V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 1.

Slides:



Advertisements
Similar presentations
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Advertisements

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
V 1.0 OE NIK 2013 PHP+SQL 6. Forum 1. V 1.0 Hashing – this semester Storing passwords in cleartext form is FORBIDDEN Textual user database is enough user|hash.
>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane
Session Management A290/A590, Fall /25/2014.
CSE 154 LECTURE 13: SESSIONS. Expiration / persistent cookies setcookie("name", "value", expiration); PHP $expireTime = time() + 60*60*24*7; # 1 week.
Php cookies & sessions.
15. User Authentication, Form Validation, Paging. M. Udin Harun Al Rasyid, S.Kom, Ph.D
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
Website Security ISYS 475. Authentication Authentication is the process that determines the identity of a user.
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.
CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.
CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.
Web Programming Language Week 7 Dr. Ken Cosh Security, Sessions & Cookies.
Creating Databases for Web Applications cookie examples lab time: favorites cookies & Sessions class time for group work/questions on projects Next class:
12/3/2012ISC329 Isabelle Bichindaritz1 PHP and MySQL Advanced Features.
Feedback #2 (under assignments) Lecture Code:
School of Computing and Information Systems CS 371 Web Application Programming PHP – Forms, Cookies, Sessions and Database.
Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.
Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.
Nic Shulver, Introduction to Sessions in PHP Sessions What is a session? Example Software Software Organisation The login HTML.
Chapter 6: Authentications. Training Course, CS, NCTU 2 Overview  Getting Username and Password  Verifying Username and Password  Keeping The Verification.
PHP2. PHP Form Handling The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input. Name: Age:
Cookies & Session Web Technology
Prof Frankl, Spring 2008CS Polytechnic University 1 Overview of Web database applications with PHP.
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
PHP Workshop ‹#› Maintaining State in PHP Part II - Sessions.
CSC 2720 Building Web Applications Server-side Scripting with PHP.
SessionsPHPApril 2010 : [‹#›] Maintaining State in PHP Part II - Sessions.
PHP. $_GET / $_POST / $_SESSION PHP uses predefined variables to provide access to important information about the server and requests from a browser.
COOKIES and SESSIONS. COOKIES A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each.
Sessions in PHP – Page 1 of 13CSCI 2910 – Client/Server-Side Programming CSCI 2910 Client/Server-Side Programming Topic: Sessions in PHP Reading: Williams.
Web Database Programming Week 7 Session Management & Authentication.
Cookies and Sessions IDIA 618 Fall 2014 Bridget M. Blodgett.
PHP-based Authentication
Sessions and Cookies State Management, Cookies, Sessions, Hidden Fields SoftUni Team Technical Trainers Software University
PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.
How to maintain state in a stateless web Shirley Cohen
SESSIONS 27/2/12 Lecture 8. ? Operator Similar to the if statement but returns a value derived from one of two expressions by a colon. Syntax: (expression)
PHP and Sessions. Session – a general definition The GENERAL definition of a session in the “COMPUTER WORLD” is: The interactions (requests and responses)
ITM © Port,Kazman 1 ITM 352 Cookies. ITM © Port,Kazman 2 Problem… r How do you identify a particular user when they visit your site (or any.
1 PHP HTTP After this lecture, you should be able to know: How to create and process web forms with HTML and PHP. How to create and process web forms with.
Unit-6 Handling Sessions and Cookies. Concept of Session Session values are store in server side not in user’s machine. A session is available as long.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
COOKIES AND SESSIONS.
PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.
Unit 4 Working with data. Form Element HTML forms are used to pass data to a server. A form can contain input elements like text fields, checkboxes, radio-buttons,
Programming for the Web Cookies & Sessions Dónal Mulligan BSc MA
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
PHP+SQL 4. Password management (password hashing)
CHAPTER 5 SERVER SIDE SCRIPTING
PHP Secure Communications
Web Programming Language
Open Source Programming
Cookies BIS1523 – Lecture 23.
Web Systems Development (CSC-215)
PHP: Security issues FdSc Module 109 Server side scripting and
<?php require("header.htm"); ?>
Web Programming Language
Cookies and sessions Saturday, February 23, 2019Saturday, February 23,
Web Programming Language
Presentation transcript:

V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 1

V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 2

V 1.0 Storing passwords Probably the most sensitive data Storing passwords in a cleartext form is not allowed! Any website/program that is capable of sending forgotten passwords uses cleartext passwords! Aim: password authentication without storing the password itself Symmetric Encryption vs Assymetric Encryption  not secure, the key have to be stored somewhere... Instead: one-way transformation. If we store f(pw) instead of pw, and pw cannot be guessed from f(pw), then it is safe The user enters his password (pw2), which is correct, if f(pw)==f(pw2) OE NIK

V 1.0 Hashing functions Aim: search an f(x) function that is –Cannot be decrypted (one-way): it is not possible to find x from f(x) –Finite output (typically bit) : we want to store f(x) in a database, it cannot be infinite, even if x can take any possible values –Theoretical aim: f(x)==f(y)  x==y –Practical aim: the probability of a collision must be the smallest possible (collision  in case of x!=y, the outputs f(x)==f(y) are the same (infinite possible inputs, finite output – still, we want few collisions) OE NIK

