Authentication and Security

Note: What we discuss in class today covers moderate to low security. Before you involve yourself in a project that requires high security (credit card info, social security numbers, etc.), take a class on database security. It's becoming more common for sites to keep records of the transactions while offloading payment etc. to sites like Paypal, which handle the secure side of the transaction. This approach minimizes risk and cost. That said, what we're covering today will let you control user access.

Authentication and Security
HTTP authentication
Using PHP scripts to manage user authentication and authorization
Using PHP scripts to authenticate users against a database
Building session based web database applications to authenticate users
SSL – Secure Sockets Layer
HTTP authentication
HTTP authentication allows you to password protect a directory. There are 3 steps:
1- Create an access file, which describes which users can access a site.
2- Create a password file, which lists the user names and passwords allowed.
3- Upload the files.

HTTP authentication
1- Create an access file, which describes which users can access a site.
Open the text editor and save a new file called ".htaccess".

Basic format:
    AuthUserFile /full_path/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Page Name"
    AuthType Basic
    require user UserName

Example:
    AuthUserFile /home/denning/www/ezcontents1_4x/contentdocument/intro_to_db/cl_8/http_pass/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Super Secret Page"
    AuthType Basic
    require valid-user

full_path is the location of the .htpasswd file. This should be outside your normal directories. UserName is the name of the user allowed to access the pages. Use "require valid-user" (any user listed in .htpasswd) if more than one person can access the directory; use "require user" with a specific username, in this case Test, if only one person can access the directory. There is no group file, so we specify /dev/null (the standard Unix way to say "this file doesn't exist").
HTTP authentication
2- Create a password file, which lists the user names and passwords allowed.
Open the text editor and save a new file called ".htpasswd".
Decide on a user name and password:
    name: Test
    password: Class
Generate the password entry using a tool that encrypts the password (see the link from the syllabus to http://www.euronet.nl/~arnow/htpasswd/ ).

Basic format:
    UserName:Password

Example:
    Test:180TuOLtbRWCU

It's crucial that you press enter after each line (the last line should be an empty one, not a line with a password entry in it) and that you upload the file as 'text' or 'ascii'. Also, keep in mind that these lines are case-sensitive; you should enter a capital as a capital and a lower-case character as a lower-case character.

HTTP authentication
3- Upload the files.
.htpasswd should go to a secure location on your website.
.htaccess should go in the directory you want to protect.
NOTE: the "full path" in .htaccess needs to match the location of .htpasswd.

HTTP authentication
Multiple users
1- Modify .htpasswd (one user per line, no spaces around the colon):
    user1:NgFQ1vnnW/tJk
    user2:mWaquohh.OY3w
    user3:EMt8amgnyuYD2

Using groups
1- Create a file called ".htgroup" (similar to .htpasswd):
    my-users: user1 user2 user3
2- Modify the .htaccess file in the directory to look like this:
    AuthUserFile /home/john/.htpasswd
    AuthGroupFile /home/john/.htgroup
    AuthName "Johns page"
    AuthType Basic
    require group my-users
Using PHP scripts to manage user authentication and authorization
PHP can access the name and password variables submitted through HTTP authentication:

    <?php
    // With register_globals (PHP 3/4 era) these arrived as $PHP_AUTH_USER and
    // $PHP_AUTH_PW; on any PHP version they are available in $_SERVER.
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pw   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
    print("<html><head><title></title></head><body>");
    print("Hi this is the index<br>");
    print("You are: " . htmlspecialchars($user) . "<br>");
    print("using password: " . htmlspecialchars($pw) . "<br>");   // class demo only
    print("</body></html>");
    ?>
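As an added example (not from the slides) that ties steps 1-3 and this slide together: a PHP page that issues the Basic challenge itself and checks the credentials against an .htpasswd-style file, plus a helper that writes an entry in that format. It assumes PHP runs as an Apache module (so PHP_AUTH_USER is filled in); the file path is a placeholder, and the bcrypt entries it writes are the same format Apache 2.4's "htpasswd -B" produces, so the file also works with the .htaccess shown earlier.

```php
<?php
// Added example, not the slides' code: HTTP Basic auth handled in PHP,
// verified against an .htpasswd-style file ("user:hash" per line).
const HTPASSWD_FILE = '/home/example/private/.htpasswd';   // placeholder, outside the web tree

// Produce one .htpasswd line for a new user (bcrypt; PHP picks a random salt).
function htpasswd_line(string $user, string $password): string {
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name may not contain ":" or newlines');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
}

// Find the user in the file and verify the password against the stored hash.
// Returns true only when the name exists and the hash matches; names are
// case-sensitive, as on the .htpasswd slide.
function htpasswd_check(string $file, string $user, string $password): bool {
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false;                           // missing file: nobody gets in
    }
    foreach ($lines as $line) {
        [$name, $hash] = explode(':', $line, 2) + [1 => ''];
        if ($name === $user) {
            return password_verify($password, $hash);   // constant-time compare
        }
    }
    return false;
}

// Send the 401 challenge unless valid credentials were supplied; returns the user name.
function require_basic_auth(string $realm): string {
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pw   = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user === '' || !htpasswd_check(HTPASSWD_FILE, $user, $pw)) {
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication required';
        exit;
    }
    return $user;
}

$who = require_basic_auth('Super Secret Page');
echo '<html><body>You are: ' . htmlspecialchars($who) . '</body></html>';
```

password_verify() also accepts the traditional crypt() entries shown earlier (for example Test:180TuOLtbRWCU), so an existing file keeps working unchanged.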
Using PHP scripts to authenticate users against a database
1- Creating the table. The user name must be unique.

Using PHP scripts to authenticate users against a database
1- Make "password" a key.
2- Result.

Protecting passwords in the database
1- Built-in PHP functions

crypt (PHP 3, PHP 4)
crypt -- One-way string encryption (hashing)
Description
    string crypt ( string str [, string salt] )
crypt() will return an encrypted string using the standard Unix DES-based encryption algorithm or alternative algorithms that may be available on the system. Arguments are a string to be encrypted and an optional salt string to base the encryption on. See the Unix man page for your crypt function for more information. If the salt argument is not provided, one will be randomly generated by PHP.
Protecting passwords in the database
1- Logical flow: testing if the user is logged in

    <?php
    // $u_username / $u_password came from the login form via register_globals
    // on PHP 4; read them explicitly so the check works on any PHP version.
    $u_username = isset($_REQUEST['u_username']) ? $_REQUEST['u_username'] : null;
    $u_password = isset($_REQUEST['u_password']) ? $_REQUEST['u_password'] : null;
    if (!isset($u_username) || !isset($u_password)) {
        header("Location: login.php");
        exit();
    } else {
        print("<html><head><title></title></head><body>");
        print("main page of site - authenticated user only");
        print("</body></html>");
    }
    ?>

Protecting passwords in the database
1- Logical flow: testing if the user is logged in

    <?php
    include "../../../../../../itb_cl8_info.php";   // DB host, user, password, database, table name
    include "login_functions.php";                   // register_form(), register_new_user(), login_form(), login_user()
    // form fields and the "action" parameter (POST from the forms, GET from the "New Users" link)
    $action     = isset($_REQUEST['action'])     ? $_REQUEST['action']     : '';
    $u_username = isset($_REQUEST['u_username']) ? $_REQUEST['u_username'] : null;
    $u_password = isset($_REQUEST['u_password']) ? $_REQUEST['u_password'] : null;
    print("<html><head><title></title></head><body>");
    if ($action == "register") {
        register_new_user($u_username, $u_password);
        // say hello
        print("Welcome to the site");
    } elseif ($action == "new_user") {
        register_form();
    } elseif ($action == "login") {
        $valid_user = login_user($u_username, $u_password);
        if (!$valid_user) {
            // show login with error
            $error = "Sorry, that user name and password aren't found";
            login_form($error);
        } else {
            // say hello
            print("Hi - we're glad you came back");
        }
    } else {
        $error = "";
        login_form($error);
    }
    print("</body></html>");
    ?>
Protecting passwords in the database
1- Creating a new user

    function register_form() {
        print("<form method=\"POST\" action=\"\">"
            . "<b>Please register</b><br>"
            . "Name: <input type=\"text\" name=\"u_username\" value=\"\"><br>"
            . "Password: <input type=\"password\" name=\"u_password\" value=\"\"><br>"
            . "<input type=\"hidden\" name=\"action\" value=\"register\">"
            . "<input type=\"submit\">"
            . "</form>");
    }

Protecting passwords in the database
1- Creating a new user 2

    function register_new_user($u_username, $u_password) {
        global $hostname, $dbUsername, $dbPassword, $dbName, $usersTable;
        // CRYPT OUR PASSWORD (salt = first two characters of the user name)
        $salt = substr($u_username, 0, 2);
        $crypted_password = crypt($u_password, $salt);
        // INSERT RECORD
        // open connection to host (PHP 4 mysql extension, as used in class)
        $link = mysql_connect($hostname, $dbUsername, $dbPassword) or die("error 1 - DB connection failed");
        // connect to specific database
        mysql_select_db($dbName) or die("error 2 - failure to connect to DB");
        // formulate our question; escape the values so a quote in the input cannot alter the SQL
        $u_username = mysql_real_escape_string($u_username);
        $crypted_password = mysql_real_escape_string($crypted_password);
        $query = "INSERT INTO $usersTable (user_name, password) VALUES ('$u_username', '$crypted_password')";
        // ask the question
        $result = mysql_query($query) or die("error 3 - query failed");
    }
Protecting passwords in the database
1- Authenticating an existing user

    function login_form($error) {
        print("<form method=\"POST\" action=\"\">"
            . "<b>Please Login</b><br>"
            . "<i>$error</i><br>"
            . "Name: <input type=\"text\" name=\"u_username\" value=\"\"><br>"
            . "Password: <input type=\"password\" name=\"u_password\" value=\"\"><br>"
            . "<input type=\"hidden\" name=\"action\" value=\"login\">"
            . "<input type=\"submit\">"
            . "</form><br>"
            . "<a href=\"login.php?action=new_user\">New Users</a> register here");
    }

Protecting passwords in the database
1- Authenticating an existing user 2

    function login_user($u_username, $u_password) {
        global $hostname, $dbUsername, $dbPassword, $dbName, $usersTable;
        // make sure username and password are filled in
        if (!isset($u_username) || !isset($u_password)) {
            return false;
        }
        // recreate the encrypted password stored in the database
        $salt = substr($u_username, 0, 2);
        $crypted_password = crypt($u_password, $salt);
        // see if we can find the user in the database
        // open connection to host (PHP 4 mysql extension, as used in class)
        $link = mysql_connect($hostname, $dbUsername, $dbPassword) or die("error 1 - DB connection failed");
        // connect to specific database
        mysql_select_db($dbName) or die("error 2 - failure to connect to DB");
        // formulate our question; escape the values so a quote in the input cannot alter the SQL
        $u_username = mysql_real_escape_string($u_username);
        $crypted_password = mysql_real_escape_string($crypted_password);
        $query = "SELECT password FROM $usersTable WHERE user_name='$u_username' AND password='$crypted_password'";
        // ask the question
        $result = mysql_query($query) or die("error 3 - query failed");
        // if there's exactly one row we've found the user
        if (mysql_num_rows($result) != 1) {
            return false;
        } else {
            return true;
        }
    }
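As an added example, not the slides' code: the register/login pair above rewritten with PDO prepared statements and password_hash()/password_verify(). This replaces two weak points of the class version: user input is interpolated straight into the SQL string, and DES crypt() with a salt taken from the user name uses only the first 8 characters of the password and a salt anyone can predict. Table and column names (users, user_name, password) follow the slides; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the slides' code: registration and login with PDO
// prepared statements and PHP's password_hash()/password_verify().
function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        // placeholders: substitute the class database, user and password
        $pdo = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4',
                       'EXAMPLE_USER', 'EXAMPLE_PASSWORD',
                       [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                        PDO::ATTR_EMULATE_PREPARES => false]);
    }
    return $pdo;
}

// Store a salted bcrypt hash. The user name is bound as a parameter, never
// interpolated, so a quote in it cannot change the statement. Returns false
// when the name is already taken (the unique user_name column rejects it).
function register_new_user(string $u_username, string $u_password): bool {
    $hash = password_hash($u_password, PASSWORD_DEFAULT);
    $stmt = db()->prepare('INSERT INTO users (user_name, password) VALUES (?, ?)');
    try {
        $stmt->execute([$u_username, $hash]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {        // SQLSTATE: integrity constraint violation
            return false;
        }
        throw $e;
    }
}

// Look up the stored hash by user name only and let password_verify() do the
// comparison; the password itself never becomes part of the SQL.
function login_user(string $u_username, string $u_password): bool {
    if ($u_username === '' || $u_password === '') {
        return false;
    }
    $stmt = db()->prepare('SELECT password FROM users WHERE user_name = ?');
    $stmt->execute([$u_username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // unknown user: verify against a dummy hash so the response time
        // does not reveal which user names exist
        static $dummy = null;
        if ($dummy === null) { $dummy = password_hash('dummy', PASSWORD_DEFAULT); }
        password_verify($u_password, $dummy);
        return false;
    }
    return password_verify($u_password, $hash);
}
```

The password column must be wide enough for the hash (60 characters for bcrypt; a VARCHAR(255) leaves room for PASSWORD_DEFAULT to change in later PHP versions).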