Return Code Experiment

Don't have a return code?

Get one from one of these pages:


Description:

This experiment started with the desire to add a return code to some of my pages. The user would be given a code at the bottom of the page they were currently on. Later, they could return to the index page and paste the return code to jump back to the page where they left off. The problem I had was that I wanted the codes to be pseudo-unique. I didn't want people sharing the same code online and using it over and over. So, I came up with this method, which involves a "seed code" mapped to a URL. Each pseudo-unique return code is generated from a seed code which is attached to a specific page.

To start with, I created a JSON file called "urlcodes.json" which maps URLs to seed codes and looks like this:

Let's use the seed code for page1.html as our example: 1CbJf

The seed code contains only upper and lowercase letters and numbers. There are no special characters or duplicated characters. Each character in the code is unique. Since all 5 characters (1, C, b, J, f) are unique, the number of permutations is 5! (5 factorial). Therefore, there are 120 possible unique permutations of the code "1CbJf". The unique permutations are "padded" with extra letters and numbers to create the pseudo-random return codes. The encoding method is like this: 1 # C # b # J # f #

Every other character in the pseudo-random return code is part of the actual seed code (or one of its permutations). Random letters and numbers are used to fill the spots indicated by the pound symbols (#). So, a "padded" return code might look like this: JxfcCobb1F. When we remove every other character (starting with the second character) we end up with this code: JfCb1, which is also a valid permutation of the original seed code from the JSON file. They are the same letters and letter case as the original seed code, but they're in a different order. It is one of the 120 possible unique permutations of the code "1CbJf" and is therefore valid.

So, the JavaScript functions take the return code given by the end user and extract the "real" code from the padded code, which contains the extra letters and numbers. They then check whether the extracted code is a valid permutation of a seed code we have in the JSON file. If it is, the user is directed to the URL. If not, they are told that the code is not valid.

By padding the unique permutations of the seed code with extra letters and numbers (making a 10 character code instead of using 5 characters) we can increase the number of unique possible permutations to 3,628,800. There are still only 120 possible unique permutations of the real seed code. But we can hand out 3,628,800 variations of this to the end users, creating a unique pseudo-random code for each person. If 5 visitors came to the site and were issued these 5 return codes:

  1. bnfc1LJbCt
  2. CKfnJo1Obw
  3. C1JP1dbcfE
  4. bNCi1KJdfE
  5. fXJqCBbW1r

All 5 would be valid permutations of the original seed code for page1.html (1CbJf) and would direct the user to that page. By obfuscating the permutations of the seed code into the 10 character "padded" code we can give the end user the appearance that they each have a unique code created just for them. But, of course, this method of obfuscating codes should not be used as a form of security. The codes are not guaranteed to be unique. And anyone who knows JavaScript could reverse engineer the codes to see how the validation is done. Or, even easier, they could just look at the urlcodes.json file and see the seed codes.
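
The encoding and validation described above, as an added example (this is not the code from experiment4.zip). `URL_CODES` is a constructed stand-in for urlcodes.json, and the function names and the page2.html seed are assumptions; only the page1.html seed comes from the text.

```javascript
// Added example, not the code from experiment4.zip.
// Constructed stand-in for urlcodes.json; only the page1.html seed is from the page.
const URL_CODES = { "page1.html": "1CbJf", "page2.html": "q7RtZ" };
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Math.random is adequate here only because the codes protect nothing.
const pick = (n) => Math.floor(Math.random() * n);

// Shuffle the seed (Fisher-Yates), then follow each character with random padding.
function makeReturnCode(seed) {
  const chars = [...seed];
  for (let i = chars.length - 1; i > 0; i--) {
    const j = pick(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.map((c) => c + ALPHABET[pick(ALPHABET.length)]).join("");
}

// Keep characters 1, 3, 5, ... (even indexes); the rest is padding.
function extractCore(code) {
  return [...code].filter((_, i) => i % 2 === 0).join("");
}

// Two strings are permutations of each other when their sorted forms match.
const sortChars = (s) => [...s].sort().join("");

// Return the mapped URL, or null when the code matches no seed.
function resolveReturnCode(code, map = URL_CODES) {
  if (typeof code !== "string" || !/^[A-Za-z0-9]+$/.test(code)) return null;
  const core = sortChars(extractCore(code));
  for (const [url, seed] of Object.entries(map)) {
    if (code.length === 2 * seed.length && sortChars(seed) === core) return url;
  }
  return null;
}

// Seeds that are permutations of one another would accept the same codes,
// so check the map for that before publishing it.
function findCollidingSeeds(map = URL_CODES) {
  const seen = new Map();
  const clashes = [];
  for (const [url, seed] of Object.entries(map)) {
    const key = sortChars(seed);
    if (seen.has(key)) clashes.push([seen.get(key), url]);
    else seen.set(key, url);
  }
  return clashes;
}
```

Because `resolveReturnCode` never looks at the padding characters, changing them leaves a code valid; only the order of the five seed characters distinguishes one accepted code from another.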

But for applications where security and authentication are not a concern, this method could be used to return to a specific page or section of the web site. Sort of a "shortcut" which could be used on sites which have long and complicated URLs. This method could also be used to share a page with other people. By sending them the return code, the person could jump right to a specific page or section of the site without using the URL or a bookmark.

TL;DR – Don't use this code for web site security! This is not a secure way to validate or authenticate users. It's just a way to link to web content which is already public.

You can download this code and play around with it here: experiment4.zip