
Authentication / Authorization






Presentation Transcript


  1. Authentication / Authorization Users and Access Control

  2. Authentication • Who you are

  3. Authorization • What you can do

  4. Authentication & Authorization
  • Ex: Scanning your card at a door.
  • Scanner looks up card ID, resolves it to a person ID
  • Checks if person is allowed to open door
  • Unlocks door (if appropriate)

  5. Authentication without Authorization
  • You & Your Passport
  • CAS

  6. Authorization without Authentication
  • Combination lock
  • Thruway Ticket

  7. Access Control in PHP
  • Using tools we already know (and love)
  • Sessions
    • Persistence for the relationship between client and server
  • Use header() to bounce
    • Unauthenticated users to the login page
  • Store user name & password in a MySQL database
  • HTML Form
    • A login form

  8. Flow
  article.php?id=27
    If not authed: send user to login.php?r=article.php?id=27 and exit();
    Else: show page content ... look up & display article 27
  login.php
    If session set:
      if r != "" redirect to r, else redirect to homepage
    Else if post vars set:
      check if user/pass match an entry in the db
    Else:
      present login form

  9. Tasks
  • Redirects with header()
  • Stopping the script with exit()
  • Setting Sessions
  • Checking Sessions
  • Posting Forms
  • DB Queries

  10. Redirect w/ header()
    header('location: <<web address>>');
  Example 1:
    header('location: login.php');
  Example 2:
    $loc = 'location: ' . $_GET['r'];
    header($loc);

  11. EXIT
  • Must call exit() directly after header() is called
  • Prevents code from being executed even if the user has been bounced to an alternate URL
  • exit() is equivalent to die() ... both stop the script from being executed

  12. Setting Sessions
    // start sessions on the current script
    session_start();
    // set a session value
    $_SESSION['today'] = "Friday";

  13. Getting a session value
    // sessions have already been started
    if ($_SESSION['today'] == 'Friday') {
        echo 'dj at daisy\'s';
    } else {
        echo 'sadfaces';
    }

  14. Sessions & Auth: Setting
  After the login form is posted & user/password is looked up in the db:
    $auth = md5(time() . $_SERVER['REMOTE_ADDR'] . 'secret');
    // save $auth + $userid in the database
    $_SESSION['auth'] = $auth;
    $_SESSION['user'] = $userid;

  15. Sessions & Auth: Checking
  On an auth-protected page:
    $auth   = $_SESSION['auth'];
    $userid = $_SESSION['user'];
    $sql = "select 'OK' from tickets where authkey = \"" . $auth . "\" and user = \"" . $userid . "\"";
    $result = mysql_query($sql);
    if (mysql_num_rows($result) != 1) {
        // bounce user to login page & exit
    } else {
        // display content
    }

  16. MD5
  • MD5 returns a non-reversible hash of a string
  • MD5 returns the same hash for a given string every time it is called
  • MD5 may return the same hash for two different input strings

  17. MD5
  • Because you don't trust your DBA
    $pass = $_POST['password'];
    $sql = "select pass, id from users where id = \"" . $id . "\" and pass = md5(\"" . $pass . "\")";
  • MD5() is also a MySQL function

  18. MD5 • You can apply the MD5 [or password()] function to a field when INSERTING a row via PHPMYADMIN
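Slides 16-18 store md5(password) in the users table and let MySQL hash the posted password inside the query. The block below is an added example, not code from the slides: it puts that md5() check beside PHP's password_hash()/password_verify(), which is what a practitioner should use for passwords today (salted, deliberately slow, and verified in PHP so the database never sees the plain password). It assumes PDO prepared statements in place of the slides' mysql_query() string building; the users table and its id/pass columns are the slides' own, and the demo rows are constructed.

```php
<?php
// Added example (not from the slides): md5()-in-SQL password check beside
// password_hash()/password_verify(). PDO and the constructed demo rows are assumptions.

declare(strict_types=1);

// Slide 17's approach: compare md5(input) with the stored md5 hash inside SQL.
// Kept only for comparison: md5 is fast and unsalted, so equal passwords give equal
// hashes and the DBA (whom slide 17 does not trust) can still run precomputed tables.
function checkPasswordMd5(PDO $db, string $id, string $pass): bool
{
    $stmt = $db->prepare('SELECT id FROM users WHERE id = ? AND pass = MD5(?)');
    $stmt->execute([$id, $pass]);
    return $stmt->fetchColumn() !== false;
}

// Hardened form: store password_hash() output (salted, slow, self-describing).
function storePasswordHashed(PDO $db, string $id, string $pass): void
{
    $stmt = $db->prepare('INSERT INTO users (id, pass) VALUES (?, ?)');
    $stmt->execute([$id, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Verify in PHP, not in SQL: the query only fetches the hash, never the password.
function checkPasswordHashed(PDO $db, string $id, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    // password_verify() returns false for a missing row ($stored === false) too.
    return $stored !== false && password_verify($pass, $stored);
}

// Constructed demo on an in-memory SQLite database so it runs without MySQL.
// SQLite has no MD5() function, so only the password_hash() path is exercised here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id TEXT PRIMARY KEY, pass TEXT NOT NULL)');
storePasswordHashed($db, 'alice', 'correct horse');

var_dump(checkPasswordHashed($db, 'alice', 'correct horse'));  // right password
var_dump(checkPasswordHashed($db, 'alice', 'wrong'));          // wrong password
var_dump(checkPasswordHashed($db, 'nobody', 'x'));             // unknown user

// Slide 16's properties, shown directly: deterministic, fixed 32-hex-char output.
var_dump(md5('Friday') === md5('Friday'));
var_dump(strlen(md5('Friday')));
```

Slide 18's trick of applying MD5() or PASSWORD() in phpMyAdmin while inserting a row is replaced here by calling storePasswordHashed() from PHP, because password_hash() output cannot be produced by a MySQL function.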

  19. POST Form
  • A form that posts to itself
  • If the form has been submitted, check if the user/password pair is in the database

  20. POST Form
    $sql = "select 'OK' from tickets where authkey = \"" . $auth . "\" and user = md5(\"" . $userid . "\")";
    $result = mysql_query($sql);
    if (mysql_num_rows($result) != 1) {
        // bounce user to login page & exit
    } else {
        // send user to requested page or home page
    }

  21. Database Work

  22. Logout...
  • session_destroy();
    • Removes session data from memory
  • To 'log out' a user, you should call session_start() again
  • DELETE the row in the db

  23. Improvements • Groups • SSL • Tickets

  24. Groups
  • WordPress
    • has a user type field
    • User types 1 - 10
    • Each user type has all authorizations of the user types below it, plus extras
  • (Why isn't this a scalable model?)

  25. Groups
  • Groups
    • Allow a user to belong to N groups
    • Certain sections of your website require the user to belong to a certain group to gain access
  • This is how Drupal and portal frameworks work.

  26. Groups
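The "belongs to N groups" model of slides 25-26 needs a membership table rather than a single user-type number, and a check that a page section can call once the user is authenticated. The block below is an added example, not code from the slides: the table names (app_group, group_member) and the helper names are assumptions of this example, and the demo rows are constructed.

```php
<?php
// Added example (not from the slides): N-groups-per-user membership check.
// Table/column names and the constructed rows are this example's assumptions.

declare(strict_types=1);

// Authorization step: is this (already authenticated) user in the named group?
function userInGroup(PDO $db, string $userid, string $group): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM group_member gm
           JOIN app_group g ON g.id = gm.group_id
          WHERE gm.userid = ? AND g.name = ?'
    );
    $stmt->execute([$userid, $group]);
    return $stmt->fetchColumn() !== false;
}

// Gate a section of a page: authenticated (slides 14-15) but not authorized -> 403.
function requireGroup(PDO $db, string $userid, string $group): void
{
    if (!userInGroup($db, $userid, $group)) {
        http_response_code(403);
        echo 'Forbidden';
        exit();
    }
}

// Constructed demo on an in-memory SQLite database standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE app_group (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL)');
$db->exec('CREATE TABLE group_member (userid TEXT NOT NULL, group_id INTEGER NOT NULL,
           PRIMARY KEY (userid, group_id))');
$db->exec("INSERT INTO app_group (id, name) VALUES (1, 'editors'), (2, 'admins')");
// alice is in two groups at once, which the 1-10 ladder of slide 24 cannot express.
$db->exec("INSERT INTO group_member VALUES ('alice', 1), ('alice', 2), ('bob', 1)");

var_dump(userInGroup($db, 'alice', 'admins'));  // member of both groups
var_dump(userInGroup($db, 'bob', 'admins'));    // editor only
var_dump(userInGroup($db, 'carol', 'editors')); // no rows at all
```

The composite primary key on group_member stops the same membership being inserted twice, and the join by group name keeps the page code free of numeric group ids.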

  27. SSL
  • Secure Sockets Layer
  • Developed late '90s
  • Uses port 443
  • Encrypts data between client and server
  • Browser checks the server's certificate against an approved list of vendors

  28. SSL
  • Ensures the user's password isn't sent to the server in plain text
  • Ensures your banking data isn't readable by other people on the network as it is sent to your machine from the server.
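Slides 27-28 say SSL keeps the password and the returned data off the wire in plain text; the PHP side of that is making sure the login form is only ever served and posted over port 443 and that the session cookie from slides 12-15 is never sent over plain HTTP. The block below is an added example, not code from the slides. It assumes the web server sets `$_SERVER['HTTPS']` for TLS requests (Apache and nginx with php-fpm do) and PHP 7.3 or later for the array form of session_set_cookie_params(); the helper names are this example's own.

```php
<?php
// Added example (not from the slides): serve the login page only over SSL/TLS and
// keep the session cookie off plain HTTP. Helper names are this example's own.

declare(strict_types=1);

// True when the request arrived on the TLS port (443); the server sets HTTPS.
function isHttps(array $server): bool
{
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

// Bounce a plain-HTTP request to the same URL on https:// before any form is
// shown, so the browser never posts the password over port 80. As in slide 11,
// header() is followed by exit().
function requireHttps(array $server): void
{
    if (!isHttps($server)) {
        $target = 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
        header('Location: ' . $target, true, 301);
        exit();
    }
}

// Flag the session cookie: secure = only sent over TLS, httponly = not readable
// by page scripts, samesite = not attached to cross-site form posts.
// Must run before session_start().
function startSecureSession(): void
{
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

requireHttps($_SERVER);
// Tell the browser to use https:// for this host from now on (one year).
header('Strict-Transport-Security: max-age=31536000');
startSecureSession();
// ... login form and the checks of slides 14-15 follow here ...
```

Without the `secure` flag the cookie set over HTTPS is still sent along with any http:// request to the same host, which would expose the `auth`/`user` session the slides build even though the password itself was protected.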

  29. Tickets
  • Create a 'tickets' table in your DB
  • Add two fields
    • ticket (varchar 128, primary key)
    • session (varchar 128)
  • Using phpMyAdmin, insert a fake ticket code into a new record (leaving session blank), ex: blah

  30. Tickets: pickup.php
  • Takes a ticket_id like pickup.php?t=blah
  • Get the ticket_id
    $id = $_GET['t'];
  • Check if someone has already picked up the ticket
    $sql = "select 'OK' from tickets where ticket = '" . $id . "' and session = ''";

  31. Tickets: pickup.php
  • Run the SQL query with
    $result = mysql_query($sql);
  • Check if there is an unused ticket for pickup
    if (mysql_num_rows($result) != 1) {
        echo 'sorry';
        exit();
    }

  32. Tickets
    else {
        // start a new session
        session_start();
        // insert it into the DB
        $sql = "update tickets set session = \"" . session_id() . "\" where ticket = \"" . $id . "\"";
        // execute that query...
        mysql_query($sql);
        header('location: secure.php');
        exit();
    }

  33. Tickets: secure.php
  • Check if the user has a valid session
    $sid = session_id();
    $sql = "select 'OK' from tickets where session = \"" . $sid . "\"";
  • Check if the number of rows returned == 1.

  34. Authorizing a page
    if (mysql_num_rows($result) != 1) {
        echo 'NOPE';
        exit();
    } else {
        // ... you can put your 'secured' HTML or PHP here ...
    }
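Slides 29-34 build the ticket pickup and the secure page by pasting `$_GET['t']` and the session id straight into SQL strings. The block below is an added example, not code from the slides: it implements the same three steps (issue, pick up, check) with PDO prepared statements, so the `t` parameter can only ever be compared as data, and it handles two edge cases the slides skip: two requests racing for one ticket, and an empty session id matching the "unused" rows whose `session` column is blank. The tickets table with its ticket/session columns is the slides'; the helper names, the use of PDO, and the demo values are assumptions of this example.

```php
<?php
// Added example (not from the slides): ticket pickup/secure-page flow with PDO.
// Table/column names are the slides'; helpers and demo values are assumptions.

declare(strict_types=1);

// Slide 29 inserts a fake ticket by hand in phpMyAdmin; this mints an unguessable one.
function issueTicket(PDO $db): string
{
    $ticket = bin2hex(random_bytes(32));   // 64 hex chars, fits varchar(128)
    $stmt = $db->prepare("INSERT INTO tickets (ticket, session) VALUES (?, '')");
    $stmt->execute([$ticket]);
    return $ticket;
}

// pickup.php (slides 30-32): bind an unused ticket to this session. The UPDATE
// re-checks session = '' in its WHERE clause, so of two requests racing for the
// same ticket only one updates a row; the slides' separate SELECT-then-UPDATE
// could let both through.
function pickupTicket(PDO $db, string $ticket, string $sessionId): bool
{
    if ($sessionId === '') {
        return false;                       // session_start() not called yet
    }
    $stmt = $db->prepare("UPDATE tickets SET session = ? WHERE ticket = ? AND session = ''");
    $stmt->execute([$sessionId, $ticket]);
    return $stmt->rowCount() === 1;
}

// secure.php (slides 33-34): does the current session hold a picked-up ticket?
function sessionHasTicket(PDO $db, string $sessionId): bool
{
    if ($sessionId === '') {
        return false;   // an empty id would otherwise match every unused ticket row
    }
    $stmt = $db->prepare("SELECT 'OK' FROM tickets WHERE session = ?");
    $stmt->execute([$sessionId]);
    return $stmt->fetchColumn() === 'OK';
}

// Constructed demo on an in-memory SQLite database standing in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tickets (ticket VARCHAR(128) PRIMARY KEY, session VARCHAR(128) NOT NULL)');

$t   = issueTicket($db);
$sid = 'constructed-session-id';            // session_id() in a real request

var_dump(sessionHasTicket($db, $sid));      // nothing picked up yet
var_dump(pickupTicket($db, $t, $sid));      // first pickup claims the ticket
var_dump(pickupTicket($db, $t, 'other'));   // second pickup finds it used
var_dump(sessionHasTicket($db, $sid));      // secure.php would show its content
var_dump(sessionHasTicket($db, ''));        // the empty-session edge case
```

In a real pickup.php the calls are `session_start(); pickupTicket($db, $_GET['t'] ?? '', session_id())` followed by the slide's `header('location: secure.php'); exit();`, and secure.php starts with `session_start(); if (!sessionHasTicket($db, session_id())) { echo 'NOPE'; exit(); }`.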

  35. Other Types of Auth
  • Basic Auth
    • Lower Level
  • CAS
    • Higher Level

  36. HTTP Basic Auth
  • Browser generates a form based on headers returned from the server.
  • Commonly used for services // sometimes PHP will be a client in this setting
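Slide 36 describes HTTP Basic Auth from both sides: the server answers with headers that make the browser show its own login box, and a PHP script can also be the client that sends the credentials. The block below is an added example, not code from the slides, showing both halves. It assumes PHP running under mod_php or php-fpm, where the browser's Authorization header is exposed as `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']`; the credential store, the realm string and the helper names are constructed for the example.

```php
<?php
// Added example (not from the slides): HTTP Basic Auth, server side and client side.
// The credential store, realm and helper names are constructed assumptions.

declare(strict_types=1);

// Constructed store: username => password_hash() output (never the plain password).
$users = [
    'svc-reader' => password_hash('constructed-demo-pass', PASSWORD_DEFAULT),
];
// A throwaway hash used so that an unknown user costs the same time as a wrong
// password, which keeps usernames from being guessed through response timing.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

// Returns the authenticated username, or null if the request carried no valid pair.
function basicAuthUser(array $server, array $users, string $dummyHash): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pw   = $server['PHP_AUTH_PW'] ?? '';
    if (!isset($users[$user])) {
        password_verify($pw, $dummyHash);
        return null;
    }
    return password_verify($pw, $users[$user]) ? $user : null;
}

// Server side: these two headers are what make the browser generate its form.
function requireBasicAuth(array $server, array $users, string $dummyHash): string
{
    $user = basicAuthUser($server, $users, $dummyHash);
    if ($user === null) {
        header('WWW-Authenticate: Basic realm="example service", charset="UTF-8"');
        header('HTTP/1.1 401 Unauthorized');
        echo 'Authentication required';
        exit();                             // slide 11: stop after the headers
    }
    return $user;
}

// Client side: the header a PHP script sends when it is the one calling a service.
// Basic auth only base64-encodes user:pass, it does not encrypt it, so this
// belongs on an https:// URL only (slides 27-28).
function basicAuthHeader(string $user, string $pass): string
{
    return 'Authorization: Basic ' . base64_encode($user . ':' . $pass);
}

function fetchWithBasicAuth(string $url, string $user, string $pass): string|false
{
    $ctx = stream_context_create(['http' => [
        'header' => basicAuthHeader($user, $pass) . "\r\n",
    ]]);
    return file_get_contents($url, false, $ctx);
}

$who = requireBasicAuth($_SERVER, $users, $dummyHash);
echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

The browser resends the Authorization header on every later request to that realm, so there is no server-side session to destroy; "logging out" of Basic Auth is up to the browser, which is one reason the slides treat it as the lower-level option.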

  37. CAS
  • Central Auth Server used
  • Services bounce unauthenticated users to the central server
  • Server gives client a key
  • Service requests key from the central server & compares it with the key from the client
  • What's the advantage?

  38. In Class...
  • Create a users table
    • userid (PK)
    • password: use MD5() when inserting a password
  • Create a keys table
    • userid
    • authkey

  39. In Class...
  • Create a PHP page (login.php)
    • With a form with
      • Username field
      • Password field
    • Form posts to its own page
    • If post vars are set
      • Check user/pass in db
      • If they match an entry
        • Set session values
          • userid
          • authkey
        • Store the auth key & user in the db

  40. In Class...
  • Create a PHP page that checks the user's session
    • If not set, send them to login.php
    • If set, check for the user/key pair in the db
      • If they match
        • Display the rest of the page content
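The in-class exercise of slides 38-40 is the login.php / protected-page flow that slides 8-15 and 19-22 sketch piece by piece. The block below is an added example, not code from the slides, that carries the whole flow through in one file: the self-posting form, the db check, the auth key stored in the session and in the keys table, the check a protected page runs, and logout. It uses PDO prepared statements and password_verify() in place of the slides' mysql_query() strings and md5(); it also validates the `r` return path from slides 8 and 10 so that login.php can only redirect within the site. The users/keys tables and their columns are the slides' (the keys table is quoted with backticks because KEYS is a reserved word in MySQL); the connection placeholders, helper names and PHP 8 string functions are assumptions of this example.

```php
<?php
// Added example (not from the slides): login.php plus the helpers a protected page
// and a logout link call. PDO, password_verify() and the placeholders are assumptions.

declare(strict_types=1);

// Slide 10 redirects to $_GET['r'] as given. Accept only a local path (leading "/",
// not "//", no header-splitting newline), otherwise fall back to the homepage of slide 8.
function safeReturnPath(string $r): string
{
    $local = $r !== '' && $r[0] === '/' && !str_starts_with($r, '//') && !str_contains($r, "\n");
    return $local ? $r : '/';
}

// Slide 11: header() must be followed by exit(), or the rest of the script still runs.
function bounce(string $location): void
{
    header('Location: ' . $location);
    exit();
}

// Slide 39: is this user/password pair in the users table?
function checkCredentials(PDO $db, string $userid, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE userid = ?');
    $stmt->execute([$userid]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Slide 14: mint an auth key, store it with the userid in the db, put both in the session.
function loginUser(PDO $db, string $userid): void
{
    $auth = bin2hex(random_bytes(32));      // random, instead of md5(time() . ip . 'secret')
    session_regenerate_id(true);            // fresh session id once the user is logged in
    $stmt = $db->prepare('INSERT INTO `keys` (userid, authkey) VALUES (?, ?)');
    $stmt->execute([$userid, $auth]);
    $_SESSION['user'] = $userid;
    $_SESSION['auth'] = $auth;
}

// Slides 15 and 40: does the session's user/key pair exist in the db?
function sessionIsAuthed(PDO $db): bool
{
    if (!isset($_SESSION['user'], $_SESSION['auth'])) {
        return false;
    }
    $stmt = $db->prepare("SELECT 'OK' FROM `keys` WHERE userid = ? AND authkey = ?");
    $stmt->execute([$_SESSION['user'], $_SESSION['auth']]);
    return $stmt->fetchColumn() === 'OK';
}

// Slide 22: delete the key row, then drop the session data.
function logoutUser(PDO $db): void
{
    if (isset($_SESSION['user'], $_SESSION['auth'])) {
        $stmt = $db->prepare('DELETE FROM `keys` WHERE userid = ? AND authkey = ?');
        $stmt->execute([$_SESSION['user'], $_SESSION['auth']]);
    }
    $_SESSION = [];
    session_destroy();
}

// ---- login.php (slides 8, 19 and 39) ----
session_start();
$db = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$r = safeReturnPath($_GET['r'] ?? '');

if (sessionIsAuthed($db)) {
    bounce($r);                             // already logged in: go to r or home
}
if (isset($_POST['username'], $_POST['password'])) {
    if (checkCredentials($db, $_POST['username'], $_POST['password'])) {
        loginUser($db, $_POST['username']);
        bounce($r);
    }
    $error = 'Wrong username or password';  // same message for unknown user and bad password
}
?>
<form method="post" action="login.php?r=<?= htmlspecialchars($r, ENT_QUOTES, 'UTF-8') ?>">
  <?php if (isset($error)) { echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'; } ?>
  <input name="username">
  <input name="password" type="password">
  <button>Log in</button>
</form>
```

A protected page such as article.php (slides 8 and 40) includes these helpers and opens with `session_start(); if (!sessionIsAuthed($db)) { bounce('login.php?r=' . urlencode($_SERVER['REQUEST_URI'])); }` before displaying anything; a logout link calls logoutUser($db) and then bounce('/'). The slides' table named keys needs the backticks in every query, and the password column must be wide enough for password_hash() output (varchar(255) is the usual choice).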

  41. In Class
  • There should be lots of copy/paste from previous PHP/MySQL work
  • Any questions up front?
