Download presentation
Presentation is loading. Please wait.
1
Website Security ISYS 475
2
Authentication Authentication is the process that determines the identity of a user.
3
Forms Authentication Use username and password to authenticate user. Pages cannot be accessed unless the user has the proper authentication. Without authentication, user is directed to a login page. If authenticated, user is redirected back to the requested page.
4
Forms Authentication Flow User Authenti cated? Login Page No, redirect to Website Yes Authenti cated? No, redirect to Yes
5
Using Browser’s Login Page Start a session: session_start(); Use the header() function to send an "Authentication Required" message to browser causing it to pop up a login page. Once the user has filled in a username and a password, the page will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW set to the username and password in the $_SERVER superglobal variable. Compare the entered password with the password in the database and set true/false to a boolean variable in $_session: – $_SESSION['is_logged_in']=true;
6
Browser’s Login Form
7
MySQL Table: users Fields: –CID: CHAR 3 –Username: Varchar 32 –Password: varchar 32
8
<?php session_start(); if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate: Basic realm="My.Com"'); header('HTTP/1.0 401 Unauthorized'); exit; } else { $db = new PDO('mysql:host=localhost;dbname=salesdb', 'root', ''); $user = $_SERVER['PHP_AUTH_USER']; $pwd = $_SERVER['PHP_AUTH_PW']; $query = "SELECT COUNT(*) FROM users WHERE username='$user' AND password='$pwd'"; $results = $db->query($query); $result = $results->fetchColumn(); if ($result==1) $_SESSION['is_logged_in']=true; else { header('WWW-Authenticate: Basic realm="My.Com"'); header('HTTP/1.0 401 Unauthorized'); //echo 'Text to send if user hits Cancel button'; exit; } } ?> authenticateUser.php
![< php session_start(); if (!isset($_SERVER[ PHP_AUTH_USER ])) { header( WWW-Authenticate: Basic realm= My.Com ); header( HTTP/ Unauthorized ); exit; } else { $db = new PDO( mysql:host=localhost;dbname=salesdb , root , ); $user = $_SERVER[ PHP_AUTH_USER ]; $pwd = $_SERVER[ PHP_AUTH_PW ]; $query = SELECT COUNT(*) FROM users WHERE username= $user AND password= $pwd ; $results = $db->query($query); $result = $results->fetchColumn(); if ($result==1) $_SESSION[ is_logged_in ]=true; else { header( WWW-Authenticate: Basic realm= My.Com ); header( HTTP/ Unauthorized ); //echo Text to send if user hits Cancel button ; exit; } } > authenticateUser.php](http://images.slideplayer.com/23/6625116/slides/slide_8.jpg "< php session_start(); if (!isset($_SERVER[ PHP_AUTH_USER ])) { header( WWW-Authenticate: Basic realm= My.Com ); header( HTTP/ Unauthorized ); exit; } else { $db = new PDO( mysql:host=localhost;dbname=salesdb , root , ); $user = $_SERVER[ PHP_AUTH_USER ]; $pwd = $_SERVER[ PHP_AUTH_PW ]; $query = SELECT COUNT(*) FROM users WHERE username= $user AND password= $pwd ; $results = $db->query($query); $result = $results->fetchColumn(); if ($result==1) $_SESSION[ is_logged_in ]=true; else { header( WWW-Authenticate: Basic realm= My.Com ); header( HTTP/ Unauthorized ); //echo Text to send if user hits Cancel button ; exit; } } > authenticateUser.php")
9
All protected pages require checking $_SESSION['is_logged_in] <?php session_start(); if (!(isset($_SESSION['is_logged_in']))) { header("Location:authenticateUser.php"); die(); } if (!($_SESSION['is_logged_in'])) { header("Location:authenticateUser.php"); die(); } ?> Welcome to this "Other Page"!!!
![All protected pages require checking $_SESSION[ is_logged_in] < php session_start(); if (!(isset($_SESSION[ is_logged_in ]))) { header( Location:authenticateUser.php ); die(); } if (!($_SESSION[ is_logged_in ])) { header( Location:authenticateUser.php ); die(); } > Welcome to this Other Page !!!](http://images.slideplayer.com/23/6625116/slides/slide_9.jpg "All protected pages require checking $_SESSION[ is_logged_in] < php session_start(); if (!(isset($_SESSION[ is_logged_in ]))) { header( Location:authenticateUser.php ); die(); } if (!($_SESSION[ is_logged_in ])) { header( Location:authenticateUser.php ); die(); } > Welcome to this Other Page !!!")
