Redirect, Routing, and Authentication

Slides:



Advertisements
Similar presentations
JQuery MessageBoard. Lets use jQuery and AJAX in combination with a database to update and retrieve information without refreshing the page. Here we will.
Advertisements

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Getting PHP Hosting Dr. Charles Severance. What We Need We want to be able to put up our application on the web so anyone can access our URL (and so we.
Uploading Files. Why? By giving a user the option to upload a file you are creating an interactive page You can enable users have a greater web experience.
Forms and PHP Dr. Charles Severance
Cookies, Sessions, and Authentication Dr. Charles Severance
CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.
1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.
Nic Shulver, Introduction to Sessions in PHP Sessions What is a session? Example Software Software Organisation The login HTML.
Cookies & Session Web Technology
CSC 2720 Building Web Applications Server-side Scripting with PHP.
PHP. $_GET / $_POST / $_SESSION PHP uses predefined variables to provide access to important information about the server and requests from a browser.
Web Database Programming Week 7 Session Management & Authentication.
Introduction to Dynamic Web Content Dr. Charles Severance
ITM © Port, Kazman1 ITM 352 More on Forms Processing.
Controlling Web Site Access Using Logins CS 320. Basic Approach HTML form a php page that collects the username and password  Sends them to second PHP.
Sessions and Cookies State Management, Cookies, Sessions, Hidden Fields SoftUni Team Technical Trainers Software University
Forms Overview, Query string, Submitting arrays, PHP & HTML, Input types, Redirecting the user Mario Peshev Technical Trainer Software.
Database Access Control IST2101. Why Implementing User Authentication? Remove a lot of redundancies in duplicate inputs of database information – Your.
1 DIG 3134 Lecture 6: Maintaining State Michael Moshell University of Central Florida Media Software Design.
1 PHP HTTP After this lecture, you should be able to know: How to create and process web forms with HTML and PHP. How to create and process web forms with.
Forms and PHP Dr. Charles Severance
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
Introduction to Dynamic Web Content Dr. Charles Severance
Sessions and cookies MIS 3501, Spring 2016 Jeremy Shafer Department of MIS Fox School of Business Temple University 4/12/2016.
Dr. Charles Severance Using Handlebars Dr. Charles Severance
C.R.U.D. Charles Severance
Form Processing in PHP Dr. Charles Severance
Brad N Greenwood, PhD MBA
Sessions and cookies MIS 3501 Jeremy Shafer Department of MIS
Introduction to Dynamic Web Content
Tonga Institute of Higher Education IT 141: Information Systems
PHP Arrays Dr. Charles Severance
CHAPTER 5 SERVER SIDE SCRIPTING
Our Technologies Dr. Charles Severance
Forms and PHP.
Cascading Style Sheets
Getting PHP Hosting Dr. Charles Severance
Using JSON Dr. Charles Severance
PHP: Login FdSc Module 109 Server side scripting and Database design
18 – Web applications: Server-side code (PhP)
EXCEPTION HANDLING IN SERVER CLIENT PROGRAMMING
HTTP Parameters and Arrays
Web Design and Development
PHP Arrays Dr. Charles Severance
Cookies and Sessions Charles Severance
Cross-Site Forgery
Super Global Arrays Forms and PHP "Superglobal" arrays (6.4.1)
Super Global Arrays Forms and PHP "Superglobal" arrays (6.4.1)
PHP / MySQL Introduction
>> PHP: Form Processing
Web Programming– UFCFB Lecture 22
PHP Overview PHP: Hypertext Preprocessor Server-Side Scripting
Tutorial (4): HTTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
ISC440: Web Programming 2 Server-side Scripting PHP 3
PHP Namespaces (in progress)
Web Systems Development (CSC-215)
Dr. John P. Abraham Professor UTRGV eCommerce CSCI 6314
Forms and PHP.
Introduction to Dynamic Web Content
Tonga Institute of Higher Education IT 141: Information Systems
Using jQuery Dr. Charles Severance
Tonga Institute of Higher Education IT 141: Information Systems
HTTP GET vs POST SE-2840 Dr. Mark L. Hornick.
Sessions and cookies MIS 3501 Jeremy Shafer Department of MIS
Cookies and sessions Saturday, February 23, 2019Saturday, February 23,
PHP-II.
PHP By Prof. B.A.Khivsara Note: The material to prepare this presentation has been taken from internet and are generated only for students reference and.
Cross Site Request Forgery (CSRF)
Model View Controller (MVC)
Presentation transcript:

Redirect, Routing, and Authentication Dr. Charles Severance www.wa4e.com http://www.wa4e.com/code/route.zip Add cookie-less sessions...