V 1.0 Hashing functions Practical examples –MD5: 128bit, , theoretically insecure (since 1996), practically insecure (since 2004), very easy to crack (since , since 2009 only a few seconds are needed (time factor 2 20,96 ) –SHA1: 160bit, exists since 1995, used since ~2000. Theoretically insecure (since 2005, 2 51 ), despite this, it is a very common hashing function –SHA256/224, SHA512/384 (SHA2): since 2001, probably has the same mathematical weakness –SHA3: Completely new algorithm (Keccak), since , arbitrary output length (MD6?) OE NIK

V 1.0 Hashing functions in PHP Default output: hexadecimal byte sequence string hash ( string $algo, string $data [, bool $raw_output = false ] ) –Possibility to use multiple algorithms –Faster –Can't use salt string crypt ( string $str [, string $salt ] ) –The main algorithms are here (SHA1, SHA2) –Since 5.3 PHP can use its own implementation –salt-compatible OE NIK

V 1.0 Hashing in PHP $password="almafa"; $salt=""; for($i=1; $i<=16; $i++) $salt.=chr(rand(ord('A'), ord('Z'))); $hash=crypt($password, '$5$rounds=5000$'.$salt.'$'); //$5$ = SHA256, $6$ = SHA512 $result1=crypt("kortefa", $hash); $result2=crypt("almafa", $hash); echo "Password: {$password} "; echo "Salt: {$salt} "; echo "Hash: {$hash} "; echo "Result1: {$result1} "; echo "Result2: {$result2} "; OE NIK

V 1.0 Hashing in PHP Password: almafa Salt: KPABPDIJFTCVFABU Hash: $5$rounds=5000$KPABPDIJFTCVFABU$RWNvee2gQ0Vhi18 lmZjw/.J3h1k12o2c/.JmUK1lEhD Result1: $5$rounds=5000$KPABPDIJFTCVFABU$2BUvHZFXlo3AP7U LueqRWKXgRwjOsiSPNc316YXOSn7 Result2: $5$rounds=5000$KPABPDIJFTCVFABU$RWNvee2gQ0Vhi18 lmZjw/.J3h1k12o2c/.JmUK1lEhD OE NIK

V 1.0 Hashing – this semester Storing passwords in cleartext form is FORBIDDEN Textual user database is enough user|hash pairs, it is enough to use the basic sha1() e.g. or simply echo sha1("password") After this, read the file using file($path, FILE_IGNORE_NEW_LINES) then explode("|", $row) OE NIK

V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 10

V 1.0OE NIK STATELESS HTTP

V 1.0 COOKIES Data storage in the browser: key, value, validity time, validity domain Setting values: from Javascript or PHP code (in the latter case, it is sent in the HTTP response headers) Getting values: in every HTTP Request, the browser sends all valid cookies, these go into the $_COOKIE array NOT SECURE to store sensitive data, because anyone can see and mondify the data Typically: visitor tracking, feedback of javascript variables, advertisement data, „tracking cookie” OE NIK

V 1.0 COOKIES OE NIK

V 1.0 COOKIES setcookie(name, value, expire, path, domain); setcookie("user", "Alex Porter", time()+3600); echo $_COOKIE["user"]; print_r($_COOKIE); setcookie("user", "", time()-3600); php_cookies.asp  ALTERNATIVE: HTML5 local storage 14 OE NIK 2013

V 1.0 SESSION variables Data storage on the server: key, value Initializing a session: session_start() Session identification: SID (Session ID), the browser sends it with every HTTP Request ($_COOKIE or $_GET) Accessing values: The browser sends the SID, the session_start() loads the data associated with the given SID into the $_SESSION array The client only stores the SID, the associated data are on the server  more secure Session hijacking? OE NIK

V 1.0 SESSION variables 16 OE NIK 2013

V 1.0 SESSIONS session_start(); if (isset($_SESSION['views'])) $_SESSION['views']=$_SESSION['views']+1; else $_SESSION['views']=1; echo "Views=". $_SESSION['views']; unset($_SESSION['views']); session_destroy(); setcookie(session_name(), '', time() – 86400); 17 OE NIK 2013

V 1.0 SESSION HIJACKING $sesskey =$_SERVER['HTTP_USER_AGENT']; $sesskey.=$_SERVER['REMOTE_ADDR']; $sesskey.='HELLOBELLO'; $sesskey=sha1($sesskey); if(isset($_SESSION['sesskey'])) { if ($_SESSION['sesskey']!=$sesskey) { die("NOT ALLOWED"); } } else { $_SESSION['sesskey']=$sesskey; } 18 OE NIK 2013

V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 19

V 1.0OE NIK Login form Create a users.txt file with user|hash pairs (sha1, we'll create a php script, but we could use too (no line breaks!) ) Create the login.html form: username and password + submit button Create the index.php script: it displays the login form, if the user is not logged in, otherwise it displays the contents of a textfile diary.txt and a logout link at the bottom The logged-in users must be able to edit the textfile

V 1.0 $_GET['action'] LOGIN ANYTHING ELSE LOGIN FORM OR LOGOUT LINK DESTROY SESSION LOGOUT USER INPUT? YES NO ERROR (echo) Check USER/PASS (+ set $_SESSION) REDIRECT USER (header + exit) INDEX.PHP REDIRECT USER (header + exit) 21 OE NIK 2013

V 1.0 $_SESSION['user'] SET NOT SET LOGIN FORM LOGIN FORM OR LOGOUT LINK? TEXT + LOGOUT LINK 22 OE NIK 2013 We have to add extra actions for text editing...

V 1.0 OE NIK 2013 LET'S CODE! 23

V 1.0 OE NIK

25 OE NIK 2013

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.