
Q600 Is there any way to encode a password in a cookie so that no one can read it?


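The following shows a simple rot13-style encoding. Note that rot13 is a fixed letter substitution with no key: it hides the value from a casual glance only, and anyone who can read the cookie can recover the original by applying rot13 again.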

<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript"><!--
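// Lookup table for rot13(): each alphabet is followed by its own first 13
// letters, so the character 13 places after a letter's first occurrence is
// always that letter's rot13 counterpart and no wrap-around arithmetic is needed.
var coding = 'ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMabcdefghijklmnopqrstuvwxyzabcdefghijklm';

/**
 * Rotate every ASCII letter of a string by 13 places; all other characters
 * are copied through unchanged. Applying the function twice returns the
 * original text.
 *
 * NOTE(review): rot13 is a fixed, keyless substitution. It is obfuscation,
 * not encryption, so a value stored this way should be treated as readable
 * by anyone who can read the place it is stored.
 *
 * @param {string} input  Text to transform; a falsy value yields ''.
 * @return {string}       The transformed text.
 */
function rot13(input) {
    if (!input) return '';
    var output = '';
    for (var i = 0; i < input.length; i++) {
        // Declared with var: the original assigned these without a
        // declaration, which creates globals in sloppy mode and throws a
        // ReferenceError in strict mode.
        var character = input.charAt(i);
        var position = coding.indexOf(character);
        if (position > -1)
            character = coding.charAt(position + 13);
        output += character;
    }
    return output;
}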

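/**
 * Read one cookie from document.cookie.
 *
 * The cookie string is split into its "name=value" pairs and the name is
 * compared against the start of each pair. The original searched the whole
 * string for name + "=", so asking for "userid" could return the value of a
 * different cookie whose name merely ends in "userid".
 *
 * @param {string} name  Exact cookie name to look up.
 * @return {?string}     The unescaped value, or null when no cookie has that name.
 */
function Get_Cookie(name) {
    var pairs = document.cookie.split(';');
    for (var i = 0; i < pairs.length; i++) {
        // Pairs after the first are preceded by a space ("a=1; b=2").
        var pair = pairs[i].replace(/^\s+/, '');
        if (pair.indexOf(name + '=') == 0) {
            // unescape() is kept because Set_Cookie writes values with escape().
            return unescape(pair.substring(name.length + 1));
        }
    }
    return null;
}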

/**
 * Write one cookie through document.cookie.
 *
 * NOTE(review): a cookie written from script cannot carry the HttpOnly
 * attribute, so every script running on the page can read it back; the
 * secure attribute is only added when the caller passes a truthy `secure`.
 *
 * @param {string}  name     Cookie name.
 * @param {string}  value    Cookie value; stored after escape().
 * @param {Date}    expires  Optional expiry date; omitted when falsy.
 * @param {string}  path     Optional path attribute.
 * @param {string}  domain   Optional domain attribute.
 * @param {boolean} secure   When truthy, append the secure attribute.
 */
function Set_Cookie(name,value,expires,path,domain,secure) {
    var cookieText = name + "=" + escape(value);
    if (expires) {
        cookieText += ";expires=" + expires.toGMTString();
    }
    if (path) {
        cookieText += ";path=" + path;
    }
    if (domain) {
        cookieText += ";domain=" + domain;
    }
    if (secure) {
        cookieText += ";secure";
    }
    document.cookie = cookieText;
}

// Expiry used for both cookies: 56 days (86400000 ms each) after the moment
// the page was loaded.
var today = new Date();
var expires = new Date(today.getTime() + (56 * 86400000));

/**
 * Submit handler for logonForm: stores the rot13-encoded userid and password
 * in cookies that last until `expires`.
 *
 * NOTE(review): the password is kept for 56 days in a script-readable cookie,
 * protected only by rot13, and no secure flag is passed to Set_Cookie.
 */
function set() {
    var form = document.logonForm;
    var encodedUserid = rot13(form.userid.value);
    Set_Cookie("userid", encodedUserid, expires);
    var encodedPassword = rot13(form.password.value);
    Set_Cookie("password", encodedPassword, expires);
}

/**
 * Load handler: reads the "userid" and "password" cookies, decodes them with
 * rot13 and places the results in the matching logonForm fields. rot13
 * returns '' for a missing cookie, so the fields are left empty in that case.
 */
function get() {
    var form = document.logonForm;
    var storedUserid = Get_Cookie("userid");
    form.userid.value = rot13(storedUserid);
    var storedPassword = Get_Cookie("password");
    form.password.value = rot13(storedPassword);
}

//--></SCRIPT>
</HEAD>

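<body onload="get()">

<!-- Logon form: get() prefills both fields from the cookies when the page
     loads, and set() writes the submitted values back into cookies. -->
<!-- NOTE(review): the form has no method attribute, so it submits with GET
     and the userid and password are appended to the URL. Use method="post"
     once a server-side handler exists. -->
<form name="logonForm" onsubmit="return set();">
  <p><label>Userid: <input type="text" name="userid" value="" autocomplete="username"></label></p>
  <p><label>Password: <input type="password" name="password" value="" autocomplete="current-password"></label></p>
  <p><input type="reset"> <input type="submit"></p>
</form>

</body>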
</HTML>

The following was submitted by secURLinx

Self-encryption (or one-way encryption) of the password is the answer.

In your script, compare the self-encrypted form of the password the user supplies with the self-encrypted form of the known password. If the two are equal, the plain-text password the user supplied can then be used as part of a variable to unlock something. This way only the encrypted form of the known password has to be stored. (Select a suitable cookie example from elsewhere.)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 //EN">
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="Copyright" content="Daniel de Lyon Limited">
<meta http-equiv="Author" content="Keith A Pegler">
<meta http-equiv="Description" content="Software implementation of the Data Encryption Standard (DES - FIPS PUB 46) written in JavaScript by Keith Pegler, Daniel de Lyon Limited, August 1999">
<meta http-equiv="Keywords" content="U.S. Department of Commerce, National Bureau of Standards,  Federal Information Processing Standards Publication, FIPS PUB 46, Data Encryption Standard, DES, D.E.S., Guidelines for Automatic Data Processing Physical Security and Risk Management, Category: ADP Operations, Sub-category: Computer Security">
<meta name="GENERATOR" content="secURLinx®">
<title>The Data Encryption Standard</title>
</head>

<!-- External scripts. The des$_encrypt() and changed() functions used below
     are not defined on this page and are presumably supplied by these files. -->
<!-- NOTE(review): both files are fetched from third-party hosts over plain
     http and without an integrity attribute, so the page executes whatever
     is returned for those URLs. Serving reviewed local copies over https
     would remove that dependency. -->
<script language="JavaScript1.2" src="http://users.computerweekly.net/securlinx/javascripts/securlinx_v100.js"></script>
<script language="JavaScript1.2" src="http://www.javascripts.com/repository/script370628_3_2.js"></script>
<script language="JavaScript1.2">

/**
 * Encrypt the text in the "word" field of the pass form with the text in the
 * "key" field of the encryption form, then copy the two values returned by
 * des$_encrypt() into the first two controls of the cipher form.
 *
 * des$_encrypt is not defined on this page; it is presumably provided by one
 * of the external scripts and is expected to return a two-element array.
 */
function encrypt()
{
  var plainText = document.pass["word"].value;
  var keyText = document.encryption["key"].value;
  var cipherParts = des$_encrypt(plainText, keyText);

  for (var n = 0; n < 2; n++) {
    document.cipher[n].value = cipherParts[n];
  }
}

</script>

<!-- Demonstration page: a password field, a key field, two rows of "bits"
     fields and a two-part cipher output. The form and control names are
     referenced from script, so they must stay as they are. -->
<body bgcolor="#C0C0C0">

<h1 align="center">
<a href="http://users.computerweekly.net/securlinx/">
secURLinx®
</a>
</h1>

<!-- Password entry. changed() is not defined on this page; presumably it
     comes from one of the external scripts. -->
<!-- NOTE(review): the field is type="text", so the password is visible on
     screen while it is typed. -->
<form method="get" name="pass">
	<input type="text" size="8" name="word" onchange="changed(this);"> Password here
</form>

<!-- Eight fields named 0 to 7 for the password bits. They are described as
     read-only, but none carries the readonly attribute. -->
<form name="pbits">
	<input type="text" size="8" name="0">
	<input type="text" size="8" name="1">
	<input type="text" size="8" name="2">
	<input type="text" size="8" name="3">
	<input type="text" size="8" name="4">
	<input type="text" size="8" name="5">
	<input type="text" size="8" name="6">
	<input type="text" size="8" name="7">
	Password bits (read-only)
</form>

<!-- Key entry. -->
<!-- NOTE(review): the label recommends using the password itself as the key,
     so the key is not a separate secret. DES has a 56-bit key and has been
     withdrawn as a federal standard; treat this page as a demonstration
     rather than as protection for a stored password. -->
<form name="encryption">
	<input type="text" size="8" name="key" onchange="changed(this);">
	Encryption key here (same as password recommended)
</form>

<!-- Eight fields for the key bits, named 1 to 8 here, whereas the pbits
     fields are named 0 to 7. Again no readonly attribute is set. -->
<form name="kbits">
	<input type="text" size="8" name="1">
	<input type="text" size="8" name="2">
	<input type="text" size="8" name="3">
	<input type="text" size="8" name="4">
	<input type="text" size="8" name="5">
	<input type="text" size="8" name="6">
	<input type="text" size="8" name="7">
	<input type="text" size="8" name="8">
	Key bits (read-only)
</form>

<!-- This control sits outside every form, so it submits nothing; its click
     handler calls changed(this). No handler visible on this page calls the
     encrypt() function defined in the inline script. -->
<input type="submit" name="encrypt" value="Encrypt" onclick="changed(this);">

<!-- Output: encrypt() writes to these two controls by position
     (document.cipher[0] and document.cipher[1]), not by their names. -->
<form name="cipher">
	<input type="text" size="16" name="1">
	<input type="text" size="16" name="2">
	Cipher (read-only)
</form>

</body>
</html>


©2018 Martin Webb