Time DOM MySql Apache PHP PDO RRC/HTTP SQL Browser Web Server Database Server DOM MySql Send Request Apache Parse Response PHP sessfun.php JavaScript PDO RRC/HTTP SQL

HTTP Status Codes http://www.dr-chuck.com/page1.htm - 200 OK http://www.wa4e.com/nowhere.htm - 404 Not Found http://www.drchuck.com/ - 302 Found / Moved Also known as “redirect” https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

HTTP Location Header If your application has not yet sent any data, it can send a special header as part of the HTTP Response. The redirect header includes a URL that the browser is supposed to forward itself to. It was originally used for web sites that moved from one URL to another. http://en.wikipedia.org/wiki/URL_redirection

<= Error http://php.net/manual/en/function.header.php

http://www.wa4e.com/code/sessions/redir1.php <?php session_start(); if ( isset($_POST['where']) ) { if ( $_POST['where'] == '1' ) { header("Location: redir1.php"); return; } else if ( $_POST['where'] == '2' ) { header("Location: redir2.php?parm=123"); } else { header("Location: http://www.dr-chuck.com"); } ?> <html> <body style="font-family: sans-serif;"> <p>I am Router Two...</p> <form method="post"> <p><label for="inp9">Where to go? (1-3)</label> <input type="text" name="where" id="inp9" size="5"></p> <input type="submit"/></form> </body> http://www.wa4e.com/code/sessions/redir1.php

After we entered "2" and pressed "Submit" Two pages were retrieved

Second page

POST / Redirect / GET

POST / Refresh /  Once you do a POST, if you refresh, the browser will re-send the POST data a second time. The user gets a pop-up that tries to explain what is about to happen.

Press Submit then Refresh guess.php

No Double Posts Typically POST requests are adding or modifying data whilst GET requests view data It may be dangerous to do the same POST twice (say withdrawing funds from a bank account) So the browser insists on asking the user (out of your control) Kind of an ugly UX / bad usability

POST Redirect Rule The simple rule for pages intended for a browser is to never generate a page with HTML content when the app receives POST data Must redirect somewhere - even to the same script - forcing the browser to make a GET after the POST

https://en.wikipedia.org/wiki/Post/Redirect/Get

(Review) http://www.wa4e.com/code/sessions/guess.php <?php $guess = ''; $message = false; if ( isset($_POST['guess']) ) { // Trick for integer / numeric parameters $guess = $_POST['guess'] + 0; if ( $guess == 42 ) { $message = "Great job!"; } else if ( $guess < 42 ) { $message = "Too low"; } else { $message = "Too high..."; } ?> <html> <head> <title>A Guessing game</title> </head> <body style="font-family: sans-serif;"> <p>Guessing game...</p> if ( $message !== false ) { echo("<p>$message</p>\n"); <form method="post"> <p><label for="guess">Input Guess</label> <input type="text" name="guess" id="guess" size="40" <?php echo 'value="' . htmlentities($guess) . '"'; /></p> <input type="submit"/> </form> </body> (Review) http://www.wa4e.com/code/sessions/guess.php

(Review) <?php $guess = ''; $message = false; if ( isset($_POST['guess']) ) { // Trick for integer / numeric parameters $guess = $_POST['guess'] + 0; if ( $guess == 42 ) { $message = "Great job!"; } else if ( $guess < 42 ) { $message = "Too low"; } else { $message = "Too high..."; } ?> <html> <head> <title>A Guessing game</title> </head> <body style="font-family: sans-serif;"> <p>Guessing game...</p> if ( $message !== false ) { echo("<p>$message</p>\n"); <form method="post"> <p><label for="guess">Input Guess</label> <input type="text" name="guess" id="guess" size="40" <?php echo 'value="' . htmlentities($guess) . '"'; /></p> <input type="submit"/> </form> </body> <?php $guess = ''; $message = false; if ( isset($_POST['guess']) ) { // Nifty trick $guess = $_POST['guess'] + 0; if ( $guess == 42 ) { $message = "Great job!"; } else if ( $guess < 42 ) { $message = "Too low"; } else { $message = "Too high..."; } ?> <html> ... (Review)

