Presentation is loading. Please wait.

Presentation is loading. Please wait.

V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 1.

Published byMelvin Hawkins Modified over 9 years ago

Similar presentations

Presentation on theme: "V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 1."— Presentation transcript:

1 V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 1

2 V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 2

3 V 1.0 Storing passwords Probably the most sensitive data Storing passwords in a cleartext form is not allowed! Any website/program that is capable of sending forgotten passwords uses cleartext passwords! Aim: password authentication without storing the password itself Symmetric Encryption vs Assymetric Encryption  not secure, the key have to be stored somewhere... Instead: one-way transformation. If we store f(pw) instead of pw, and pw cannot be guessed from f(pw), then it is safe The user enters his password (pw2), which is correct, if f(pw)==f(pw2) OE NIK 2013 3

4 V 1.0 Hashing functions Aim: search an f(x) function that is –Cannot be decrypted (one-way): it is not possible to find x from f(x) –Finite output (typically 128-512 bit) : we want to store f(x) in a database, it cannot be infinite, even if x can take any possible values –Theoretical aim: f(x)==f(y)  x==y –Practical aim: the probability of a collision must be the smallest possible (collision  in case of x!=y, the outputs f(x)==f(y) are the same (infinite possible inputs, finite output – still, we want few collisions) OE NIK 2013 4

5 V 1.0 Hashing functions Practical examples –MD5: 128bit, 1991-2004, theoretically insecure (since 1996), practically insecure (since 2004), very easy to crack (since 2005-2007, since 2009 only a few seconds are needed (time factor 2 20,96 ) –SHA1: 160bit, exists since 1995, used since ~2000. Theoretically insecure (since 2005, 2 51 ), despite this, it is a very common hashing function –SHA256/224, SHA512/384 (SHA2): since 2001, probably has the same mathematical weakness –SHA3: Completely new algorithm (Keccak), since 2012.10.02., arbitrary output length (MD6?) OE NIK 2013 5

6 V 1.0 Hashing functions in PHP Default output: hexadecimal byte sequence string hash ( string $algo, string $data [, bool $raw_output = false ] ) –Possibility to use multiple algorithms –Faster –Can't use salt string crypt ( string $str [, string $salt ] ) –The main algorithms are here (SHA1, SHA2) –Since 5.3 PHP can use its own implementation –salt-compatible OE NIK 2013 6

7 V 1.0 Hashing in PHP $password="almafa"; $salt=""; for($i=1; $i<=16; $i++) $salt.=chr(rand(ord('A'), ord('Z'))); $hash=crypt($password, '$5$rounds=5000$'.$salt.'$'); //$5$ = SHA256, $6$ = SHA512 $result1=crypt("kortefa", $hash); $result2=crypt("almafa", $hash); echo "Password: {$password} "; echo "Salt: {$salt} "; echo "Hash: {$hash} "; echo "Result1: {$result1} "; echo "Result2: {$result2} "; OE NIK 2013 7

8 V 1.0 Hashing in PHP Password: almafa Salt: KPABPDIJFTCVFABU Hash: $5$rounds=5000$KPABPDIJFTCVFABU$RWNvee2gQ0Vhi18 lmZjw/.J3h1k12o2c/.JmUK1lEhD Result1: $5$rounds=5000$KPABPDIJFTCVFABU$2BUvHZFXlo3AP7U LueqRWKXgRwjOsiSPNc316YXOSn7 Result2: $5$rounds=5000$KPABPDIJFTCVFABU$RWNvee2gQ0Vhi18 lmZjw/.J3h1k12o2c/.JmUK1lEhD OE NIK 2013 8

9 V 1.0 Hashing – this semester Storing passwords in cleartext form is FORBIDDEN Textual user database is enough user|hash pairs, it is enough to use the basic sha1() e.g. http://bit.ly/9vM3cA or simply echo sha1("password") After this, read the file using file($path, FILE_IGNORE_NEW_LINES) then explode("|", $row) OE NIK 2013 9

10 V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 10

11 V 1.0OE NIK 2013 11 STATELESS HTTP

12 V 1.0 COOKIES Data storage in the browser: key, value, validity time, validity domain Setting values: from Javascript or PHP code (in the latter case, it is sent in the HTTP response headers) Getting values: in every HTTP Request, the browser sends all valid cookies, these go into the $_COOKIE array NOT SECURE to store sensitive data, because anyone can see and mondify the data Typically: visitor tracking, feedback of javascript variables, advertisement data, „tracking cookie” OE NIK 2013 12

