
Controlling Web Site Access Using Logins CS 320

Basic Approach

- An HTML form on a PHP page collects the username and password and sends them (by POST) to a second PHP page that validates the login
- The validating PHP page queries the database for the username and password
  - If a matching row is found, it stores the user's id (customerid, or whatever the primary key identifying the user is) in a session variable and displays the next page
  - If not, it returns the user to the initial login page with an appropriate message ("Username or password incorrect"; use the same message for a wrong username and a wrong password, so the form does not reveal which usernames exist)
- Example: gin.php

Basic Concepts

- Session variables
- Working with session variables
- Command to forward the user to a different page
- PHP include command
- Preventing a user from directly accessing a page that requires a login
- What is a SQL Injection attack?

Session Variables

- When you request a Web page, the Web server creates a session object corresponding to your browser session
- The session data is kept on the Web server, not in the browser; the browser holds only the session id (for PHP, in the PHPSESSID cookie). Where the server keeps the data depends on the platform: some servers hold it in main memory, while PHP's default handler writes it to files under session.save_path
- A browser that presents no session id (or an unknown one) gets a new session; a browser that presents a valid session id resumes the existing session
- If you connect to the same Web site on the same client computer using 2 different browsers, each browser makes a separate session, because cookies are not shared between browsers

Session Variables

- Sessions have attributes that you can retrieve and display using program commands
- A program running on the Web server can create session variables that store data values associated with a specific browser session
  - Values are stored on the Web server and associated with the session object; the browser never sees them, only the session id that selects them

Session Timeout Intervals

- By default, server/browser sessions "time out" (close) after a specific period of inactivity:
  - Microsoft IIS: 20 minutes
  - Tomcat: 30 minutes
  - PHP: session.gc_maxlifetime, 1440 seconds (24 minutes) by default. PHP deletes expired session files with a probabilistic garbage collector (session.gc_probability / session.gc_divisor), so a session can survive somewhat past that limit; for a strict timeout, store a last-activity timestamp in the session and check it on every page
  - You can change these values to longer/shorter ones
- At that point, the session closes and the session object is destroyed
  - All session variable data is lost!

Login Approach Using a Session Variable

- Run a database query to determine if the username/password is valid
- If it is, create a session variable
- The variable is then checked (to see if it exists) by other pages requiring login
  - All of these pages redirect to the login page if this variable isn't found

Using session variables in PHP

Before storing or retrieving session variables, start a new session or resume the existing session with this PHP statement at the top of every page that uses session variables:

    <?php session_start(); ?>

- It must run before any HTML or text is sent, including whitespace or a blank line before the opening <?php tag; if output has already started, the session cookie cannot be sent and PHP reports "headers already sent"
- Registers the user's session with the server
- Assigns a UID (unique identification number) for the user's session if this is the first page requested by this browser from the server, and sends it to the browser in the PHPSESSID cookie

PHP Session Variable Commands

Session variables are elements of the $_SESSION array, available once session_start() has run:

- To create a session variable and assign it an initial value (in PHP, creating and assigning are the same statement):

    $_SESSION["cust_id"] = $value;

- To read a session variable and assign its value to a PHP program variable:

    $currUserID = $_SESSION["cust_id"];

PHP Session Variable Commands

- To unset a session variable:

    unset($_SESSION["cust_id"]);

- To test for existence (assumes the session variable value has already been assigned to a variable named $currUserID):

    <?php
    if (is_null($currUserID) == true) {
        // wasn't found, do something …
    }
    ?>

  Reading a $_SESSION element that does not exist yields null but also raises a PHP notice (the login page below silences it with error_reporting). Testing isset($_SESSION["cust_id"]) directly raises no notice and is the idiomatic existence check.

PHP command redirecting to a different page

    header("Location: Login.php");

What does this command really do?

- From the Web server's PHP page to the browser: PHP sends an HTTP response with status code 302 and a Location header naming the new page, which asks the browser to request that page instead
- From the browser to the Web server: the browser receives the 302 response and sends a new GET request for the page named in Location
- And from the Web server to the browser: the server sends back the newly requested page
- Must be placed before any HTML is sent to the browser! (Headers cannot be added once the response body has started)
- PHP keeps executing the script after header(), so follow it with exit; otherwise the rest of the page is still generated and sent along with the redirect, and a client that ignores the Location header reads it anyway
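The HTTP exchange behind that header() call, shown here as an added illustration that is not part of the slides. The host name, session id and page names are constructed; PHP sends the 302 status on its own when a Location header is set, and the Set-Cookie line comes from session_start() on the page that is finally served:

```http
GET /Menu.php HTTP/1.1
Host: candy.example

HTTP/1.1 302 Found
Location: http://candy.example/Login.php
Content-Length: 0

GET /Login.php HTTP/1.1
Host: candy.example

HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=3f9c0a7d1e5b; path=/
Content-Type: text/html; charset=UTF-8

(HTML body of the login page)
```

The Location value is shown absolute, as HTTP/1.1 originally required; browsers also resolve the relative form used on the slide. Set session.cookie_httponly=1 (and session.cookie_secure=1 on HTTPS) so the session id in that cookie cannot be read by scripts or sent in the clear.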

Login page sequence

Candy_Login.php (the login form):
  Collects the username and password and posts them to processCandyLogin.php

processCandyLogin.php:
  1. Receive user and password values as parameters
  2. Run query to retrieve CUST_ID based on username and password values
  3. If succeed:
     i. Create session variable = CUST_ID value
     ii. Go to next page in application
     If fail:
     i. Go back to Candy_Login.php and display an error message

Candy_Login.php Code

The form's HTML was lost from the transcript; the field names below are the ones processCandyLogin.php reads.

    <?php
    session_start();
    // remove any existing login so a stale cust_id cannot survive a new login attempt
    unset($_SESSION["cust_id"]);
    ?>
    <html>
    <head><title>Candy Login</title></head>
    <body>
    <h2>Candy Login</h2>
    <?php
    // the msg flag is compared to a fixed string and never echoed back,
    // so a crafted msg parameter cannot inject HTML (XSS) into this page
    $msg = isset($_REQUEST["msg"]) ? $_REQUEST["msg"] : "";
    if ($msg == "invalidLogin") {
    ?>
    <p>Invalid Login - Please try again</p>
    <?php
    }
    ?>
    <form method="post" action="processCandyLogin.php">
      Username: <input type="text" name="cust_username"><br>
      Password: <input type="password" name="cust_password"><br>
      <input type="submit" value="Log in">
    </form>
    </body>
    </html>

processCandyLogin.php Code

    <?php
    session_start();
    // Retrieve username and password from the login form
    // and store them in PHP variables
    $cust_username = isset($_REQUEST["cust_username"]) ? $_REQUEST["cust_username"] : "";
    $cust_password = isset($_REQUEST["cust_password"]) ? $_REQUEST["cust_password"] : "";

    // Include the file that contains the connection commands
    include("Includes/connectMySQL.php");

    // Create and execute the database query.
    // The query text is built by concatenating the raw form values, which is
    // exactly the pattern the SQL injection slides below attack. The mysql_*
    // functions were deprecated in PHP 5.5 and removed in PHP 7.0; mysqli or
    // PDO with prepared statements are their replacement.
    $query = "SELECT cust_id FROM candy_customer " .
             "WHERE cust_username = '" . $cust_username . "'" .
             " AND cust_password = '" . $cust_password . "'";
    // die(mysql_error()) shows the raw SQL error to the visitor (table names,
    // the broken query); in production log it and show a generic message
    $result = mysql_query($query) or die(mysql_error());

    // Determine number of rows retrieved
    $num_rows = mysql_num_rows($result);

    // Validate login
    if ($num_rows > 0) {
        // Fetch before closing the connection; the slides closed it first,
        // which only works because the result set is buffered client-side
        $row = mysql_fetch_array($result);
        mysql_close();
        // Issue a fresh session id on login so an id planted in the browser
        // before authentication (session fixation) cannot be reused
        session_regenerate_id(true);
        $_SESSION["cust_id"] = $row["cust_id"];
        header("Location: Menu.php");
        exit;   // stop here; nothing after a redirect should be executed or sent
    } else {
        mysql_close();
        // file name must match the case of Candy_Login.php on a case-sensitive server
        header("Location: Candy_Login.php?msg=invalidLogin");
        exit;
    }
    ?>


Preventing a user from directly accessing a page that requires a login

- Test for the existence of the session variable
- Put this code at the top of pages that shouldn't be accessed unless the user has logged in successfully, before any HTML (both session_start() and the header() redirect need that)

    <?php
    session_start();
    // attempt to retrieve the session variable; isset() is false when the key
    // is absent or null, and unlike reading it directly raises no notice
    if (!isset($_SESSION["cust_id"])) {
        // they haven't logged in - send them back to the login page
        header("Location: Candy_Login.php");
        // stop here: without this, PHP would still render the rest of the
        // protected page and send it along with the redirect
        exit;
    }
    $userid = $_SESSION["cust_id"];
    ?>
    (the protected page's own HTML follows)

Moving database connection code to a separate file using an include

The PHP include command inserts the contents of a file into the current file at that point, so the connection commands (and the database credentials) are written once and reused by every page that needs the database. In processCandyLogin.php the connection code is replaced by:

    // Include the file that contains the connection commands
    include("Includes/connectMySQL.php");

- require_once() is the safer choice for a connection file: it stops the script if the file is missing (include() only warns and continues, so the later queries run without a connection) and never includes it twice
- Give the included file a .php extension, or better keep the Includes directory outside the Web root, so a direct request for it is executed (or refused) rather than served as plain text that exposes the credentials

Contents of the included file: Includes/connectMySQL.php

    <?php
    // connect to the MySQL database server
    mysql_connect("dario.cs.uwec.edu", "STEVENDE", "******")
        or die("Could not connect to MySQL. The reported SQL error is: " . mysql_error());
    // select the database used by the following queries
    mysql_select_db("STEVENDE")
        or die("Could not connect to the database. The reported SQL error is: " . mysql_error());
    ?>

The die() messages print the server's error text to the visitor; that is fine while developing, but a deployed site should log it and show a generic failure page.

What is a SQL Injection Attack?

- A form of attack on a database-driven Web site in which the attacker gets the application to execute SQL the developer never wrote, by supplying input that is interpreted as part of the query
- Possible whenever a query is concatenated together from user inputs; a login that merely tests whether any rows came back is the classic target

Performing the Attack

- Enter a stolen username (any username will do, see below)
- Enter the password as:

    Foo' OR '1=1

- Search condition sent to the DB (always evaluates as true):

    SELECT * FROM users WHERE username = 'STEVENDE' AND Password = 'Foo' OR '1=1'

- All user rows are returned to the application
- If the application is only checking for 0 vs. more than 0 rows, the attacker is in!

Two details worth knowing when you test this:

- AND binds tighter than OR, so the condition reads (username = 'STEVENDE' AND Password = 'Foo') OR '1=1'. The username part no longer matters, and mysql_fetch_array() returns the first row of the table, so the attacker is logged in as whichever account sorts first, often the administrator
- The trailing '1=1' is a string literal, not a comparison. MySQL converts it to the number 1 (with a warning), and a non-zero number is true, which is why this payload works there. The dialect-independent form is ' OR '1'='1, which ends the query with the genuine comparison '1'='1'

Database Dark Humor: [cartoon not included in the transcript]

Bottom Line: TEST for SQL injection attacks!

- Try the payload above, and a lone single quote, against your own login page: a single quote should produce an error or no login, never a session
- If your system allows them, research how to prevent based on your PHP version:
  - Prepared statements with bound parameters (mysqli or PDO), which send the SQL text and the values separately so a quote in the input is only data
  - With the legacy mysql_* extension, at minimum pass every value through mysql_real_escape_string() before concatenating it; the extension itself was removed in PHP 7.0
- Storing and comparing plaintext passwords, as the query above does, is a second problem: store password_hash() digests and check them with password_verify()
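To show both the processCandyLogin.php query being exploited and the prepared-statement fix in one runnable script, here is an added example that is not code from the CS 320 slides. It builds a constructed in-memory SQLite table through PDO so it runs offline with php-cli (pdo_sqlite ships with PHP); the table and column names follow the slides, while the accounts, passwords and attack string are invented for the demonstration. It uses the dialect-independent payload ' OR '1'='1 rather than the slide's Foo' OR '1=1, so the comparison is true on SQLite as well as MySQL:

```php
<?php
// Added example (not from the CS 320 slides): the lecture's concatenated login
// query beside a prepared-statement version, run against a constructed
// in-memory SQLite table. Table/column names follow the slides (candy_customer,
// cust_id, cust_username, cust_password); rows and payload are made up.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE candy_customer ('
            . 'cust_id INTEGER PRIMARY KEY, cust_username TEXT, cust_password TEXT)');
    // Constructed accounts. Passwords are stored as password_hash() digests,
    // never in the clear as the slides' query implies.
    $ins = $db->prepare('INSERT INTO candy_customer (cust_id, cust_username, cust_password) VALUES (?, ?, ?)');
    $ins->execute([1, 'admin',    password_hash('correct horse', PASSWORD_DEFAULT)]);
    $ins->execute([2, 'STEVENDE', password_hash('battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// The slides' pattern: SQL text assembled from the raw form values.
// Deliberately vulnerable; kept to show what the injection does to the query.
function vulnerableLookup(PDO $db, string $user, string $pass): ?int {
    $sql = "SELECT cust_id FROM candy_customer"
         . " WHERE cust_username = '" . $user . "'"
         . " AND cust_password = '" . $pass . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    // Like the slides, treats "at least one row" as a successful login
    return $row ? (int) $row['cust_id'] : null;
}

// Hardened: the username travels as a bound parameter, so quotes in it stay
// data; the password never reaches the SQL at all and is checked in PHP
// against the stored hash.
function safeLookup(PDO $db, string $user, string $pass): ?int {
    $stmt = $db->prepare('SELECT cust_id, cust_password FROM candy_customer WHERE cust_username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($pass, $row['cust_password'])) {
        return (int) $row['cust_id'];
    }
    return null;
}

$db = makeDb();
$payload = "' OR '1'='1";   // constructed attack string, valid in any SQL dialect

// Vulnerable: the condition becomes (... AND cust_password = '') OR '1'='1',
// every row matches, fetch() returns the first one, and the caller accepts the
// admin account's cust_id as a login for a user who knows no password at all.
var_dump(vulnerableLookup($db, 'anyone', $payload));

// Hardened: no account is named "anyone", so the lookup yields null, and the
// same payload typed as the password of a real account fails password_verify().
var_dump(safeLookup($db, 'anyone', $payload));
var_dump(safeLookup($db, 'STEVENDE', $payload));

// A legitimate login still succeeds through the hardened path.
var_dump(safeLookup($db, 'STEVENDE', 'battery staple'));
```

Run it with php from the command line. The vulnerable function exists only for the comparison; the hardened one is what processCandyLogin.php should call, after which it would run session_regenerate_id(true) and store the returned cust_id in $_SESSION exactly as the slides do. Keep the single generic "Username or password incorrect" response for both a missing account and a wrong password, so the login form does not become a username enumeration oracle.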