms" value="yes">
<input type="hidden" name="redirect" value="http://www.anderson1216.com/wifi-success.html">
<input type="hidden" name="mode_login">
<input type="submit" value="Accept Terms of Use and Connect">
</form>

$('form').on('submit', function(e){
    e.preventDefault();
  var password = document.getElementById('password').value;
        if (password == "password123")
        {
            this.submit();
        } 
    else
        {
            alert('Wrong Password');
        }

});

https://jsfiddle.net/tL7qcc5n/2/

Giri
  • 565
  • 2
  • 9
  • I was able to make your javascript portion of this code work by adding the line: – John James Anderson Feb 13 '16 at 06:01
  • EDIT- after testing it on the router, it redirects and allows anyone to connect through with anything typed in the field, not just the set password. Any idea on how to fix it? – John James Anderson Feb 13 '16 at 23:08
  • Did you include jquery? – Giri Feb 14 '16 at 23:41
  • I thought that the code above included jquery, but I wouldn't know for sure since I am not proficient with HTML or JavaScript. If I run that code in the jsfiddle module, it works, but I went to another link that ran the jsfiddle without the frame, copied that to the router page with the same result. I can't seem to figure out why. @Giri – John James Anderson Feb 15 '16 at 19:39
  • Add this inbetween head tags. – Giri Feb 15 '16 at 21:46
  • How exactly would salting and hashing the password help? Any user can just bypass the authentication all together by posting the form to http://10.0.0.1:5280/ manually. – Daniele Testa May 03 '21 at 11:48
0

NoCatSplash does not support authentication. Any user could simply bypass your authentication by manually posting to http://10.0.0.1:5280/

If you are serious about authentication, you should use another method, such as using a Radius server. This could even be installed on the router itself, given that it has good enough hardware to support it.

Daniele Testa
  • 1,538
  • 3
  • 16
  • 34