
Feedback #2 (under assignments) Lecture Code:


ganit

Presentation Transcript


  1. Feedback #2 (under assignments) Lecture Code: http://decal.aw-industries.com

  2. Today’s Agenda • Course Feedback • Announcements • Building a Login System • Wrap Up

  3. Announcements • Last Day of Class Today • Interest in Presenting Final Projects? • FP Deadlines • 12/6 Photoshop Layout • 12/13 Entire, Fully-Functional Project

  4. Web Design: Fall 2010 Mondays 7-9pm 200 Sutardja-Dai Hall Basic to Advanced Techniques Building a Login System

  5. Login Systems

  6. Functionality • Login • Verify Credentials • Logout • Remember Me • Register

  7. Components • Front End • Form • Back End • PHP for Authentication • Database (diagram: the form sends login and password to the PHP back end, which searches the database for the user with the given login and receives the stored encrypted password; on success the browser receives an authenticated session id)

  8. Form Browser Code

  9. Database Totally insecure! What if someone hacks your database? Can discover all passwords. Can log in as anyone.

  10. Database Improved Better, but… Leaks information. If someone hacks database: Can notice Jon and Amber have same password. CanNOT log in as anyone. Or can they?

  11. Database Best Secure! Assuming random salt and cryptography done correctly.

  12. Database Takeaways • Never store plain text password! • Compare encrypted passwords instead. • Use a random salt to prevent information leaks.

  13. Authentication: verify log in credentials • User submits login and password via form • PHP retrieves posted information via $_POST['login'] and $_POST['password'] • PHP runs database query: SELECT * from Users WHERE login = $_POST['login'] • Authenticate: Encrypt($_POST['password'], $row['salt']) == $row['encrypted_password'] • HUGE security vulnerability: interpolating $_POST['login'] directly into the query string allows SQL injection. Use prepared statements instead: http://php.net/manual/en/pdo.prepared-statements.php
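The storage and authentication steps of slides 9-13 in working PHP, as an added example that is not part of the lecture. It assumes a Users table with columns login and password_hash, and swaps in password_hash()/password_verify() (bcrypt with a built-in random salt) for the slide's Encrypt(password, salt) and separate salt column; the slides say "encrypt", a salted one-way hash is what is meant.

```php
<?php
// Added example, not from the lecture slides. Assumes a Users table with columns
// login and password_hash; an in-memory SQLite database stands in for MySQL so
// the file runs stand-alone (requires the pdo_sqlite extension).

function registerUser(PDO $db, string $login, string $password): void
{
    // password_hash() (bcrypt) draws a random salt and stores it inside the
    // hash string, replacing the slide's Encrypt(password, salt) and separate
    // salt column. Jon and Amber choosing the same password now produce
    // different hashes, so the database no longer reveals that they match.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO Users (login, password_hash) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => $hash]);
}

function authenticate(PDO $db, string $login, string $password): bool
{
    // The login is bound as a parameter, never spliced into the SQL text, so a
    // value containing quotes is compared literally against the column instead
    // of rewriting the WHERE clause (the slide's "HUGE security vulnerability").
    $stmt = $db->prepare('SELECT password_hash FROM Users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    // password_verify() re-derives the hash with the embedded salt and compares
    // in constant time; do not compare hash strings with == yourself.
    return password_verify($password, $row['password_hash']);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (login TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
registerUser($db, 'jon', 'hunter2');
registerUser($db, 'amber', 'hunter2');

var_dump(authenticate($db, 'jon', 'hunter2'));          // correct password
var_dump(authenticate($db, 'jon', 'wrong'));            // wrong password
var_dump(authenticate($db, "' OR '1'='1", 'anything')); // quoted input is just a nonexistent login
```

In the real form handler the last three calls become a single authenticate($db, $_POST['login'] ?? '', $_POST['password'] ?? '') against the MySQL connection.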

  14. What if we visit a new page? We would need to ask for credentials again. What a bother! Why? Because HTTP is stateless. How do we fix this? Sessions.

  15. What should happen • After logging in initially we want to be able to stay logged in until we close the browser or log out. • Also want the site to remember who we are.

  16. Cookies to the Rescue? • We need some sort of state, memory, between page loads. • Could store: as cookies • And send cookies every time we load a page. Server could then check that we're logged in and know who we are logged in as. Issues? Totally insecure! Could log in as whoever you want.

  17. Sessions: server-side state • We need state, but we can't store sensitive data on the client side. Thankfully there is server-side state! • Could store: • But how do we identify which stored record belongs to a particular client? Need to store an identifier too.

  18. What’s Inside Each? Cookies Sessions Secure? Nope. Can change our cookie to hijack other sessions.

  19. What’s Should Be Inside Each. Cookies Sessions Secure? Yes. As long as our Session Key is random and sufficiently long (enough entropy).

  20. Initial Interaction • Front End • Form • Back End • PHP for Authentication • Database (diagram: the form sends login and password to the PHP back end, which searches the database for the user with the given login and receives the stored encrypted password; on success the browser receives an authenticated session key)

  21. Subsequent Interaction • Browser • Back End • PHP for Authentication (diagram: the browser sends its session id cookie to the PHP back end, which looks up the session and returns the private web page)

  22. Session Hijacking • Session key is king. If someone is able to determine the value of your session key they can send the same cookie to the server and have access to your full account. • Firesheep

  23. Making Session Hijacking Harder (also session fixation attacks...) • Unique Request Headers • HTTPS
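The session side of slides 16-23 as an added PHP example, not code from the lecture: a random server-issued session key carried in a cookie, regenerated on login against session fixation, restricted to HTTPS, and pinned to a request header. It assumes PHP 7.3+ for the array forms of session_set_cookie_params() and setcookie(), and that the login check from the previous slides has already succeeded when loginSession() is called.

```php
<?php
// Added example, not from the lecture slides. Assumes PHP 7.3+, HTTPS, and that
// the login credentials were verified before loginSession() is called.

// Cookie attributes: the session id is sent only over HTTPS (secure), hidden
// from JavaScript (httponly), withheld from cross-site requests (samesite) and
// discarded when the browser closes (lifetime 0), as slide 15 asks.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_strict_mode', '1');  // refuse ids the server never issued
ini_set('session.use_only_cookies', '1'); // never read the id from the URL
session_start();

function loginSession(string $login): void
{
    // A fresh id on login means an id planted by an attacker beforehand (session
    // fixation) is never promoted to an authenticated one; true also deletes the
    // old server-side record. PHP draws the id from a CSPRNG, which is the
    // "random and sufficiently long" key slide 19 requires.
    session_regenerate_id(true);
    $_SESSION['login'] = $login;
    // Pin the session to a request header that should stay constant; a stolen
    // cookie replayed from a differently configured client then fails the check.
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function currentUser(): ?string
{
    if (!isset($_SESSION['login'], $_SESSION['ua_hash'])) {
        return null;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $ua)) {
        logoutSession(); // header mismatch: treat as a hijacked session
        return null;
    }
    return $_SESSION['login'];
}

function logoutSession(): void
{
    $_SESSION = [];
    // Expire the client-side cookie as well as destroying the server record.
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}
```

The header check is a cheap extra hurdle only; the protection that actually stops the Firesheep-style capture on slide 22 is the secure flag together with serving every page over HTTPS.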

  24. Writing Your Own Authentication System • Is very hard • Lots of things have to go right to make it secure and one thing wrong can jeopardize the entire system's security • Look for a reputable plugin • Use established encryption techniques

  25. Web Design: Fall 2010 Mondays 7-9pm 200 Sutardja-Dai Hall Basic to Advanced Techniques Semester Wrap Up

  26. What We’ve Learned • HTML • CSS • jQuery (JavaScript) • PHP • MySQL

  27. What Now? • Forget PHP • Want to build Facebook in a month, by yourself? • Learn: Ruby on Rails! • Still need all our knowledge of HTML, CSS, jQuery, MySQL • CS169 Great rails resource: http://railscasts.com/

  28. Keep in Touch… • Let me know what you’re up to… • What you’re building… • If you need advice… • Facebook Group or email

  29. Additional Resources General Web Design/Development Tutorials: http://www.smashingmagazine.com/ Photoshop Tutorials: http://www.tutorial9.net/ Awesome Web Designs: http://cssremix.com/

  30. Feedback #2 (under assignments) Lecture Code: http://decal.aw-industries.com
