Sessions, Cookies, &.htaccess IT 210

Procedural Issues  Quiz #3 Today!  Homework #3 Due Friday at midnight UML for Lab 4  Withdraw Deadline is Wed, Feb 8 th  Resources and strategies when getting stuck?

Problem  HTTP is stateless  This causes problems when you want the server to “remember” a user (e.g., checkout baskets, customized presentation).  This problem is solved by using cookies and sessions

Sessions and Cookies

PHP Sessions  Remember: http is memoryless  “Sessions” provide temporary memory for web site access Created by server (e.g., PHP) Associative array (name  value pairs) Expires after ~15 minutes of inactivity Removed when browser is closed  Stored in cookies or on query string. Query string doesn’t allow for back button and has security problems UID, and program defined variables saved

Cookies are used for…  Session Management  Personalization  Web analytics

Cookies  Cookies Small text file stored in a file on client (“cookie jar”) Name/value pairs with expiration date, location, & source indicated. Can be secure (encrypted when HTTPS) or not  First party (from domain you’re visiting) vs Third Party (from different domain)  Session cookies (end when you close browser) vs persistent cookies (stored for long time and used when you revisit site)

Cookies  Set with: <?php //Calculate 60 days in the future //seconds * minutes * hours * days + current time $inTwoMonths = 60 * 60 * 24 * 60 + time(); setcookie('lastVisit', date("G:i - m/d/y"), $inTwoMonths); ?>  Retrieve with: $_COOKIE

Our goal: secure login  Secure?  Use PHP to read form, and check the results against a database If valid, set variable to ‘true’, otherwise ‘false’ Column NameTypeNullPrimary KeyExtra user_idint(8)NoPKAUTO usernamevarchar(11)No passwordvarchar(32)No

What is.htaccess  Method for remote web-server control  Support multiple users  A simple text file in a directory Called.htaccess

.htaccess  Built into Apache Other servers have other means Disabled by default  Put file into a directory to make site settings Controlled by closest file in the hierarchy

Performance Hit  If htaccess is turned on in Apache then Apache will look in every directory for an htaccess file and read it if it is there. If a file is requested out of a directory /www/htdocs/example, Apache must look for:  /.htaccess  /www/.htaccess  /www/htdocs/.htaccess  /www/htdocs/example/.htaccess  Lower file directives overrode higher ones

On the other hand …  It does allow users to control their own sub-directory tree without affecting others  There are other ways to do this but they require system-level access to Apache— which you may not want to give to users who each control their own sub-tree (website)

Use.htaccess to…  Customize error messages  Password protect sites  Block access by IP addresses  Block rippers and bots  Prevent hot linking (e.g., another site to embed images from your site)

Error messages ErrorDocument 400 /errors/badrequest.html ErrorDocument 401 /errors/authreqd.html ErrorDocument 403 /errors/forbid.html ErrorDocument 404 “Not here bucko !” ErrorDocument 500 /errors/serverx.html

Access control  Modify.htaccess: AuthUserFile /usr/local/myhome/.htpasswd AuthGroupFile /dev/null AuthName EnterPassword AuthType Basic require valid-user  Now, create a password file

.htpasswd  Put in a safe location  Username, password pairs Passwords are encrypted using a hash Eg: It210:cwQgdU78tJoCc See online site for generating passwordsonline site

Other commands  Block IPs order allow,deny deny from deny from allow from all  Block rippers RewriteEngine On RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR] RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR] RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR] RewriteCond %{HTTP_USER_AGENT} ^WebSauger RewriteRule ^.* - [F,L]

Finally  Block hot links These steal your intellectual property and your bandwidth! RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^ [NC] RewriteRule \.(gif|jpg|js|css)$ - [F]