
Chapter 6: Authentications


laurenpike




Presentation Transcript


  1. Chapter 6: Authentications

  2. Overview
  • Getting Username and Password
  • Verifying Username and Password
  • Keeping The Verification Result

  3. Getting Username and Password (1)
  • Two methods to get the username and password from the browser:
    • HTTP Authentication with PHP
    • Using the HTML <form> tag
  • HTTP Authentication with PHP
    • Makes use of HTTP headers
    • Headers sent:
      WWW-Authenticate: Basic realm="My Realm"
      HTTP/1.0 401 Unauthorized
    • Example:
      <?php
      // Ask the browser to prompt for credentials for the named realm
      header('WWW-Authenticate: Basic realm="PHP Training"');
      header('HTTP/1.0 401 Unauthorized');
      ?>

  4. Getting Username and Password (2)
  • To get the user's input:
    • Use the super-globals $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']
  • The basic HTTP authentication example:
      <?php
      if (!isset($_SERVER['PHP_AUTH_USER'])) {
          // No credentials yet: ask the browser to prompt for them
          header('WWW-Authenticate: Basic realm="PHP Training"');
          header('HTTP/1.0 401 Unauthorized');
          echo 'Text to send if user hits Cancel button';
      } else {
          // Demo only: the values come from the client, so escape them before output
          echo "<p>Hello " . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . ".</p>";
          echo "<p>You entered " . htmlspecialchars($_SERVER['PHP_AUTH_PW']) . " as your password.</p>";
      }
      ?>

  5. Getting Username and Password (3)
  • Digest HTTP Authentication
    • When using HTTP Basic Authentication, the username-password pair is effectively transmitted in the clear.
    • Using digest authentication, your password is never sent across the network in the clear, but is always transmitted as an MD5 digest of the user's password.
    • This mechanism is an alternative authentication method, so we do not describe it in more detail here.
    • If you are interested in this method, refer to the example in the PHP manual.
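As an added example (not from the original deck), the following PHP function decodes the Authorization header that the browser sends for HTTP Basic authentication. It shows concretely why the slide says the pair is "effectively transmitted in the clear": base64 is a reversible encoding, not encryption, so anyone who can read the header recovers the password. The helper name parse_basic_authorization and the sample header are assumptions. The Apache module exposes the decoded values as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']; under CGI/FastCGI the raw header is only available as $_SERVER['HTTP_AUTHORIZATION'] if the web server is configured to pass it, in which case it has to be decoded like this.

```php
<?php
// Added example, not part of the original deck.
// Decodes an HTTP Basic "Authorization" header value into user and password.
// Returns array('user' => ..., 'pass' => ...) or null if the header is not a
// well-formed Basic credential. parse_basic_authorization is a hypothetical name.
function parse_basic_authorization($header)
{
    // The scheme token is case-insensitive; the credential is one base64 token
    if (!is_string($header) || !preg_match('/^Basic\s+([A-Za-z0-9+\/]+=*)$/i', trim($header), $m)) {
        return null;
    }
    // Strict decoding rejects characters outside the base64 alphabet
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;   // RFC 7617 requires the form "user-id:password"
    }
    // Split on the FIRST colon only: the user-id cannot contain one, the password can
    list($user, $pass) = explode(':', $decoded, 2);
    return array('user' => $user, 'pass' => $pass);
}

// Constructed sample: what the browser sends after the user types Mary / aa123
$sample_header = 'Basic ' . base64_encode('Mary:aa123');
$cred = parse_basic_authorization($sample_header);

echo "Header on the wire: $sample_header\n";
echo "Recovered user: {$cred['user']}, password: {$cred['pass']}\n";

// Malformed inputs are rejected instead of yielding a partial credential
var_dump(parse_basic_authorization('Bearer abc'));
var_dump(parse_basic_authorization('Basic ' . base64_encode('nocolon')));
```

The two var_dump calls at the end print NULL, because a non-Basic scheme and a credential without a colon are both rejected; only the well-formed sample yields the original username and password.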

  6. Getting Username and Password (4)
  • Using the HTML <form> tag
    • Use the POST method to get the user's input.
    • Note: GET is not recommended because the data appears in the URL.
  • Example (HTML page):
      <form method="POST" action="6-2.php">
      Username: <input type="text" name="user"> <br />
      Password: <input type="password" name="pass"> <br />
      <input type="submit" value="Login">
      <input type="reset" value="Clear">
      </form>
  • Example (6-2.php, the page the form posts to):
      <?php
      // Read the form fields; missing fields become empty strings instead of notices
      $user = isset($_POST['user']) ? $_POST['user'] : '';
      $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
      echo "<p>Hello " . htmlspecialchars($user) . ".</p>";
      echo "<p>You entered " . htmlspecialchars($pass) . " as your password.</p>";
      ?>

  7. Getting Username and Password (5)
  • Practicing
    • Create an HTML page for entering a username, a password, and any other data you want to know, for example name, birthday, mail address, or a simple math question.
    • Create a PHP page which receives the authentication information from the above HTML page with the POST method. If it cannot receive authentication data from the POST method, it must produce an authentication input message box itself.
    • When it has received the username, password, and the other user input, show them in the browser.
  • http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1a.html
  • http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1a.txt
  • http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1b.php
  • http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1b.txt

  8. Verifying Username and Password (1)
  • Verification
    • After getting the username and password from the user, the next problem is how to check that they are correct.
    • How to encrypt the password? We do not cover that here.
    • We only protect the service from illegitimate connections.
  • Approaches
    • Record the username/password pairs in:
      • PHP arrays
      • Databases
    • Make use of existing services:
      • FTP
      • POP3/IMAP
      • ...etc.

  9. Verifying Username and Password (2)
  • Verification using a PHP array
    • Record the "username => password" map in an array
  • Example:
      <?php
      $users = array(
          'Mary'  => 'aa123',
          'John'  => 'uupx',
          'Jerry' => 'password');

      // Ask the browser for credentials
      function auth() {
          header('WWW-Authenticate: Basic realm="PHP Training"');
          header('HTTP/1.0 401 Unauthorized');
          echo 'Text to send if user hits Cancel button';
      }

      // Compare the supplied password with the one recorded for this user;
      // an unknown user fails instead of raising an undefined-index notice
      function check_auth($usr, $pwd) {
          global $users;
          if (isset($users[$usr]) && $users[$usr] === $pwd)
              return TRUE;
          else
              return FALSE;
      }

      $un = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
      $up = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
      if (!isset($un) || !check_auth($un, $up)) {
          auth();
      } else {
          echo "<p>Hello " . htmlspecialchars($un) . ".</p>";
          echo "<p>You entered " . htmlspecialchars($up) . " as your password.</p>";
      }
      ?>

  10. Verifying Username and Password (3)
  • Verification using databases
    • Record the "username => password" map in a database table.
  • Example (change the check_auth function in the previous example):
      <?php
      // mysqli replaces the mysql_* functions, which were removed in PHP 7
      $link = mysqli_connect("localhost", "ystseng", "xxxxxx", "ystseng_tphp")
          or die(mysqli_connect_errno() . ": " . mysqli_connect_error());

      function check_auth($usr, $pwd) {
          global $link;
          // Prepared statement: username and password are bound as data,
          // so quotes in the input cannot change the meaning of the query
          $sql = "SELECT ID FROM auth WHERE username = ? AND password = ?";
          if (!($stmt = mysqli_prepare($link, $sql))) return false;
          mysqli_stmt_bind_param($stmt, "ss", $usr, $pwd);
          if (!mysqli_stmt_execute($stmt)) return false;
          mysqli_stmt_store_result($stmt);
          // Exactly one matching row means the pair is valid
          $ok = (mysqli_stmt_num_rows($stmt) == 1);
          mysqli_stmt_close($stmt);
          return $ok;
      }
      ?>
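Added example (not from the original deck): the database check from this slide written against an in-memory SQLite database via PDO, so it runs offline with constructed rows. It assumes the pdo_sqlite extension; the table layout (ID, username, password) follows the deck's "auth" table, and the function names open_demo_db and interpolated_sql are assumptions. It also shows what the original string-built query turns into when a username contains an apostrophe, which is why the values must be bound as parameters.

```php
<?php
// Added example, not from the original deck: PDO + SQLite version of the
// "Verification using databases" slide. Table and rows are constructed here.

function open_demo_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth (ID INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    // Plaintext passwords, as in the deck (hashing is outside this chapter's scope)
    $ins = $db->prepare('INSERT INTO auth (username, password) VALUES (?, ?)');
    $sample = array('Mary' => 'aa123', 'John' => 'uupx', "O'Hara" => 'pw');
    foreach ($sample as $u => $p) {
        $ins->execute(array($u, $p));
    }
    return $db;
}

// Same logic as the slide's check_auth(): exactly one matching row means success.
// The values are bound as parameters, so a quote inside the username or password
// is compared literally instead of being parsed as part of the SQL.
function check_auth(PDO $db, $usr, $pwd)
{
    $stmt = $db->prepare('SELECT ID FROM auth WHERE username = ? AND password = ?');
    $stmt->execute(array($usr, $pwd));
    return count($stmt->fetchAll(PDO::FETCH_ASSOC)) == 1;
}

// What the slide's string-built query looks like for the same input: the
// apostrophe in O'Hara unbalances the quotes, so the query is no longer the
// one the programmer meant. Built here for display only, never executed.
function interpolated_sql($usr, $pwd)
{
    return "Select ID From auth Where username='$usr' And password='$pwd'";
}

$db = open_demo_db();
var_dump(check_auth($db, 'Mary', 'aa123'));
var_dump(check_auth($db, 'Mary', 'wrong'));
var_dump(check_auth($db, "O'Hara", 'pw'));
echo interpolated_sql("O'Hara", 'pw'), "\n";
```

The first and third calls return true and the second false; the last line prints the string-built query so the broken quoting is visible without running it.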

  11. Verifying Username and Password (4)
  • Verification using an existing FTP service
    • Try to log in to an existing FTP site; if the FTP site accepts the username and password, we accept them too.
  • Example (change the check_auth function in the previous example):
      function check_auth($usr, $pwd) {
          $ftp_server = "tphp.cs.nctu.edu.tw";
          $conn_id = ftp_connect($ftp_server);
          // server unreachable: treat as a failed login rather than calling ftp_login on false
          if (!$conn_id)
              return FALSE;
          // login with username and password (ftp_login emits a warning on bad credentials)
          $login_result = @ftp_login($conn_id, $usr, $pwd);
          ftp_close($conn_id);
          return $login_result ? TRUE : FALSE;
      }

  12. Verifying Username and Password (5)
  • Verification using an existing e-mail service
    • Try to log in to an existing mail server and check whether the username and password are accepted by the e-mail server (protocol: POP3 or IMAP).
  • Example (change the check_auth function in the previous example):
      function check_auth($usr, $pwd) {
          // OP_HALFOPEN: authenticate only, without opening a mailbox
          $ret = @imap_open("{msa.hinet.net:143}", $usr, $pwd, OP_HALFOPEN);
          $auth = $ret ? true : false;
          if ($ret) imap_close($ret);
          return $auth;
      }

  13. Verifying Username and Password (6)
  • http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1a.html
  • http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1a.txt
  • http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1b.php
  • http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1b.txt
  • Practicing
    • Create an HTML page for entering a username, a password, and any other data you want to know, for example name, birthday, mail address, or a simple math question.
    • Create a PHP page which receives the authentication information from the above HTML page with the POST method. If it cannot receive authentication data from the POST method, it must produce an authentication input message box itself.
    • When the authentication information is correct, it shows a "hello message" and a visit counter. This visit counter can be stored in a cookie (remember to set the expiry time).
  • Hints
    • You can use an array variable in your PHP code, or a database, to store the usernames and passwords that are compared with the user's input.

  14. Keeping The Verification Result (1)
  • After authentication, we have to keep the username and password that the user typed.
    • With "HTTP Authentication", the browser keeps sending the user/pass in the request header until it is closed.
    • With the "HTML <form> tag", we have to keep the data ourselves.
  • Methods
    • Using <input type="hidden"> while jumping between pages.
      • Not suitable: easily lost, and the username/password appear in the HTML.
    • Cookie and session, mentioned in chapter 4.
  • Difference
    • A cookie is stored on the client side, a session on the server side.
    • A session ends when the browser is closed; a cookie can be kept for a longer time.

  15. Keeping The Verification Result (2)
  • Examples
    • We design a function to check whether the login succeeded.
    • If not, redirect the browser to the login page.
    • The login procedure checks the username and password.
    • When the login succeeds, it redirects again to the original page.
  • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_login.php
  • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_1.php
  • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_2.php
  • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_3.php
  • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_logout.php

  16. Keeping The Verification Result (3)
  • ex6-3_inc.php
    • Library function. It is included by all PHP pages.
      <?php
      $users = array("peter" => "1234", "mary" => "abcd");

      function check_auth() {
          global $users;
          if (!isset($_COOKIE['PASS']) || !isset($_COOKIE['USER'])) {
              header("Location: ex6-3_login.php?URL=" . urlencode($_SERVER['PHP_SELF']));
              exit;   // stop here: the rest of the page must not run unauthenticated
          }
          // Strict comparison (!==): a loose != between two numeric-looking
          // strings (e.g. an MD5 hash of the form "0e...") would compare them as numbers
          if (!isset($users[$_COOKIE['USER']])
              || md5($users[$_COOKIE['USER']]) !== $_COOKIE['PASS']) {
              header("Location: ex6-3_login.php?URL=" . urlencode($_SERVER['PHP_SELF']));
              exit;
          }
      }
      ?>

  17. Keeping The Verification Result (4)
  • ex6-3_login.php
    • Login PHP page.
      … …
      <form action="ex6-3_auth.php" method="post">
      <!-- URL comes from the query string, so it is escaped before being placed in the attribute -->
      <input type="hidden" name="URL" value="<?= isset($_GET['URL']) ? htmlspecialchars($_GET['URL']) : '' ?>">
      Username: <input type="text" name="USER"><br>
      Password: <input type="password" name="PASS"><br>
      <input type="submit" value="Login">
      </form>
      … …

  18. Keeping The Verification Result (5)
  • ex6-3_auth.php
    • Login procedure PHP page.
      <?php
      require_once("ex6-3_inc.php");
      $user = isset($_POST['USER']) ? $_POST['USER'] : '';
      $pass = isset($_POST['PASS']) ? $_POST['PASS'] : '';
      if (isset($users[$user]) && $users[$user] === $pass) {
          setcookie("USER", $user, time() + 3600);
          setcookie("PASS", md5($pass), time() + 3600);
          // Only follow a site-local path (single leading "/"), so the URL field
          // cannot send the browser to another host
          if (!empty($_POST['URL']) && preg_match('#^/(?![/\\\\])\S*$#', $_POST['URL'])) {
              /* redirect to original page */
              header("Location: http://$_SERVER[SERVER_NAME]{$_POST['URL']}");
          } else {
              header("Location: ex6-3_1.php");
          }
          exit;
      } else {
          echo "Wrong username or password";
      }
      ?>

  19. Keeping The Verification Result (6)
  • ex6-3_1.php
    • Data PHP page.
      <?php
      require_once("ex6-3_inc.php");
      check_auth();   // redirects to the login page unless the cookies check out
      echo "Hello, " . htmlspecialchars($_COOKIE['USER']) . ", this file is ex6-3_1.php";
      ?>
  • ex6-3_2.php
    • Data PHP page.
      <?php
      require_once("ex6-3_inc.php");
      check_auth();
      echo "Hey!, " . htmlspecialchars($_COOKIE['USER']) . ", this file is ex6-3_2.php";
      ?>
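Added example (not from the original deck): the ex6-3 login flow of slides 16 to 19 with the verification result kept in a server-side PHP session instead of the deck's USER/PASS cookie pair, i.e. the "session on the server side" option that slide 14 lists. The function names local_path, auth_login, require_login and auth_logout are hypothetical; the $users table and the page names ex6-3_login.php and ex6-3_1.php follow the deck. Because nothing derived from the password leaves the server, a data page only needs to consult $_SESSION, and the redirect target is checked so that the URL field cannot point at another host.

```php
<?php
// Added example, not from the original deck: session-based version of the
// ex6-3 library (ex6-3_inc.php) and login handler (ex6-3_auth.php).

$users = array("peter" => "1234", "mary" => "abcd");   // same demo table as the deck

// Accept only a site-local path as a post-login redirect target: it must start
// with a single "/" (not "//" or "/\", which browsers read as another host)
// and contain no whitespace or line breaks.
function local_path($url)
{
    if (!is_string($url) || !preg_match('#^/(?![/\\\\])\S*$#', $url)) {
        return null;
    }
    return $url;
}

// Check the credentials against $users and record the user in the session.
function auth_login($user, $pass)
{
    global $users;
    if (!is_string($user) || !is_string($pass) || !isset($users[$user])) {
        return false;
    }
    if (!hash_equals($users[$user], $pass)) {   // length-independent string comparison
        return false;
    }
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['USER'] = $user;
    return true;
}

// Replacement for check_auth() in ex6-3_inc.php: data pages call this first.
function require_login()
{
    if (empty($_SESSION['USER'])) {
        header("Location: ex6-3_login.php?URL=" . urlencode($_SERVER['PHP_SELF']));
        exit;
    }
    return $_SESSION['USER'];   // the page can greet the user without reading a cookie
}

// Replacement for ex6-3_logout.php: forget the server-side state.
function auth_logout()
{
    $_SESSION = array();
    session_destroy();
}

// Handler part, replacing ex6-3_auth.php: the login form posts USER, PASS and URL here.
session_start();
if (isset($_POST['USER'], $_POST['PASS'])) {
    if (auth_login($_POST['USER'], $_POST['PASS'])) {
        $target = local_path(isset($_POST['URL']) ? $_POST['URL'] : '');
        header("Location: " . ($target !== null ? $target : "ex6-3_1.php"));
        exit;
    }
    echo "Wrong username or password";
}
```

A data page then reads require_once of this file, calls session_start() and require_login(), and greets the returned username; the session cookie the browser holds is only an opaque identifier, which is the practical difference from the md5(password) cookie in the deck's version.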

  20. Q&A