(Review) ... ?> <html> <head> <?php $guess = ''; $message = false; if ( isset($_POST['guess']) ) { // Trick for integer / numeric parameters $guess = $_POST['guess'] + 0; if ( $guess == 42 ) { $message = "Great job!"; } else if ( $guess < 42 ) { $message = "Too low"; } else { $message = "Too high..."; } ?> <html> <head> <title>A Guessing game</title> </head> <body style="font-family: sans-serif;"> <p>Guessing game...</p> if ( $message !== false ) { echo("<p>$message</p>\n"); <form method="post"> <p><label for="guess">Input Guess</label> <input type="text" name="guess" id="guess" size="40" <?php echo 'value="' . htmlentities($guess) . '"'; /></p> <input type="submit"/> </form> </body> ... ?> <html> <head> <title>A Guessing game</title> </head> <body style="font-family: sans-serif;"> <p>Guessing game...</p> <?php if ( $message !== false ) { echo("<p>$message</p>\n"); } <form method="post"> <p><label for="guess">Input Guess</label> <input type="text" name="guess" id="guess" size="40" <?php echo 'value="' . htmlentities($guess) . '"'; /></p> <input type="submit"/> </form> </body> (Review)

(Improved) http://www.wa4e.com/code/sessions/guess2.php <?php session_start(); if ( isset($_POST['guess']) ) { $guess = $_POST['guess'] + 0; $_SESSION['guess'] = $guess; if ( $guess == 42 ) { $_SESSION['message'] = "Great job!"; } else if ( $guess < 42 ) { $_SESSION['message'] = "Too low"; } else { $_SESSION['message'] = "Too high..."; } header("Location: guess2.php"); return; ?> <html> (Improved) http://www.wa4e.com/code/sessions/guess2.php

guess2.php <html> <head> <title>A Guessing game</title> </head> <body style="font-family: sans-serif;"> <?php $guess = isset($_SESSION['guess']) ? $_SESSION['guess'] : ''; $message = isset($_SESSION['message']) ? $_SESSION['message'] : false; ?> <p>Guessing game...</p> if ( $message !== false ) { echo("<p>$message</p>\n"); } <form method="post"> <p><label for="guess">Input Guess</label> <input type="text" name="guess" id="guess" size="40" <?php echo 'value="' . htmlentities($guess) . '"';?> /></p> <input type="submit"/> </form> </body> guess2.php

Enter "41" and press "Submit"

Press "Refresh"

Time DOM Sessions: MySql Apache PHP PDO RRC/HTTP SQL Browser Web Server Database Server DOM Sessions: 42 6f 3e MySql Send Request Apache Parse Response PHP sessfun.php PDO JavaScript RRC/HTTP SQL

Login and Logout Using Session

Session / Authentication Having a session is not the same as being logged in. Generally you have a session the instant you connect to a web site. The Session ID cookie is set when the first page is delivered. Login puts user information in the session (stored in the server). Logout removes user information from the session.

Time DOM Sessions: MySql Apache PHP PDO RRC/HTTP SQL Browser Web Server Database Server DOM Sessions: 42 6f 3e MySql Send Request Apache Parse Response PHP sessfun.php PDO JavaScript RRC/HTTP SQL

Simple application with login, logout, and flash using session http://www.wa4e.com/code/route/app.php http://www.wa4e.com/code/route.zip

login.php <body style="font-family: sans-serif;"> <h1>Please Log In</h1> <?php     if ( isset($_SESSION["error"]) ) {         echo('<p style="color:red">'.$_SESSION["error"]."</p>\n");         unset($_SESSION["error"]);     }     if ( isset($_SESSION["success"]) ) {         echo('<p style="color:green">'.$_SESSION["success"]."</p>\n");         unset($_SESSION["success"]); ?> <form method="post"> <p>Account: <input type="text" name="account" value=""></p> <p>Password: <input type="text" name="pw" value=""></p> <!-- password is umsi --> <p><input type="submit" value="Log In"> <a href="app.php">Cancel</a></p> </form> </body>

http://www.wa4e.com/code/sessions/login.php <?php session_start();     if ( isset($_POST["account"]) && isset($_POST["pw"]) ) {         unset($_SESSION["account"]); // Logout current user         if ( $_POST['pw'] == 'umsi' ) {             $_SESSION["account"] = $_POST["account"];             $_SESSION["success"] = "Logged in.";             header( 'Location: app.php' ) ;             return;         } else {             $_SESSION["error"] = "Incorrect password.";             header( 'Location: login.php' ) ;         }     } ?> <html> http://www.wa4e.com/code/sessions/login.php