13 V 1.0 COOKIES OE NIK 2013 13

14 V 1.0 COOKIES setcookie(name, value, expire, path, domain); setcookie("user", "Alex Porter", time()+3600); echo $_COOKIE["user"]; print_r($_COOKIE); setcookie("user", "", time()-3600); http://www.w3schools.com/php/ php_cookies.asp  ALTERNATIVE: HTML5 local storage 14 OE NIK 2013

15 V 1.0 SESSION variables Data storage on the server: key, value Initializing a session: session_start() Session identification: SID (Session ID), the browser sends it with every HTTP Request ($_COOKIE or $_GET) Accessing values: The browser sends the SID, the session_start() loads the data associated with the given SID into the $_SESSION array The client only stores the SID, the associated data are on the server  more secure Session hijacking? OE NIK 2013 15

16 V 1.0 SESSION variables 16 OE NIK 2013

17 V 1.0 SESSIONS session_start(); if (isset($_SESSION['views'])) $_SESSION['views']=$_SESSION['views']+1; else $_SESSION['views']=1; echo "Views=". $_SESSION['views']; unset($_SESSION['views']); session_destroy(); setcookie(session_name(), '', time() – 86400); http://www.w3schools.com/php/php_sessions.asp 17 OE NIK 2013

18 V 1.0 SESSION HIJACKING $sesskey =$_SERVER['HTTP_USER_AGENT']; $sesskey.=$_SERVER['REMOTE_ADDR']; $sesskey.='HELLOBELLO'; $sesskey=sha1($sesskey); if(isset($_SESSION['sesskey'])) { if ($_SESSION['sesskey']!=$sesskey) { die("NOT ALLOWED"); } } else { $_SESSION['sesskey']=$sesskey; } 18 OE NIK 2013

19 V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 19

20 V 1.0OE NIK 2013 20 Login form Create a users.txt file with user|hash pairs (sha1, we'll create a php script, but we could use http://bit.ly/9vM3cA too (no line breaks!) ) Create the login.html form: username and password + submit button Create the index.php script: it displays the login form, if the user is not logged in, otherwise it displays the contents of a textfile diary.txt and a logout link at the bottom The logged-in users must be able to edit the textfile

21 V 1.0 $_GET['action'] LOGIN ANYTHING ELSE LOGIN FORM OR LOGOUT LINK DESTROY SESSION LOGOUT USER INPUT? YES NO ERROR (echo) Check USER/PASS (+ set $_SESSION) REDIRECT USER (header + exit) INDEX.PHP REDIRECT USER (header + exit) 21 OE NIK 2013

22 V 1.0 $_SESSION['user'] SET NOT SET LOGIN FORM LOGIN FORM OR LOGOUT LINK? TEXT + LOGOUT LINK 22 OE NIK 2013 We have to add extra actions for text editing...

23 V 1.0 OE NIK 2013 LET'S CODE! 23

24 V 1.0 OE NIK 2013 24

25 25 OE NIK 2013

Download ppt "V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 1."

Similar presentations

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
V 1.0 OE NIK 2013 PHP+SQL 6. Forum 1. V 1.0 Hashing – this semester Storing passwords in cleartext form is FORBIDDEN Textual user database is enough user|hash.

V 1.0 OE NIK 2013 PHP+SQL 6. Forum 1. V 1.0 Hashing – this semester Storing passwords in cleartext form is FORBIDDEN Textual user database is enough user|hash.
>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.

>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane
Session Management A290/A590, Fall 2014 09/25/2014.

Session Management A290/A590, Fall /25/2014.
CSE 154 LECTURE 13: SESSIONS. Expiration / persistent cookies setcookie(name, value, expiration); PHP $expireTime = time() + 60*60*24*7; # 1 week.

CSE 154 LECTURE 13: SESSIONS. Expiration / persistent cookies setcookie("name", "value", expiration); PHP $expireTime = time() + 60*60*24*7; # 1 week.
Php cookies & sessions.

Php cookies & sessions.
15. User Authentication, Form Validation, Paging. M. Udin Harun Al Rasyid, S.Kom, Ph.D

15. User Authentication, Form Validation, Paging. M. Udin Harun Al Rasyid, S.Kom, Ph.D
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.

Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
Website Security ISYS 475. Authentication Authentication is the process that determines the identity of a user.

Website Security ISYS 475. Authentication Authentication is the process that determines the identity of a user.
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.

Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.
CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.

CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.
CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.

CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Similar presentations

Ads by Google