in reply to Security and JavaScript
I don't understand why JavaScript is involved in this at all. Why are you not simply setting a cookie that you can verify from the server? What would stop someone from reading the secret word in the HTML, along with all the code to generate a correct hash?
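
An added example, not part of the original post: one way to build the server-verified cookie suggested above, assuming an HMAC-SHA256 tag over the cookie payload. The names `issue_cookie`, `verify_cookie`, `SERVER_KEY` and the `user|issued_at|mac` layout are hypothetical; the point is that the key never reaches the browser, so reading the page source gives nothing to forge with.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: the key lives only in server-side configuration. It is never
# sent to the browser, unlike a secret word embedded in the page's HTML.
SERVER_KEY = secrets.token_bytes(32)
MAX_AGE = 3600  # seconds a cookie stays valid (constructed value)


def _sign(payload: str, key: bytes) -> str:
    """HMAC-SHA256 tag over the payload, hex encoded."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, now=None, key: bytes = SERVER_KEY) -> str:
    """Build the cookie value 'user|issued_at|mac' after a successful login."""
    if "|" in user:
        raise ValueError("user must not contain the field separator")
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}"
    return f"{payload}|{_sign(payload, key)}"


def verify_cookie(value: str, now=None, key: bytes = SERVER_KEY):
    """Return the user name if the cookie is authentic and fresh, else None."""
    parts = value.split("|")
    if len(parts) != 3:
        return None
    user, issued, mac = parts
    expected = _sign(f"{user}|{issued}", key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if not (issued.isascii() and issued.isdigit()):
        return None
    age = int(time.time() if now is None else now) - int(issued)
    # Reject cookies from the future as well as expired ones.
    return user if 0 <= age <= MAX_AGE else None
```

The browser only stores and returns the value; every check runs on the server on each request.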