POST-Redirect-GET-Flash POST detects error in input data and puts a message into $_SESSION and redirects GET sees the message in the session, displays it and then deletes it Flash = “Seen once”

Redirect Time Browser C123 Apache login.php $_POST Bad PW $_SESSION (S123) Bad PW

Time Browser C123 Browser C123 Apache login.php $_POST login.php $_SESSION (S123) Bad PW

Flash Time Browser C123 Browser C123 Apache login.php $_POST login.php Bad PW Apache login.php $_POST login.php $_SESSION (S123)

Refresh Time Browser C123 Browser C123 Browser C123 Apache login.php Bad PW Apache login.php $_POST login.php login.php $_SESSION (C123)

login.php <body style="font-family: sans-serif;"> <h1>Please Log In</h1> <?php     if ( isset($_SESSION["error"]) ) {         echo('<p style="color:red">'.$_SESSION["error"]."</p>\n");         unset($_SESSION["error"]);     }     if ( isset($_SESSION["success"]) ) {         echo('<p style="color:green">'.$_SESSION["success"]."</p>\n");         unset($_SESSION["success"]); ?> <form method="post"> <p>Account: <input type="text" name="account" value=""></p> <p>Password: <input type="text" name="pw" value=""></p> <!-- password is umsi --> <p><input type="submit" value="Log In"> <a href="app.php">Cancel</a></p> </form> </body> login.php

<html><head></head><body style="font-family: sans-serif;"> <h1>Cool Application</h1> <?php     if ( isset($_SESSION["success"]) ) {         echo('<p style="color:green">'.$_SESSION["success"]."</p>\n");         unset($_SESSION["success"]);     }     // Check if we are logged in!     if ( ! isset($_SESSION["account"]) ) { ?>        <p>Please <a href="login.php">Log In</a> to start.</p>     <?php } else { ?>        <p>This is where a cool application would be.</p>        <p>Please <a href="logout.php">Log Out</a> when you are done.</p>     <?php } ?> </body></html> http://www.wa4e.com/code/sessions/app.php

Redirect Time Browser C123 Apache login.php $_POST account Logged In $_SESSION (S123) account Logged In

Time Browser C123 Browser C123 Apache login.php $_POST app.php $_SESSION (S123) account Logged In

Flash Time Browser C123 Browser C123 Apache login.php $_POST app.php $_SESSION (S123) account

Refresh Time Browser C123 Browser C123 Browser C123 Apache login.php $_POST app.php app.php $_SESSION (C123) account

logout.php <?php session_start(); session_destroy();     header("Location: app.php");

<html><head></head><body style="font-family: sans-serif;"> <h1>Cool Application</h1> <?php     if ( isset($_SESSION["success"]) ) {         echo('<p style="color:green">'.$_SESSION["success"]."</p>\n");         unset($_SESSION["success"]);     }     // Check if we are logged in!     if ( ! isset($_SESSION["account"]) ) { ?>        <p>Please <a href="login.php">Log In</a> to start.</p>     <?php } else { ?>        <p>This is where a cool application would be.</p>        <p>Please <a href="logout.php">Log Out</a> when you are done.</p>     <?php } ?> </body></html> http://www.wa4e.com/code/sessions/app.php

Summary Redirect Post-Redirect-Get Flash Messages Sessions and Login / Logout

Acknowledgements / Contributions These slides are Copyright 2010- Charles R. Severance (www.dr-chuck.com) as part of www.wa4e.com and made available under a Creative Commons Attribution 4.0 License. Please maintain this slide in all copies of the document to comply with the attribution requirements of the license. If you make a change, feel free to add your name and organization to the list of contributors on this page as you republish the materials. Initial Development: Charles Severance, University of Michigan School of Information Insert new Contributors and Translators here including names and dates Continue new Contributors and Translators here Note from Chuck. Please retain and maintain this page as you remix and republish these materials. Please add any of your own improvements or contributions.

Copyright Attribution Cookie Image: By brainloc on sxc.hu (Bob Smith) (stock.xchng) [CC BY 2.5 (http://creativecommons.org/licenses/by/2.5)], via Wikimedia Commons

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.