10
Use a Login Page http://studge.com/create-a-site-authentication- login-with-php-and-mysql/
11
Login Page Welcome to My.Com Login Page Please enter user name and password Username: Password:
12
Home Page:index.php <?php session_start(); if (!(isset($_SESSION['is_logged_in']))) { header("Location:login.php"); die(); } if (!($_SESSION['is_logged_in'])) { header("Location:login.php"); die(); } ?> Welcome to my.Com Home Page First test: Is the variable isset($_SESSION['is_logged_in']) set? Second test: Is the variable ($_SESSION['is_logged_in’] true?
![Home Page:index.php < php session_start(); if (!(isset($_SESSION[ is_logged_in ]))) { header( Location:login.php ); die(); } if (!($_SESSION[ is_logged_in ])) { header( Location:login.php ); die(); } > Welcome to my.Com Home Page First test: Is the variable isset($_SESSION[ is_logged_in ]) set.](http://images.slideplayer.com/23/6625116/slides/slide_12.jpg "Second test: Is the variable ($_SESSION[ is_logged_in’] true .")
13
checkpassword.php to verify password <?php session_start(); if($_SERVER['REQUEST_METHOD'] == "POST") { $dsn = 'mysql:host=localhost;dbname=salesdb'; $username = 'root'; $password = ''; $db = new PDO($dsn, $username, $password); $user = $_POST['username']; $pwd = $_POST['password']; $query = "SELECT COUNT(*) FROM users WHERE username='$user' AND password='$pwd'"; $results = $db->query($query); $result = $results->fetchColumn(); if ($result==1) $_SESSION['is_logged_in'] = TRUE; else $_SESSION['is_logged_in'] = FALSE; } if(!($_SESSION['is_logged_in'])) { echo "Not authorized"; header("location:login.php"); } else header("location:index.php"); ?>
![checkpassword.php to verify password < php session_start(); if($_SERVER[ REQUEST_METHOD ] == POST ) { $dsn = mysql:host=localhost;dbname=salesdb ; $username = root ; $password = ; $db = new PDO($dsn, $username, $password); $user = $_POST[ username ]; $pwd = $_POST[ password ]; $query = SELECT COUNT(*) FROM users WHERE username= $user AND password= $pwd ; $results = $db->query($query); $result = $results->fetchColumn(); if ($result==1) $_SESSION[ is_logged_in ] = TRUE; else $_SESSION[ is_logged_in ] = FALSE; } if(!($_SESSION[ is_logged_in ])) { echo Not authorized ; header( location:login.php ); } else header( location:index.php ); >](http://images.slideplayer.com/23/6625116/slides/slide_13.jpg "checkpassword.php to verify password < php session_start(); if($_SERVER[ REQUEST_METHOD ] == POST ) { $dsn = mysql:host=localhost;dbname=salesdb ; $username = root ; $password = ; $db = new PDO($dsn, $username, $password); $user = $_POST[ username ]; $pwd = $_POST[ password ]; $query = SELECT COUNT(*) FROM users WHERE username= $user AND password= $pwd ; $results = $db->query($query); $result = $results->fetchColumn(); if ($result==1) $_SESSION[ is_logged_in ] = TRUE; else $_SESSION[ is_logged_in ] = FALSE; } if(!($_SESSION[ is_logged_in ])) { echo Not authorized ; header( location:login.php ); } else header( location:index.php ); >")
14
Logout Page <?php session_start(); session_destroy(); header("location:login.php"); ?>
15
Password Hashing http://php.net/manual/en/faq.passwords.php#faq.passwords.bestpracticehttp://php.net/manual/en/faq.passwords.php#faq.passwords.bestpractice crypt function: crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system. password_hash functio: password_hash() uses a strong hashing algorithm and is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().
16
Security Issues http://www.phpfreaks.com/tutorial/php- security
Similar presentations
