Feedback #2 (under assignments) Lecture Code:

Presentation transcript:

Feedback #2 (under assignments) Lecture Code:

Today’s Agenda: Course Feedback; Announcements; Building a Login System; Wrap Up

Announcements: Last day of class today. Interest in presenting final projects? FP deadlines: 12/6 Photoshop layout; 12/13 entire, fully-functional project.

Web Design: Basic to Advanced Techniques Fall 2010 Mondays 7-9pm 200 Sutardja-Dai Hall Building a Login System

Login Systems

Functionality: Login, Verify Credentials, Logout, Remember Me, Register.

Components (diagram): Front End (form) sends login, password to the Back End (PHP for authentication). The back end searches the Database for the user with the given login; the database returns that user's encrypted password; if the user is authenticated, the back end returns a session id to the browser.

Form Browser Code

Database (totally insecure!)
login     password
alex      iliketowork
jon       peaches
amber     peaches
michael   databasesarecool
What if someone hacks your database? Can discover all passwords. Can log in as anyone.

Database Improved (better, but… leaks information)
login     encrypted password
alex      djfxsfr2NIMmu2W0
jon       xGBfwjvdK3A4VgjY
amber     xGBfwjvdK3A4VgjY
michael   3FI1IiNJZ6QjAkdQ
If someone hacks the database: can notice Jon and Amber have the same password. CanNOT log in as anyone. Or can they?

Database Best (secure! assuming random salt and cryptography done correctly)
login     encrypted password   salt
alex      djfxsfr2NIMmu2W0     B1USHXMZ3JgkOTDW
jon       xGBfwjvdK3A4VgjY     TCRJRrLR0MpdcgtX
amber     xKomGtFIOELCO3cc     UySPSuyJPQoIfgE5
michael   3FI1IiNJZ6QjAkdQ     zj1NfuTT7uJxpCaV

Database Takeaways: Never store plain-text passwords! Compare encrypted passwords instead. Use a random salt per user to prevent information leaks (two users with the same password no longer share a stored value).

Authentication (verify login credentials)
1. User submits login and password via the form.
2. PHP retrieves the posted information via $_POST['login'] and $_POST['password'].
3. PHP runs a database query: SELECT * FROM Users WHERE login = $_POST['login'] — as written, a HUGE security vulnerability (the posted value becomes part of the SQL); use prepared statements instead.
4. Authenticate: Encrypt($_POST['password'], $row['salt']) == $row['encrypted_password']
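The four steps above as an added example in PHP, not code from the lecture: the query in step 3 uses a prepared statement, and step 4 uses password_hash()/password_verify(), which generate a random salt per user and store it inside the hash string, so the slides' separate salt column is folded into the stored value. It assumes PDO with SQLite (an in-memory database so it runs stand-alone); the table name Users, the logins and the passwords are constructed for the example.

```php
<?php
// Added example (not the lecture's code): salted password storage plus a
// prepared-statement login check. PDO + in-memory SQLite keeps it stand-alone;
// the Users table and the sample logins/passwords are constructed.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash() picks a fresh random salt on every call and stores it
    // inside the returned string, so two users with the same password end up
    // with different stored values (the "Database Best" property).
    $db->exec('CREATE TABLE Users (login TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO Users (login, password_hash) VALUES (:login, :hash)');
    foreach (['jon' => 'peaches', 'amber' => 'peaches'] as $login => $password) {
        $insert->execute([':login' => $login, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
    }
    return $db;
}

// Step 3 as written on the slide: the login is spliced into the SQL text, so
// whatever the user typed becomes part of the query. Kept only for contrast.
function findUserUnsafe(PDO $db, string $login): ?array
{
    $row = $db->query("SELECT * FROM Users WHERE login = '$login'")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Step 3 done right: the login travels as a bound value, so it can never
// change the structure of the query.
function findUser(PDO $db, string $login): ?array
{
    $stmt = $db->prepare('SELECT * FROM Users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Step 4: re-hash the submitted password with the stored salt and compare.
// password_verify() reads the salt out of the stored string and compares in
// constant time.
function authenticate(PDO $db, string $login, string $password): bool
{
    $row = findUser($db, $login);
    if ($row === null) {
        // Unknown login: still do one hash computation so the response time
        // does not reveal whether the login exists.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// On a real page the two inputs would be $_POST['login'] and
// $_POST['password']; here they are passed directly.
$db = setupDb();
var_dump(authenticate($db, 'jon', 'peaches'));      // right password
var_dump(authenticate($db, 'jon', 'iliketowork'));  // wrong password
var_dump(authenticate($db, 'nobody', 'peaches'));   // unknown login
// Same password, different stored hashes: nothing to notice about Jon and Amber.
var_dump(findUser($db, 'jon')['password_hash'] !== findUser($db, 'amber')['password_hash']);
```

The three authenticate() calls return true, false and false, and the final comparison is true because each password_hash() call drew its own salt. findUserUnsafe() is never called; it is there so the spliced-in query can be compared line by line with the bound-parameter version.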

What if we visit a new page? We would need to ask for credentials again. What a bother! Why? Because HTTP is stateless. How do we fix this? Sessions.

What should happen After logging in initially we want to be able to stay logged in until we close the browser or log out. Also want the site to remember who we are.

Cookies to the Rescue? We need some sort of state, memory, between page loads. Could store it as cookies (User ID = 599, Logged In = 1) and send the cookies every time we load a page. The server could then check that we’re logged in and know who we are logged in as. Issues? Totally insecure! Could log in as whoever you want.

Sessions (server-side state). We need state, but we can’t store sensitive data on the client side. Thankfully there is server-side state! Could store User ID = 599 on the server. But how do we identify which stored record belongs to a particular client? Need to store an identifier too: a table of Session ID → User ID.

What’s Inside Each? Cookies: Session ID = 1. Sessions: Session ID → User ID. Secure? Nope. Can change our cookie to hijack other sessions.

What Should Be Inside Each. Cookies: Session Key = XGnCmUE2dV3sTnA6. Sessions: Session Key → User ID (XGnCmUE2dV3sTnA6 → 599, KHmA2XiScwgPy70w → 458). Secure? Yes, as long as our Session Key is random and sufficiently long (enough entropy).

Initial Interaction (diagram): Front End (form) sends login, password to the Back End (PHP for authentication). The back end searches the Database for the user with the given login; the database returns the encrypted password; if authenticated, the back end returns a session key.

Subsequent Interaction (diagram): the Browser sends its session id cookie (Session Key = XGnCmUE2dV3sTnA6) to the Back End (PHP for authentication), which looks it up in the Sessions table (XGnCmUE2dV3sTnA6 → 599, KHmA2XiScwgPy70w → 458) and returns the private web page.

Session Hijacking Session key is king. If someone is able to determine the value of your session key they can send the same cookie to the server and have access to your full account. Firesheep

Making Session Hijacking Harder: unique request headers; HTTPS. Also session fixation attacks...
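The session design from the last several slides, as an added example that is not the lecture's code: a server-side Session Key → User ID table, a key drawn from a cryptographic random source with enough entropy, a fresh key issued at login so a key chosen before login cannot be reused (the session-fixation point), and cookie flags that keep the key off plain HTTP and out of JavaScript. The in-memory array, the cookie name session_key, the key length and the lifetime are assumptions of this example; a real site would keep the table in a database or use PHP's own session handler.

```php
<?php
// Added example (not the lecture's code): a minimal server-side session store
// shaped like the slides' "Session Key -> User ID" table. The array, cookie
// name, key length and lifetime are assumptions chosen for the example.
declare(strict_types=1);

const SESSION_COOKIE = 'session_key';
const SESSION_KEY_BYTES = 16;     // 128 bits from the CSPRNG: not guessable
const SESSION_LIFETIME = 3600;    // seconds of inactivity before a key dies

/** Generate a session key. random_bytes() is cryptographically secure;
 *  rand(), uniqid() and timestamps are not. */
function newSessionKey(): string
{
    return rtrim(strtr(base64_encode(random_bytes(SESSION_KEY_BYTES)), '+/', '-_'), '=');
}

/** Login succeeded: discard any key the browser already had, issue a new one
 *  and send it with cookie flags that make it harder to steal. */
function startSession(array &$sessions, int $userId, ?string $oldKey): string
{
    if ($oldKey !== null) {
        unset($sessions[$oldKey]);   // a key chosen before login must not survive login
    }
    $key = newSessionKey();
    $sessions[$key] = ['user_id' => $userId, 'expires' => time() + SESSION_LIFETIME];
    if (PHP_SAPI !== 'cli') {        // no HTTP response to set headers on when run from the shell
        setcookie(SESSION_COOKIE, $key, [
            'expires'  => 0,         // browser-session cookie: gone when the browser closes
            'path'     => '/',
            'secure'   => true,      // only sent over HTTPS, so it is never on the wire in the clear
            'httponly' => true,      // not readable from JavaScript (document.cookie)
            'samesite' => 'Lax',     // not attached to most cross-site requests
        ]);
    }
    return $key;
}

/** Subsequent request: the only thing the browser presents is the key; the
 *  user id comes from server-side state, never from the cookie itself. */
function currentUser(array &$sessions, ?string $presentedKey): ?int
{
    if ($presentedKey === null || !isset($sessions[$presentedKey])) {
        return null;                 // unknown key: treat as logged out
    }
    if ($sessions[$presentedKey]['expires'] < time()) {
        unset($sessions[$presentedKey]);
        return null;                 // expired: drop the record
    }
    $sessions[$presentedKey]['expires'] = time() + SESSION_LIFETIME;  // sliding expiry
    return $sessions[$presentedKey]['user_id'];
}

/** Logout: deleting the server-side record is what ends the session; the
 *  cookie value on its own then means nothing. */
function endSession(array &$sessions, string $key): void
{
    unset($sessions[$key]);
}

// Walk-through with the slides' user id 599 (a constructed value):
$sessions = [];
$key = startSession($sessions, 599, null);
var_dump(currentUser($sessions, $key));             // the logged-in user
var_dump(currentUser($sessions, 'not-a-real-key'));  // a key the server never issued
endSession($sessions, $key);
var_dump(currentUser($sessions, $key));             // after logout
```

The walk-through yields 599, then null for the key the server never issued, then null again once the record is gone. Note that what the browser is allowed to hold is only the opaque key; the "User ID = 599, Logged In = 1" cookie from the earlier slide never appears on the client side.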

Writing Your Own Authentication System is very hard. Lots of things have to go right to make it secure, and one thing wrong can jeopardize the entire system’s security. Look for a reputable plugin. Use established encryption techniques.

Web Design: Basic to Advanced Techniques Fall 2010 Mondays 7-9pm 200 Sutardja-Dai Hall Semester Wrap Up

What We’ve Learned HTML CSS jQuery (JavaScript) PHP MySQL

What Now? Forget PHP. Want to build Facebook in a month, by yourself? Learn Ruby on Rails! Still need all our knowledge of HTML, CSS, jQuery, MySQL. CS169. Great Rails resource:

Keep in Touch… Let me know what you’re up to… What you’re building… If you need advice… Facebook Group or

Additional Resources General Web Design/Development Tutorials: Photoshop Tutorials: Awesome Web Designs:

Feedback #2 (under assignments) Lecture Code: