Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   heating gps

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32 bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this, a 200 ms delay is introduced in the reply to the login form, which gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. The session id is 36 bits long, which gives six base 64 characters, but checking it carries no extra delay. If an attempt could be made every ms then this would still take over a year to brute force.
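
The session id handling described above, sketched as an added example; it is not this library's own code. The function names, the URL-safe base 64 alphabet and the caller-supplied 64 bit random number are assumptions. The check refuses to match when no session exists, so an empty cookie value can never log in.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define SID_CHARS 6 /* 6 characters x 6 bits each = 36 bits */

/* Assumed alphabet: URL-safe base 64, so the value needs no escaping in a cookie */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

static char sid[SID_CHARS + 1] = ""; /* empty string means nobody is logged in */

/* Build a new session id from the low 36 bits of a 64 bit random number. */
void SidCreate(uint64_t random64)
{
    for (int i = 0; i < SID_CHARS; i++)
    {
        sid[i] = B64[random64 & 0x3F]; /* take 6 bits per character */
        random64 >>= 6;
    }
    sid[SID_CHARS] = '\0';
}

/* Forget the session, for example on logout or reset. */
void SidClear(void) { sid[0] = '\0'; }

const char* SidGet(void) { return sid; }

/* True only if a session exists and the cookie value matches it exactly. */
bool SidMatches(const char* cookie)
{
    if (sid[0] == '\0') return false;              /* no session: nothing can match */
    if (cookie == NULL) return false;
    if (strlen(cookie) != SID_CHARS) return false; /* rejects empty and short values */

    /* Compare every character so the time taken does not reveal
       the position of the first wrong one. */
    unsigned char diff = 0;
    for (int i = 0; i < SID_CHARS; i++)
    {
        diff |= (unsigned char)(sid[i] ^ cookie[i]);
    }
    return diff == 0;
}
```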

The most likely attack would be to use a dictionary with, say, 10 million entries against the password, which would still take 20 days to do.

Changes

Revision Date Who Commit message
129:6d9bffc72676 2 weeks ago andrewboyson Tidied up connection checks default tip
128:fc9708e1d17c 3 weeks ago andrewboyson Added connection status
127:bd6dd135009d 7 weeks ago andrewboyson Amalgamated Reply into Poll function
126:6b547c86da6e 3 months ago andrewboyson Updated login module following change to random module.
125:772948168e4f 4 months ago andrewboyson Updated net library
124:a2de6c22f85e 4 months ago andrewboyson Corrected spelling of governer to governor.
123:06de83222fda 4 months ago andrewboyson Updated http module in the net library
122:cd3f391ac8aa 4 months ago andrewboyson Updated http
121:811adea8a6a4 4 months ago andrewboyson Changed nav padding to 0.4 from 0.5
120:85a4d8f7517d 4 months ago andrewboyson Updated Last Reset page
119:794e5985d6c8 4 months ago andrewboyson Restart module in lpc1768 library updated
118:53430a2a2595 4 months ago andrewboyson Updated lpc1768 library
117:4f1fe03715ca 4 months ago andrewboyson Updated fault module
116:e2f4bf715af7 4 months ago andrewboyson Updated Fault module
115:24cb6e84ddd6 4 months ago andrewboyson Changed firmware reset to call the new restart routine rather than directly calling the semihost reset.
114:900e33dfa460 4 months ago andrewboyson Added ability to force a new password
113:23507d14f927 4 months ago andrewboyson Renamed 'core' to 'common'
112:f29bb9b99059 4 months ago andrewboyson Changed all names from 'derived' to 'this'
111:aaa858678e34 4 months ago andrewboyson Corrected bug where postComplete was not set true in the event of there not being a post.
110:8ab752842d25 4 months ago andrewboyson Tidied. About to rename to web.
109:3e82f62c7e1f 4 months ago andrewboyson Tidied names from http to web
108:91bfb40e7487 4 months ago andrewboyson Renamed WebBaseInit to WebInit
107:8ce0c528e2e5 4 months ago andrewboyson Tidied after merge
106:7cff473be687 4 months ago andrewboyson Tidied
105:43ef124233cd 4 months ago andrewboyson Removed Server name
104:40097d08edd5 4 months ago andrewboyson Renamed WebServerDerived to WebServer
103:91194cc19bbb 4 months ago andrewboyson Renamed everything from Http to Web
102:ce6770cb3488 4 months ago andrewboyson Moved http module to the net library
101:07234e772d31 4 months ago andrewboyson Removed unnecessary reference to 1-wire library's DS18B20.h module.
100:4a79e85d49ef 4 months ago andrewboyson Moved 1-wire http page over to 1-wire library to avoid issues when the file is not required
99:5aa33c306167 4 months ago andrewboyson Moved 1-wire into a separate library and moved the 1-wire page here with an option.
98:4e099563d5b9 4 months ago andrewboyson Encode '+' in XmlHttpRequest in line with what is automatically done by a form input.; Added routines to read hex numbers as signed integer.; Added date local id.
97:d9a821ab0f3d 4 months ago andrewboyson Converted net trace to use the Ajax class
96:eb2eb75bad0f 5 months ago andrewboyson Added Ajax class to net6 script
95:8c9dda8a0caf 5 months ago andrewboyson Used class to encapsulate ajax part of js in base.
94:d7226b2c14b6 5 months ago andrewboyson Used a class for the utc time to handle both the server 'real' time and a pseudo 'next leap' time. Also split the includes into building blocks so that many of the js scripts could be made up from them.
93:8995561d995f 5 months ago andrewboyson Reduced dependency of lpc1768-base on http by moving semihost file list routine into http-base
92:9ce59a5b6032 5 months ago andrewboyson Modified 'skip to main content' to 'skip to content'
91:9a125082f53c 5 months ago andrewboyson Added tab to main content to nav bar for keyboard users
90:9cc77a16b6c5 5 months ago andrewboyson Enabled focus on toggles and reinstated outline for keyboard users
89:615fb951df69 5 months ago andrewboyson Made Ipv6 tab use ajax
88:2857259fc2b4 5 months ago andrewboyson Made ARP and DNS entries in IPv6 and IPv4 pages update by ajax
87:c51478679090 5 months ago andrewboyson Moved log uart from net trace page to log page.
86:f3c9beec4ee7 5 months ago andrewboyson Split the NET page into general net, net ipv4 and net ipv6. Also made the arp and dns update through ajax.
85:fcffd89028c0 5 months ago andrewboyson Removed ugly blue outline from inputs with focus. Will need to rethink this as ultimately want the tab key to work.
84:4ed751de613e 5 months ago andrewboyson Added option for a suffix to an input
83:0d956edd55b7 5 months ago andrewboyson Capitalised some buttons
82:980a393ff4dc 5 months ago andrewboyson Added max age to sid cookie.
81:4551f2e0e79b 5 months ago andrewboyson First go at using base64 encoding for the sid
80:9ea202546e7f 5 months ago andrewboyson Modified login to generate a 64 bit session id.
79:e4cf94f9c9b2 5 months ago andrewboyson Modified the session id in login to use a 64 bit random number from the new random module; the previous 32bit number was probably not long enough to preclude brute forcing the sid.
78:b18812b429f7 5 months ago andrewboyson Fixed bug with the login session id
77:4689596a2f3f 5 months ago andrewboyson Changed from using float to using flex for creating left and right aligned lines.
76:bb34dbb26aae 6 months ago andrewboyson Comments improved
75:3831a4b5a230 6 months ago andrewboyson Changed login css to give a 'nicer' look
74:ac4d549dc1c5 6 months ago andrewboyson Added autofocus to login form
73:4e769dbbf9f2 6 months ago andrewboyson Included delay after submitting login page to make brute force attacks more difficult.
72:1ba60063c643 6 months ago andrewboyson Modified login module so that a hash, rather than the password, is stored.
71:d6aacc7d62ab 6 months ago andrewboyson Tidied up the login module. In particular ensured that an empty sid could not be matched using a cookie with an empty value.
70:8dcc8c6ffb81 6 months ago andrewboyson Corrected bug with cookie name