Website Security ISYS 475

Authentication Authentication is the process that determines the identity of a user.

Forms Authentication Use username and password to authenticate user. Pages cannot be accessed unless the user has the proper authentication. Without authentication, user is directed to a login page. If authenticated, user is redirected back to the requested page.

Forms Authentication Flow User Authenti cated? Login Page No, redirect to Website Yes Authenti cated? No, redirect to Yes

Using Browser’s Login Page Start a session: session_start(); Use the header() function to send an "Authentication Required" message to browser causing it to pop up a login page. Once the user has filled in a username and a password, the page will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW set to the username and password in the $_SERVER superglobal variable. Compare the entered password with the password in the database and set true/false to a boolean variable in $_session: – $_SESSION['is_logged_in']=true;

Browser’s Login Form

MySQL Table: users Fields: –CID: CHAR 3 –Username: Varchar 32 –Password: varchar 32

<?php session_start(); if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate: Basic realm="My.Com"'); header('HTTP/ Unauthorized'); exit; } else { $db = new PDO('mysql:host=localhost;dbname=salesdb', 'root', ''); $user = $_SERVER['PHP_AUTH_USER']; $pwd = $_SERVER['PHP_AUTH_PW']; $query = "SELECT COUNT(*) FROM users WHERE username='$user' AND password='$pwd'"; $results = $db->query($query); $result = $results->fetchColumn(); if ($result==1) $_SESSION['is_logged_in']=true; else { header('WWW-Authenticate: Basic realm="My.Com"'); header('HTTP/ Unauthorized'); //echo 'Text to send if user hits Cancel button'; exit; } } ?> authenticateUser.php

All protected pages require checking $_SESSION['is_logged_in] <?php session_start(); if (!(isset($_SESSION['is_logged_in']))) { header("Location:authenticateUser.php"); die(); } if (!($_SESSION['is_logged_in'])) { header("Location:authenticateUser.php"); die(); } ?> Welcome to this "Other Page"!!!

Use a Login Page login-with-php-and-mysql/

Login Page Welcome to My.Com Login Page Please enter user name and password Username: Password:

Home Page:index.php <?php session_start(); if (!(isset($_SESSION['is_logged_in']))) { header("Location:login.php"); die(); } if (!($_SESSION['is_logged_in'])) { header("Location:login.php"); die(); } ?> Welcome to my.Com Home Page First test: Is the variable isset($_SESSION['is_logged_in']) set? Second test: Is the variable ($_SESSION['is_logged_in’] true?

checkpassword.php to verify password <?php session_start(); if($_SERVER['REQUEST_METHOD'] == "POST") { $dsn = 'mysql:host=localhost;dbname=salesdb'; $username = 'root'; $password = ''; $db = new PDO($dsn, $username, $password); $user = $_POST['username']; $pwd = $_POST['password']; $query = "SELECT COUNT(*) FROM users WHERE username='$user' AND password='$pwd'"; $results = $db->query($query); $result = $results->fetchColumn(); if ($result==1) $_SESSION['is_logged_in'] = TRUE; else $_SESSION['is_logged_in'] = FALSE; } if(!($_SESSION['is_logged_in'])) { echo "Not authorized"; header("location:login.php"); } else header("location:index.php"); ?>

Logout Page <?php session_start(); session_destroy(); header("location:login.php"); ?>

Password Hashing crypt function: crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system. password_hash functio: password_hash() uses a strong hashing algorithm and is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().

Security Issues security