Download presentation
Presentation is loading. Please wait.
Published byMelvin Hawkins Modified over 9 years ago
1
V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 1
2
V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 2
3
V 1.0 Storing passwords Probably the most sensitive data Storing passwords in a cleartext form is not allowed! Any website/program that is capable of sending forgotten passwords uses cleartext passwords! Aim: password authentication without storing the password itself Symmetric Encryption vs Assymetric Encryption not secure, the key have to be stored somewhere... Instead: one-way transformation. If we store f(pw) instead of pw, and pw cannot be guessed from f(pw), then it is safe The user enters his password (pw2), which is correct, if f(pw)==f(pw2) OE NIK 2013 3
4
V 1.0 Hashing functions Aim: search an f(x) function that is –Cannot be decrypted (one-way): it is not possible to find x from f(x) –Finite output (typically 128-512 bit) : we want to store f(x) in a database, it cannot be infinite, even if x can take any possible values –Theoretical aim: f(x)==f(y) x==y –Practical aim: the probability of a collision must be the smallest possible (collision in case of x!=y, the outputs f(x)==f(y) are the same (infinite possible inputs, finite output – still, we want few collisions) OE NIK 2013 4
5
V 1.0 Hashing functions Practical examples –MD5: 128bit, 1991-2004, theoretically insecure (since 1996), practically insecure (since 2004), very easy to crack (since 2005-2007, since 2009 only a few seconds are needed (time factor 2 20,96 ) –SHA1: 160bit, exists since 1995, used since ~2000. Theoretically insecure (since 2005, 2 51 ), despite this, it is a very common hashing function –SHA256/224, SHA512/384 (SHA2): since 2001, probably has the same mathematical weakness –SHA3: Completely new algorithm (Keccak), since 2012.10.02., arbitrary output length (MD6?) OE NIK 2013 5
6
V 1.0 Hashing functions in PHP Default output: hexadecimal byte sequence string hash ( string $algo, string $data [, bool $raw_output = false ] ) –Possibility to use multiple algorithms –Faster –Can't use salt string crypt ( string $str [, string $salt ] ) –The main algorithms are here (SHA1, SHA2) –Since 5.3 PHP can use its own implementation –salt-compatible OE NIK 2013 6
7
V 1.0 Hashing in PHP $password="almafa"; $salt=""; for($i=1; $i<=16; $i++) $salt.=chr(rand(ord('A'), ord('Z'))); $hash=crypt($password, '$5$rounds=5000$'.$salt.'$'); //$5$ = SHA256, $6$ = SHA512 $result1=crypt("kortefa", $hash); $result2=crypt("almafa", $hash); echo "Password: {$password} "; echo "Salt: {$salt} "; echo "Hash: {$hash} "; echo "Result1: {$result1} "; echo "Result2: {$result2} "; OE NIK 2013 7
8
V 1.0 Hashing in PHP Password: almafa Salt: KPABPDIJFTCVFABU Hash: $5$rounds=5000$KPABPDIJFTCVFABU$RWNvee2gQ0Vhi18 lmZjw/.J3h1k12o2c/.JmUK1lEhD Result1: $5$rounds=5000$KPABPDIJFTCVFABU$2BUvHZFXlo3AP7U LueqRWKXgRwjOsiSPNc316YXOSn7 Result2: $5$rounds=5000$KPABPDIJFTCVFABU$RWNvee2gQ0Vhi18 lmZjw/.J3h1k12o2c/.JmUK1lEhD OE NIK 2013 8
9
V 1.0 Hashing – this semester Storing passwords in cleartext form is FORBIDDEN Textual user database is enough user|hash pairs, it is enough to use the basic sha1() e.g. http://bit.ly/9vM3cA or simply echo sha1("password") After this, read the file using file($path, FILE_IGNORE_NEW_LINES) then explode("|", $row) OE NIK 2013 9
10
V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 10
11
V 1.0OE NIK 2013 11 STATELESS HTTP
12
V 1.0 COOKIES Data storage in the browser: key, value, validity time, validity domain Setting values: from Javascript or PHP code (in the latter case, it is sent in the HTTP response headers) Getting values: in every HTTP Request, the browser sends all valid cookies, these go into the $_COOKIE array NOT SECURE to store sensitive data, because anyone can see and mondify the data Typically: visitor tracking, feedback of javascript variables, advertisement data, „tracking cookie” OE NIK 2013 12
13
V 1.0 COOKIES OE NIK 2013 13
14
V 1.0 COOKIES setcookie(name, value, expire, path, domain); setcookie("user", "Alex Porter", time()+3600); echo $_COOKIE["user"]; print_r($_COOKIE); setcookie("user", "", time()-3600); http://www.w3schools.com/php/ php_cookies.asp ALTERNATIVE: HTML5 local storage 14 OE NIK 2013
15
V 1.0 SESSION variables Data storage on the server: key, value Initializing a session: session_start() Session identification: SID (Session ID), the browser sends it with every HTTP Request ($_COOKIE or $_GET) Accessing values: The browser sends the SID, the session_start() loads the data associated with the given SID into the $_SESSION array The client only stores the SID, the associated data are on the server more secure Session hijacking? OE NIK 2013 15
16
V 1.0 SESSION variables 16 OE NIK 2013
17
V 1.0 SESSIONS session_start(); if (isset($_SESSION['views'])) $_SESSION['views']=$_SESSION['views']+1; else $_SESSION['views']=1; echo "Views=". $_SESSION['views']; unset($_SESSION['views']); session_destroy(); setcookie(session_name(), '', time() – 86400); http://www.w3schools.com/php/php_sessions.asp 17 OE NIK 2013
18
V 1.0 SESSION HIJACKING $sesskey =$_SERVER['HTTP_USER_AGENT']; $sesskey.=$_SERVER['REMOTE_ADDR']; $sesskey.='HELLOBELLO'; $sesskey=sha1($sesskey); if(isset($_SESSION['sesskey'])) { if ($_SESSION['sesskey']!=$sesskey) { die("NOT ALLOWED"); } } else { $_SESSION['sesskey']=$sesskey; } 18 OE NIK 2013
19
V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 19
20
V 1.0OE NIK 2013 20 Login form Create a users.txt file with user|hash pairs (sha1, we'll create a php script, but we could use http://bit.ly/9vM3cA too (no line breaks!) ) Create the login.html form: username and password + submit button Create the index.php script: it displays the login form, if the user is not logged in, otherwise it displays the contents of a textfile diary.txt and a logout link at the bottom The logged-in users must be able to edit the textfile
21
V 1.0 $_GET['action'] LOGIN ANYTHING ELSE LOGIN FORM OR LOGOUT LINK DESTROY SESSION LOGOUT USER INPUT? YES NO ERROR (echo) Check USER/PASS (+ set $_SESSION) REDIRECT USER (header + exit) INDEX.PHP REDIRECT USER (header + exit) 21 OE NIK 2013
22
V 1.0 $_SESSION['user'] SET NOT SET LOGIN FORM LOGIN FORM OR LOGOUT LINK? TEXT + LOGOUT LINK 22 OE NIK 2013 We have to add extra actions for text editing...
23
V 1.0 OE NIK 2013 LET'S CODE! 23
24
V 1.0 OE NIK 2013 24
25
25 OE NIK 2013
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.