Published by Cori Nicholson. Modified over 7 years ago.
1
PHP+SQL 4.
- Password management (password hashing)
- Stateless HTTP, storage methods
- Forms, Login form
- File uploads
- Forum
OE NIK PHP/Symfony
2
PHP+SQL 4. (section: Password management (password hashing))
3
Storing passwords
Probably the most sensitive data.
- Storing passwords in cleartext form is not allowed! Any website/program that is capable of sending you your forgotten password stores cleartext passwords!
- Aim: password authentication without storing the password itself.
- Symmetric encryption vs. asymmetric encryption: not secure, the key has to be stored somewhere...
- Instead: a one-way transformation. If we store f(pw) instead of pw, and pw cannot be guessed from f(pw), then it is safe.
- The user enters their password (pw2), which is correct if f(pw)==f(pw2).
(pw = password = jelszó)
4
Hashing functions
Aim: find an f(x) function that
- Cannot be decrypted (one-way): it is not possible to find x from f(x)
- Has finite output (typically a fixed number of bits): we want to store f(x) in a database, it cannot be infinite, even if x can take any possible value
- Theoretical aim: f(x)==f(y) if and only if x==y
- Practical aim: the probability of a collision must be as small as possible (a collision is when x!=y but the outputs f(x)==f(y) are the same; with infinitely many possible inputs and a finite output collisions must exist, still we want few of them, and collisions MUST NOT BE COMPUTABLE!!!)
5
Hashing functions
- MD5: 128 bit, theoretically insecure (since 1996), practically insecure (since 2004), very easy to crack (since …; since 2009 only a few seconds are needed, time factor 2^20.96)
- SHA1: 160 bit, exists since 1995, used since ~2000. Theoretically insecure (since 2005, …; public collision since 23/FEB/2017); despite this, it is a very common hashing function
- SHA256/224, SHA512/384 (SHA2): since 2001, probably has the same mathematical weakness
- SHA3: completely new algorithm (Keccak), since …, arbitrary output length (MD6?), weak support
6
Hashing functions in PHP
Default output: the byte sequence as a hexadecimal string
    string hash ( string $algo , string $data [, bool $raw_output = false ] )
- Possibility to use multiple algorithms
- Faster
- Can't use a salt
    string crypt ( string $str [, string $salt ] )
- The main algorithms are here (SHA1, SHA2)
- Since 5.3 PHP can use its own implementation
- Salt-compatible
- *STILL* no SHA3!
7
Hashing – today
Storing passwords in cleartext form is FORBIDDEN
- Today, a textual user database is enough: user|hash pairs; for this course it is enough to use the basic sha1(), e.g. … or simply echo sha1("password")
- After this, read the file using file($path, FILE_IGNORE_NEW_LINES), then explode("|", $row)
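An added example, not code from the slides: reading the user|hash file with file() and explode() as described, then doing the f(pw)==f(pw2) check from the "Storing passwords" slide. It keeps the plain sha1() format the deck uses but also accepts hashes made by PHP's password_hash(), which adds a salt and a slow hash and is what production code should store; the file path and user names are constructed for the demo.

```php
<?php
// Added example (not from the slides): verify a login against a users.txt
// file of user|hash lines. The sample file content and the user names are
// constructed for this demo.

// Parse "user|hash" lines into an associative array (user => hash).
function loadUsers(string $path): array {
    $users = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $row) {
        $parts = explode('|', $row, 2);
        if (count($parts) === 2) {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

// The f(pw) == f(pw2) check. Hashes made by password_hash() start with "$" and
// are checked with password_verify(); anything else is treated as a plain
// sha1() hex digest, the format the slides use. hash_equals() compares in
// constant time, so the comparison does not leak how many bytes matched.
function checkLogin(array $users, string $user, string $pw): bool {
    if (!isset($users[$user])) {
        // Run a hash anyway so an unknown user costs the same time as a wrong password.
        password_verify($pw, '$2y$10$' . str_repeat('x', 53));
        return false;
    }
    $stored = $users[$user];
    if (substr($stored, 0, 1) === '$') {
        return password_verify($pw, $stored);
    }
    return hash_equals($stored, sha1($pw));
}

// Constructed demo file: one legacy sha1 entry and one password_hash() entry.
$path = sys_get_temp_dir() . '/users_demo.txt';
file_put_contents($path, implode("\n", [
    'alice|' . sha1('jelszó'),
    'bob|' . password_hash('secret', PASSWORD_DEFAULT),
]) . "\n");

$users = loadUsers($path);
var_dump(checkLogin($users, 'alice', 'jelszó'));
var_dump(checkLogin($users, 'alice', 'password'));
var_dump(checkLogin($users, 'bob', 'secret'));
var_dump(checkLogin($users, 'mallory', 'secret'));
```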
8
PHP+SQL 4. (section: Stateless HTTP, storage methods)
9
STATELESS HTTP
10
COOKIES
- Data storage in the browser: key, value, validity time, validity domain
- Setting values: from JavaScript or PHP code (in the latter case, it is sent in the HTTP response headers)
- Getting values: in every HTTP request, the browser sends all valid cookies; these go into the $_COOKIE array
- NOT SECURE for storing sensitive data, because anyone can see and modify the data
- Typically: visitor tracking, feedback of JavaScript variables, advertisement data, "tracking cookie"
11
COOKIES
12
COOKIES
    setcookie(name, value, expire, path, domain);

    setcookie("user", "Alex Porter", time() + 3600);   // valid for one hour
    echo $_COOKIE["user"];
    print_r($_COOKIE);
    setcookie("user", "", time() - 3600);              // expire it: delete the cookie
(source: php_cookies.asp)
Symfony: $request->cookies
ALTERNATIVE: HTML5/JS local storage
13
SESSION variables
Data storage on the server: key, value
- Initializing a session: session_start()
- Session identification: SID (Session ID); the browser sends it with every HTTP request ($_COOKIE or $_GET)
- Accessing values: the browser sends the SID, and session_start() loads the data associated with the given SID into the $_SESSION array
- The client only stores the SID; the associated data are on the server, so it is more secure
14
SESSION variables
15
SESSIONS
    session_start();
    if (isset($_SESSION['views']))
        $_SESSION['views'] = $_SESSION['views'] + 1;
    else
        $_SESSION['views'] = 1;
    echo "Views=" . $_SESSION['views'];

    unset($_SESSION['views']);                        // drop one variable
    session_destroy();                                // drop the whole session on the server
    setcookie(session_name(), '', time() - 86400);    // and the SID cookie in the browser
Symfony: $this->get('session') // in a controller class
16
SESSION HIJACKING
    // bind the session to the client's User-Agent and IP address
    $sesskey  = $_SERVER['HTTP_USER_AGENT'];
    $sesskey .= $_SERVER['REMOTE_ADDR'];
    $sesskey .= 'HELLOBELLO';
    $sesskey  = sha1($sesskey);
    if (isset($_SESSION['sesskey'])) {
        if ($_SESSION['sesskey'] != $sesskey) {
            die("NOT ALLOWED");
        }
    } else {
        $_SESSION['sesskey'] = $sesskey;
    }
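An added example, not code from the slides: the hijacking check above, combined with the session settings a practitioner would pair with it (cookie attributes that limit where the SID travels, and a new SID on login). The function names and the secret are assumptions; the array form of session_set_cookie_params needs PHP 7.3+.

```php
<?php
// Added example (not from the slides): fingerprint check plus hardened session
// cookie and SID regeneration on login. Names and the secret are assumptions.

const SESSION_SECRET = 'HELLOBELLO';  // assumed; use a real per-deployment secret

// Client fingerprint, same idea as the slide: User-Agent + IP + secret, hashed.
function clientFingerprint(): string {
    return sha1(($_SERVER['HTTP_USER_AGENT'] ?? '')
              . ($_SERVER['REMOTE_ADDR'] ?? '')
              . SESSION_SECRET);
}

// Start the session with cookie attributes that limit how the SID can leak:
// httponly keeps it away from JavaScript, secure keeps it off plain HTTP,
// samesite=Strict stops cross-site requests from carrying it along.
function startHardenedSession(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Strict',
    ]);
    session_start();

    $fp = clientFingerprint();
    if (!isset($_SESSION['sesskey'])) {
        $_SESSION['sesskey'] = $fp;           // first request: remember the fingerprint
    } elseif (!hash_equals($_SESSION['sesskey'], $fp)) {
        // Fingerprint changed: discard the session rather than trust the SID.
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('NOT ALLOWED');
    }
}

// Call right after a successful password check: a fresh SID makes an ID that was
// fixed or captured before the login useless afterwards.
function loginUser(string $userName): void {
    session_regenerate_id(true);
    $_SESSION['user']    = $userName;
    $_SESSION['sesskey'] = clientFingerprint();
}

startHardenedSession();
```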
17
PHP+SQL 4. (section: Forms, Login form)
18
Login form
- We should create the login.html form: username and password + submit button
- Create the controller: it should display the login form if the user is not logged in, otherwise it should display a logout link at the bottom
- Create form… the Symfony way!
19
Symfony forms
- The DISPLAY of forms is a task of the view, but there are TONS of features that should be done in the BACKEND (validation, type-check, select values)
- To do this, the Symfony framework provides the powerful FORM BUILDER component
1. Create a DTO class with appropriate getters/setters
2. Use a form builder to define the fields (names+types; the names must match the properties in the DTO)
3. Render the form (in the view)
4. Process the POST data, if it exists
20
Fields
    /** @var string */
    protected $userName;
    /** @var string */
    protected $userPass;
21
Properties
    /** @return string */
    public function getUserName() {
        return $this->userName;
    }

    /** @param string $userName */
    public function setUserName($userName) {
        $this->userName = $userName;
    }
22
Form Builder
    /** @return FormInterface */
    public function getForm() {
        $builder = $this->formFactory->createBuilder(FormType::class, $this);
        // set action, method if needed
        $builder->add('userName', TextType::class);
        $builder->add('userPass', PasswordType::class);
        $builder->add('Send', SubmitType::class);
        return $builder->getForm();
    }
23
Rendering
TWIG must receive a FormView:
    $twigParams = array('form' => $formInstance->createView());
    $this->render('some.html.twig', $twigParams);
In the template:
    {% form_theme form 'form_table_layout.html.twig' %}
    {{ form_start(form) }}
    {{ form_widget(form) }}
    {{ form_end(form) }}
Also available: form_label, form_errors
24
Handling form input (in the controller)
- Usually the same route is used to display and process the form
- After processing the data: add a flash message (via the session!) + redirect the user
- Automatic CSRF protection!
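The four steps above put together in one controller action, as an added example rather than the course's own code: the same route displays and processes the login form, and a successful POST ends in a flash message and a redirect. LoginDTO with its getForm() method, the 'users_file' parameter and the route names are assumptions; the Symfony calls are the framework's own (Symfony 3.x style).

```php
<?php
// Added example (not the course's own code): one controller action that both
// displays and processes the login form. LoginDTO, the 'users_file' parameter
// and the route names are assumptions; the Symfony calls are the framework's.
namespace AppBundle\Controller;
use AppBundle\Form\LoginDTO;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;

class LoginController extends Controller
{
    /**
     * @Route("/login", name="login")
     */
    public function loginAction(Request $request)
    {
        $session = $request->getSession();
        if ($session->has('user')) {
            return $this->render('logout.html.twig'); // logged in: show logout link only
        }

        $dto  = new LoginDTO($this->get('form.factory'));
        $form = $dto->getForm();
        // Same route for GET (display) and POST (process): handleRequest() fills
        // the DTO from the POST data and verifies the CSRF token automatically.
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            // users.txt of user|hash lines, as on the "Hashing - today" slide
            $users = [];
            foreach (file($this->getParameter('users_file'), FILE_IGNORE_NEW_LINES) as $row) {
                [$u, $h] = explode('|', $row, 2) + [1 => ''];
                $users[$u] = $h;
            }
            $name = $dto->getUserName();
            if (isset($users[$name]) && hash_equals($users[$name], sha1($dto->getUserPass()))) {
                $session->set('user', $name);
                $this->addFlash('notice', 'Welcome, ' . $name);
                return $this->redirectToRoute('list');
            }
            $this->addFlash('error', 'Wrong user name or password');
            return $this->redirectToRoute('login'); // redirect instead of re-rendering the POST
        }

        return $this->render('login.html.twig', ['form' => $form->createView()]);
    }
}
```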
25
Possible input types
Text Fields: TextType, TextareaType, EmailType, IntegerType, MoneyType, NumberType, PasswordType, PercentType, SearchType, UrlType, RangeType
26
Possible input types
Choice Fields: ChoiceType, EntityType, CountryType, LanguageType, LocaleType / TimezoneType / CurrencyType
Date and Time Fields: DateType, DateTimeType, TimeType, BirthdayType
27
Possible input types
Other Fields: CheckboxType, FileType, RadioType, HiddenType
Field Groups: CollectionType, RepeatedType
Buttons: ButtonType, ResetType, SubmitType
28
Possible input parameters
required, label, max_length, extra HTML attributes (attr)
29
PHP+SQL 4. (section: File uploads)
30
Upload file
- An HTML form should be used to upload files (the files are sent in the request body, just like POST data)
- Size limits: MAX_FILE_SIZE (hidden form field), upload_max_filesize, max_file_uploads, post_max_size (php.ini), LimitRequestBody (Apache)
31
Upload Example – Uploader.php
    $file = "myfile";               // name of the file input field
    $DIR_destination = "images/";
    IF (valid upload file) {
        $name = create local name
        move uploaded file to location
        IF (jpeg) create thumbnail
    }
    Redirect user back to index.php
32
Valid file?
33
Create local name
34
Move file?
    move_uploaded_file($old_name, $new_name);

    move_uploaded_file($_FILES[$file]["tmp_name"], $DIR_destination . $name);
35
Create Thumbnail?
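A runnable version of the Uploader.php steps (valid file? → create local name → move → thumbnail → redirect), added here as an example and not the slides' own script. The field name, destination directory, size limit and thumbnail width are assumptions; the validation decides the type from the file content, because the client chooses both the file name and the type it reports.

```php
<?php
// Added example, not the slides' own Uploader.php. The field name, destination
// directory, size limit and thumbnail width are assumptions.

$field    = 'myfile';
$destDir  = __DIR__ . '/images/';
$allowed  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$maxBytes = 2 * 1024 * 1024;

// Valid file? Check PHP's own error code, the size, that the temp file really came
// from this request, and the type by content: the client's file name and the
// browser-supplied $_FILES[...]['type'] are chosen by the client, so neither is trusted.
function validUploadExt(string $field, array $allowed, int $maxBytes): ?string {
    $f = $_FILES[$field] ?? null;
    if (!$f || $f['error'] !== UPLOAD_ERR_OK || $f['size'] > $maxBytes
        || !is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    return $allowed[$mime] ?? null;   // extension to store under, or null = rejected
}

// Create local name: random and server-chosen, extension taken from the detected
// type, so nothing from the client (e.g. "../x.php") ends up in the path.
function createLocalName(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Create thumbnail (JPEG only, as in the pseudocode); imagescale keeps the aspect ratio.
function createThumbnail(string $src, string $dst, int $width = 150): void {
    $img = imagecreatefromjpeg($src);
    if ($img === false) { return; }   // corrupt or truncated JPEG: no thumbnail
    $thumb = imagescale($img, $width);
    imagejpeg($thumb, $dst);
    imagedestroy($img);
    imagedestroy($thumb);
}

$ext = validUploadExt($field, $allowed, $maxBytes);
if ($ext !== null) {
    $name = createLocalName($ext);
    if (move_uploaded_file($_FILES[$field]['tmp_name'], $destDir . $name) && $ext === 'jpg') {
        createThumbnail($destDir . $name, $destDir . 'thumb_' . $name);
    }
}
header('Location: index.php');   // redirect user back to index.php
exit;
```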
36
In Symfony
    $form->add('connFile', FileType::class, array('required' => false));
When calling $form->handleRequest($request); the framework puts the file as an UploadedFile object into the DTO (OR: $request->files)
    /** @var UploadedFile $file */
    $file = $oneEntity->getConnFile();
    if ($file) {
        $fileName = ConnDTO::createFileName($file->getClientOriginalName());
        $file->move($this->getParameter('uploads_directory'), $fileName);
        $oneEntity->setConnFile($fileName);
    }
37
PHP+SQL 4. (section: Forum)
38
MyForum
- Create a users.txt file with user|hash pairs (sha1; we'll create a PHP script, but we could use … too (no line breaks!))
- Users who are not logged in can't access anything
- Topic titles are one-liners; we store them in the topics.txt file
- Messages are one-liners; we store them in the msgs_{$topicnumber}.txt file (format: user|time|message)
39
CONTROLLER ACTIONS
- PWGEN: generate the password file
- LOGIN: perform the login check, redirect with a flash message + username in the session
- LOGOUT: destroy the session, redirect with a message in the session
- LIST: list all topics, possibility to add a new topic or jump into a topic
- LIST/{TOPIC}: list all messages of a single topic, possibility to post a new message
40
HOMEWORK FOR POINTS (deadline: 4th of April, 23:59)
- DELTOPIC: delete topic (ATTENTION! What if I have topicA + topicB + topicC in topics.txt, so the files msgs_0.txt, msgs_1.txt and msgs_2.txt are present. If I delete topicB from the topics.txt file, then for topicC I will open msgs_1.txt instead of msgs_2.txt… Solution: introduce an order-independent topic ID, or rename the files)
- REGISTER: registration (form + actual registration… use RepeatedType::class with PasswordType::class)
- PWMOD: password change (form + actual modification)
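The order-independent topic ID suggested for DELTOPIC, worked through as an added example (not part of the homework sheet): topics.txt lines become id|title, message files are named by that id, and IDs are never reused, so deleting a line never shifts another topic onto the wrong msgs_ file. The data directory and sample titles are constructed for the demo.

```php
<?php
// Added example (not part of the homework sheet): topics keyed by a stable ID so
// that deleting one never renumbers the others. Paths and sample data are constructed.

const DATA_DIR = __DIR__ . '/forum_demo';

// topics.txt holds "id|title" lines; returns id => title.
function loadTopics(): array {
    $topics = [];
    $path = DATA_DIR . '/topics.txt';
    if (file_exists($path)) {
        foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $row) {
            [$id, $title] = explode('|', $row, 2) + [1 => ''];
            $topics[(int)$id] = $title;
        }
    }
    return $topics;
}

function saveTopics(array $topics): void {
    $rows = [];
    foreach ($topics as $id => $title) {
        $rows[] = $id . '|' . $title;
    }
    file_put_contents(DATA_DIR . '/topics.txt', implode("\n", $rows) . "\n", LOCK_EX);
}

// New ID = highest ID ever used + 1, so msgs_{$id}.txt stays bound to its topic.
function addTopic(string $title): int {
    $topics = loadTopics();
    $id = $topics ? max(array_keys($topics)) + 1 : 0;
    // Titles are one-liners and '|' is the separator: strip both from user input.
    $topics[$id] = str_replace(["\r", "\n", '|'], ' ', $title);
    saveTopics($topics);
    touch(DATA_DIR . "/msgs_$id.txt");
    return $id;
}

// DELTOPIC: remove the line and that topic's own message file, nothing else moves.
function deleteTopic(int $id): bool {
    $topics = loadTopics();
    if (!isset($topics[$id])) {
        return false;
    }
    unset($topics[$id]);
    saveTopics($topics);
    @unlink(DATA_DIR . "/msgs_$id.txt");
    return true;
}

@mkdir(DATA_DIR);
$a = addTopic('topicA'); $b = addTopic('topicB'); $c = addTopic('topicC');
deleteTopic($b);
print_r(loadTopics());   // topicC keeps its id, so LIST/{TOPIC} still opens msgs_{$c}.txt
```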
41
LET'S CODE!