420 likes | 714 Views
Authentication / Authorization. Users and Access Control. Authentication. Who you are. Authorization. What you can do. Authentication & Authorization. Ex: Scanning your card at a door. Scanner looks up card ID, resolves it to a person ID Checks if person is allowed to open door
E N D
Authentication / Authorization Users and Access Control
Authentication • Who you are
Authorization • What you can do
Authentication & Authorization • Ex: Scanning your card at a door. • Scanner looks up card ID, resolves it to a person ID • Checks if person is allowed to open door • Unlocks door (if appropriate)
Authentication without Authorization • You & Your Passport • CAS
Authorization withoutAuthentication • Combination lock • Thruway Ticket
Access Control in PHP • Using tools we already know (and love) • Sessions • Persistence for relationship between client and server • Use header() to bounce • Unauthenticated users to the login page • Store User name & password in a mysql database • HTML Form • A login form
Flow article.php?id=27 If not authed: send user to login.php?r=article.php?id=27 exit(); Else: show page content ….Look up & display article 27 login.php if session set if r !=“” redirect to r else redirect to homepage If else post vars set check if user/pass match entry in db Else present login form
Tasks • Redirects with Header() • Stopping script with Exit() • Setting Sessions • Checking Sessions • Posting Forms • DB Queries
Redirect w/ Header() header('location: <<web address>>'); Example 1: header('location: login.php'); Example 2: $loc = 'location: ‘ . $_GET[‘r’]; header($loc);
EXIT • Must call exit() directly after header() is called • Prevents code from being executed even if user has been bounced to alternate URL • exit() is equivalent to die() … both stop the script from being executed
Setting Sessions //start sessions on the current script session_start(); //set a session $_SESSION[‘today’] = “Friday”;
Getting A session value //sessions have already been started If($_SESSION[‘today’] == ‘Friday’){ echo ‘dj at daisy\’s’; }else{ echo ‘sadfaces’; }
Sessions & Auth: Setting After login form is posted & user/password is looked up in db: $auth = md5(time() . $_SERVER['REMOTE_ADDR'] . ‘secret’); //save $auth + $userid in the database $_SESSION[‘auth’] = $auth; $_SESSION[‘user’] = $userid;
Sessions & Auth: Checking On a auth protected page: $auth = $_SESSION[‘auth’]; $userid = $_SESSION[‘user’]; $sql = “select ‘OK’ from tickets where authkey = \””.$auth.”\” and user = \”” . $userid . “\””; $result = mysql_query($sql); If (mysql_num_rows($results) != 1){ // bounce user to login page & exit }else{ // display content }
MD5 • MD5 returns a non reversible hash of a string • MD5 returns the same hash for a given string every time it is called • MD5 may return the same hash for two different input strings
MD5 • Because you don’t trust your DBA $pass = $_POST[‘password’]; $sql = “select pass, id from users where id = . “$id “. and pass = md5(\”“. $pass.”\”)”; Md5() is a mysql function
MD5 • You can apply the MD5 [or password()] function to a field when INSERTING a row via PHPMYADMIN
POST Form • A form that posts to itself • If the form has been subbmitted, check if user/password pair on in the database
POST Form $sql = “select ‘OK’ from tickets where authkey = \””.$auth.”\” and user = md5(\”” . $userid . “\”)”; $result = mysql_query($sql); If (mysql_num_rows($results) != 1){ // bounce user to login page & exit }else{ // send user to requested page or home page }
Logout… • session_destroy(); • Removes session data from memory • To ‘log out’ a user, you should call session_start() again • DELETEs the row in the db
Improvements • Groups • SSL • Tickets
Groups • Wordpress • has a user type field • User types 1 – 10 • Each user type as all authorizations of the users below it, plus extras • (Why isn’t this a scaleable model?)
Groups • Groups • Allow a user to belong to N groups • Certain sections of your website require the user belong to a certain group to gain access • This is how Drupal and portal frameworks work.
SSL • Secure Sockets Layer • Developed late ‘90s • Uses port 443 • Encrypts data between client and server • Brower checks server’s certificate against an approved list of vendors
SSL • Ensures users password isn’t sent to the server with in plain text • Ensures your banking data isn’t readable to other people on the network when as it is sent to your machine from the server.
Tickets • Create a ‘tickets’ table in your DB • Add two fields • Ticket (varchar 128, primary key) • Session (varchar 128) • Using PHPMYADMIN insert a fake ticket code into a new record (leaving session blank) ex: blah
Tickets pickup.php • Takes a ticket_id like pickup.php?t=blah • Get the ticket_id $id = $_GET[‘t’]; • Check if someone has already picked up the ticket $sql = “select ‘OK’ from tickets where ticket = ‘”.$id.’” and session = ‘’”;
Tickets pickup.php • Run the sql query with $result = mysql_query($sql); • Check if there is an unused ticket for pickup If(mysql_num_rows($results) != 1){ echo ‘sorry’; exit(); }
Tickets else{ //start a new session session_start(); //insert it into the DB sql = “update tickets set session = \“”. session_id() .”\” where ticket = \””. $id . ”\””; //Execute that query… header('location: secure.php'); }
Tickets secure.php • Check if the user has a valid session $sid = session_id(); $sql = “select ‘OK’ from tickets where session = \””.$sid.”\”; Check if the num of rows returned == 1.
Authorizing a page If(mysql_num_rows($results) != 1){ echo ‘NOPE’; exit(); }else{ //… you can put your ‘secured HTML or PHP here…. }
Other Types of Auth • Basic Auth • Lower Level • CAS • Higher Level
HTTP Basic Auth • Browser generates form based on headers returned from server. • Commonly used for services // sometimes PHP will be a client in this setting
CAS • Central Auth Server used • Services bounce unauthenticated users to the central server • Server gives client a key • Service requests key from the central server & compares it with the key from the client • What’s the advantage?
In Class… • Create a users table • userid(PK) • Password use MD5() when inserting a password • Create a Keys table • Userid • Authkey
In Class… • Create a php page (login.php) • With a form with • Username field • Password field • Form posts to its own page • If post vars are set • Check user/pass in db • If they match an entry • Set a sessions • Userid • Authkey • Store the auth key & user in the db
In Class… • Create a php page that checks user’s sessions • If not set, send them to login.php • If set, check for user/key pair in db • If they match • Display the rest of the page content
In Class • There should be lots of copy/paste from previous php/mysql work • Any questions up front?