Login Coder is the absolute best secure client-side login system for private websites with a small membership. It offers members unique combinations of multiple page destinations, both local and on other domains. Members can share a username provided their passwords are different.
Login Coder has a JavaScript-driven user interface which can be bypassed by manually editing the relevant details directly into a plain text file. This database is never stored on the internet as that would remove the point of this being a secure system. Instead, an encrypted file is downloaded into the site visitor's browser and only decoded if the correct username and password are supplied.
The client side data does not contain any member information; no user names or passwords. The list of member only URLs is encrypted randomly and will never be generated the same way twice in anyone's lifetime.
Overview: Member and destination information, stored in a file named members.js as plain text with JavaScript formatting, is loaded into the Login Coder GUI. The information can be edited if necessary and a new data list for the members.js file created for use later.
When all the user and destination information is correct, the Generate button creates a securely encrypted block of data to be saved in a file named login.js. Both this file and a web page containing the contents of login.htm are uploaded to a website with the appropriate member-only pages. Members are now able to log in and access private areas of your site.
Detailed Explanation Of Login.html
Login.js contains two JavaScript arrays, URL and MEM.
URL is a straightforward one-dimensional array with each array element encrypted with a 31 bit password using a linear congruential generator, a type of random number generator.
Each array element is decrypted into two parts: the name or title of a member-only page and the URL (address).
The password for encryption of the URL array is a randomly generated 31 bit number used as the seed value for the random generator.
The MEM array is two-dimensional with each element containing 4 sub-elements: USER, PASS, KEY and TITLES.
USER is the result of a 31 bit hash function with a base of 13. That is, each character in the USER or member name is converted to a base 13 number and since there are characters greater than 12, information is lost and the hash value cannot be reverse engineered to produce the original name.
PASS is also the result of a hash function with a base of 13 derived from the entered password.
KEY is generated by XORing the hash of the password base 17 and the randomly generated seed number used to decode the URL array.
TITLES is a comma-delimited list of permitted member pages, for one specific member, encrypted by random numbers generated from a seed of the hashed password base 17.
The sequence of events is as follows:
The entered USER or member name is hashed with a base of 13 to produce a 31 bit number which is searched for in the MEM array. Every hash value that matches is added to a temporary list.
The temporary list is searched for a PASS value matching the base 13 hash of the entered password.
When a match has been found for USER and PASS, the seed number for decoding the URL array is calculated by XORing the password hash base 17 and the KEY value.
The TITLES list is decoded using the random seed value of the password hashed with a base of 17.
The final step is to list, by title, all the member URLs which are stored in the current member's TITLES list.
At no time were either the user name or password actively used to compare with a text list; only the nonreversible product of a hash function.
Even though the URL list is randomly encrypted and each USER is able to decode it with a combination of their password and the stored KEY value, it is impossible to use any of the KEY values alone to determine the decode value.
e.g.:
hash1 - key1 = decode
511 - 123 = 388
hash2 - key2 = decode
1023 - 635 = 388
There is no way to use key1 and key2 to produce the decode value.
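The login sequence described above, as an added example that is not Login Coder's own code. The hash (character code modulo the base, folded into 31 bits), the Park-Miller generator, the `|` separator, the fixed seed and the sample members are all assumptions chosen so the flow can be run end to end.

```javascript
// Added illustration: hash, generator, separators and sample data are assumptions.
const MASK31 = 0x7fffffff;

// 31-bit hash; each character code is reduced modulo `base`, so input is lost.
function hash(text, base) {
  let h = 0;
  for (const ch of text) h = (h * base + (ch.charCodeAt(0) % base)) & MASK31;
  return h;
}

// XOR stream cipher keyed by a Park-Miller LCG (stand-in generator); symmetric.
function crypt(text, seed) {
  let state = seed % 2147483647 || 1; // a state of 0 would freeze the generator
  return Array.from(text, (ch) => {
    state = (state * 16807) % 2147483647;
    return String.fromCharCode(ch.charCodeAt(0) ^ (state & 0x7f));
  }).join("");
}

// One MEM row in the order the page gives: [USER, PASS, KEY, TITLES].
function memberRow(user, pass, titles, seed) {
  const h17 = hash(pass, 17);
  return [hash(user, 13), hash(pass, 13), h17 ^ seed, crypt(titles.join(","), h17)];
}

// Login: match USER, then PASS, recover the seed, decode TITLES, list the URLs.
function login(user, pass, mem, urls) {
  const candidates = mem.filter((row) => row[0] === hash(user, 13));
  const row = candidates.find((r) => r[1] === hash(pass, 13));
  if (!row) return null;
  const h17 = hash(pass, 17);
  const seed = h17 ^ row[2]; // same seed for every member, different KEY each
  const allowed = crypt(row[3], h17).split(",");
  return urls.map((e) => crypt(e, seed).split("|"))
    .filter(([title]) => allowed.includes(title))
    .map(([title, url]) => ({ title, url }));
}

// Constructed sample data (generator side); the real tool picks the seed at random.
const SEED = 388;
const urlArray = ["News|news.htm", "Files|https://example.org/files.htm"]
  .map((e) => crypt(e, SEED)); // stands in for the page's URL array
const memArray = [ // stands in for the page's MEM array
  memberRow("alice", "red", ["News", "Files"], SEED),
  memberRow("alice", "blue", ["News"], SEED), // shared username, different password
];
```
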
Login Coder was originally created by D10n in May 1998 and submitted for publication on the JavaScriptSource website. It is large, bulky and limited when compared to the slimline approach taken by this 2010 version.
Colin Fiat Aug 2010