
Feedback #2 (under assignments) Lecture Code:


1 Feedback #2 (under assignments) Lecture Code: http://decal.aw-industries.com

2 Today's Agenda
   Course Feedback
   Announcements
   Building a Login System
   Wrap Up

3 Announcements
   Last Day of Class Today
   Interest in Presenting Final Projects?
   FP Deadlines:
      12/6  Photoshop Layout
      12/13 Entire, Fully-Functional Project

4 Web Design: Basic to Advanced Techniques (Fall 2010, Mondays 7-9pm, 200 Sutardja-Dai Hall)
   Building a Login System

5 Login Systems

6 Functionality
   Login
   Verify Credentials
   Logout
   Remember Me
   Register

7 Components
   Front End: Form
   Back End: PHP for Authentication
   Database

   Form --(login, password)--> PHP --(search for user with given login)--> Database
   Database --(encrypted password)--> PHP --(authenticated, session id)--> Form

8 Form: Browser / Code (screenshots)

9 Database

   login     password
   alex      iliketowork
   jon       peaches
   amber     peaches
   michael   databasesarecool

   Totally insecure! What if someone hacks your database?
   Can discover all passwords. Can log in as anyone.

10 Database Improved

   login     encrypted password
   alex      djfxsfr2NIMmu2W0
   jon       xGBfwjvdK3A4VgjY
   amber     xGBfwjvdK3A4VgjY
   michael   3FI1IiNJZ6QjAkdQ

   If someone hacks the database: CanNOT log in as anyone. Or can they?
   Better, but... leaks information. Can notice Jon and Amber have the same password.

11 Database Best

   login     encrypted password   salt
   alex      djfxsfr2NIMmu2W0     B1USHXMZ3JgkOTDW
   jon       xGBfwjvdK3A4VgjY     TCRJRrLR0MpdcgtX
   amber     xKomGtFIOELCO3cc     UySPSuyJPQoIfgE5
   michael   3FI1IiNJZ6QjAkdQ     zj1NfuTT7uJxpCaV

   Secure! Assuming random salt and cryptography done correctly.

12 Database Takeaways
   Never store plain text passwords!
   Compare encrypted passwords instead.
   Use a random salt to prevent information leaks.

13 Authentication: verify log in credentials
   1. User submits login and password via form
   2. PHP retrieves posted information via $_POST['login'] and $_POST['password']
   3. PHP runs database query: SELECT * from Users WHERE login = $_POST['login']
   4. Authenticate: Encrypt($_POST['password'], $row['salt']) == $row['encrypted_password']

   Step 3 is a HUGE security vulnerability (the posted value is spliced straight into the SQL). Use prepared statements instead: http://php.net/manual/en/pdo.prepared-statements.php
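The following PHP is an added example, not code from the lecture, that puts slides 9 through 13 together: salted password hashes in the Users table, and a login check that uses a PDO prepared statement instead of splicing $_POST into the query. It assumes PHP 7+ with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; password_hash() generates the random salt itself and stores it inside the hash string, so the separate salt column from slide 11 is folded into encrypted_password.

```php
<?php
// Added example (not from the lecture slides). In-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (login TEXT PRIMARY KEY, encrypted_password TEXT NOT NULL)');

// Registration: never store the plain-text password (slide 12).
function register(PDO $db, string $login, string $password): void
{
    // bcrypt with a fresh random salt per call: the same password yields different
    // stored values, so two users sharing a password no longer leak that fact (slide 10).
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO Users (login, encrypted_password) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => $hash]);
}

// Login: the safe version of slide 13, steps 3 and 4.
function authenticate(PDO $db, string $login, string $password): bool
{
    // Prepared statement: the login is bound as a parameter, never concatenated into
    // the SQL text, so a value containing quotes is compared as a literal login string.
    $stmt = $db->prepare('SELECT encrypted_password FROM Users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown login
    }
    // password_verify re-hashes with the salt embedded in the stored string and
    // compares in constant time; the plain-text password is never stored or compared directly.
    return password_verify($password, $row['encrypted_password']);
}

// Constructed sample accounts mirroring the slides: jon and amber share a password.
register($db, 'jon', 'peaches');
register($db, 'amber', 'peaches');

$hashes = $db->query('SELECT login, encrypted_password FROM Users')->fetchAll(PDO::FETCH_KEY_PAIR);
var_dump($hashes['jon'] !== $hashes['amber']);   // salting hides the shared password
var_dump(authenticate($db, 'jon', 'peaches'));   // correct credentials
var_dump(authenticate($db, 'jon', 'Peaches'));   // wrong case, wrong password
var_dump(authenticate($db, "jon' OR '1'='1", 'x')); // quote-laden login is just an unknown user
```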

14 What if we visit a new page? We would need to ask for credentials again. What a bother! Why? Because HTTP is stateless: each request is handled on its own, with no memory of earlier ones. How do we fix this? Sessions.

15 What should happen After logging in initially we want to be able to stay logged in until we close the browser or log out. Also want the site to remember who we are.

16 Cookies to the Rescue?
   We need some sort of state, memory, between page loads.
   Could store as cookies, and send the cookies every time we load a page:

      User ID     599
      Logged In   1

   Server could then check that we're logged in and know who we are logged in as.
   Issues? Totally insecure! Could log in as whoever you want.

17 Sessions: server-side state
   We need state, but we can't store sensitive data on the client side.
   Thankfully there is server-side state! Could store:

      User ID   599

   But how do we identify which stored record belongs to a particular client?
   Need to store an identifier too:

      Session ID   User ID
      1            599
      2            458

18 What's Inside Each?

   Cookies:                  Sessions:
      Session ID   1            Session ID   User ID
                                1            599
                                2            458

   Secure? Nope. Can change our cookie to hijack other sessions.

19 What Should Be Inside Each.

   Cookies:                                Sessions:
      Session Key   XGnCmUE2dV3sTnA6          Session Key        User ID
                                              XGnCmUE2dV3sTnA6   599
                                              KHmA2XiScwgPy70w   458

   Secure? Yes. As long as our Session Key is random and sufficiently long (enough entropy).

20 Initial Interaction
   Front End: Form
   Back End: PHP for Authentication
   Database

   Form --(login, password)--> PHP --(search for user with given login)--> Database
   Database --(encrypted password)--> PHP --(authenticated, session key)--> Form

21 Subsequent Interaction
   Browser --(session id)--> Back End: PHP for Authentication --(private web page)--> Browser

   Cookie sent by the browser:         Server-side Sessions table:
      Session Key   XGnCmUE2dV3sTnA6      Session Key        User ID
                                          XGnCmUE2dV3sTnA6   599
                                          KHmA2XiScwgPy70w   458
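This PHP is an added example, not the lecture's own code, showing slides 17 through 21 in practice: a server-side Sessions table keyed by a long random session key, the cookie that carries only that key, and the lookup done on every later request. It assumes PHP 7.3+ with pdo_sqlite (the options-array form of setcookie needs 7.3); the in-memory SQLite database and the user IDs 599 and 458 are taken from the slides as constructed sample data.

```php
<?php
// Added example (not from the lecture slides). The browser only ever holds the key;
// the user ID lives in the server's Sessions table, so a client cannot edit it.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Sessions (session_key TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');

// Called once after authentication succeeds (slide 20): mint a key and record its owner.
function createSession(PDO $db, int $userId): string
{
    // 32 bytes from the CSPRNG = 256 bits of entropy, hex-encoded to 64 characters.
    // Short, sequential IDs like "1" and "2" on slide 18 are what makes hijacking trivial.
    $key = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO Sessions (session_key, user_id) VALUES (:key, :uid)');
    $stmt->execute([':key' => $key, ':uid' => $userId]);
    if (PHP_SAPI !== 'cli') {
        // secure: only sent over HTTPS (slide 23); httponly: not readable by page scripts;
        // samesite: not attached to cross-site requests.
        setcookie('session_key', $key, [
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/',
        ]);
    }
    return $key;
}

// Called on every subsequent request (slide 21): map the presented key back to a user.
function currentUser(PDO $db, ?string $presentedKey): ?int
{
    if ($presentedKey === null || !preg_match('/^[0-9a-f]{64}$/', $presentedKey)) {
        return null; // missing or malformed cookie value
    }
    $stmt = $db->prepare('SELECT user_id FROM Sessions WHERE session_key = :key');
    $stmt->execute([':key' => $presentedKey]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

// Logout: remove the server-side record so the old cookie value stops working.
function destroySession(PDO $db, string $key): void
{
    $db->prepare('DELETE FROM Sessions WHERE session_key = :key')->execute([':key' => $key]);
}

// Constructed walk-through with the user IDs from the slides.
$keyFor599 = createSession($db, 599);
$keyFor458 = createSession($db, 458);
var_dump(currentUser($db, $keyFor599));  // owner of a freshly minted key
var_dump(currentUser($db, '1'));         // a guessable slide-18 style ID matches nobody
destroySession($db, $keyFor599);
var_dump(currentUser($db, $keyFor599));  // the same cookie value after logout
```

In a real request handler the key would come from $_COOKIE['session_key'] rather than a local variable, and the lookup would run before rendering any private page.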

22 Session Hijacking
   Session key is king. If someone is able to determine the value of your session key, they can send the same cookie to the server and have access to your full account. (Firesheep demonstrated this against sites that sent session cookies over plain HTTP.)

23 Making Session Hijacking Harder
   Unique Request Headers
   HTTPS
   Also session fixation attacks...

24 Writing Your Own Authentication System
   Is very hard. Lots of things have to go right to make it secure, and one thing wrong can jeopardize the entire system's security.
   Look for a reputable plugin.
   Use established encryption techniques.

25 Web Design: Basic to Advanced Techniques (Fall 2010, Mondays 7-9pm, 200 Sutardja-Dai Hall)
   Semester Wrap Up

26 What We've Learned
   HTML
   CSS
   jQuery (JavaScript)
   PHP
   MySQL

27 What Now? Forget PHP
   Want to build Facebook in a month, by yourself? Learn Ruby on Rails!
   Still need all our knowledge of HTML, CSS, jQuery, MySQL.
   CS169
   Great Rails resource: http://railscasts.com/

28 Keep in Touch...
   Let me know what you're up to... what you're building... if you need advice...
   Facebook Group or email

29 Additional Resources
   General Web Design/Development Tutorials: http://www.smashingmagazine.com/
   Photoshop Tutorials: http://www.tutorial9.net/
   Awesome Web Designs: http://cssremix.com/

30 Feedback #2 (under assignments) Lecture Code: http://decal.aw-industries.com
