
1 Website Security ISYS 475

2 Authentication Authentication is the process that determines the identity of a user.

3 Forms Authentication Use a username and password to authenticate the user. Protected pages cannot be accessed unless the user has authenticated. Without authentication, the user is redirected to a login page. Once authenticated, the user is redirected back to the requested page.

4 Forms Authentication Flow
User requests a page -> Authenticated? -> Yes: show the requested page on the Website. -> No: redirect to the Login Page.
Login Page -> Authenticated? -> Yes: redirect back to the requested page. -> No: redirect back to the Login Page.

5 Using Browser’s Login Page
Start a session: session_start();
Use the header() function to send a WWW-Authenticate header together with a 401 Unauthorized status ("Authentication Required"), which makes the browser pop up its own login dialog.
Once the user has filled in a username and a password, the browser requests the page again with an Authorization header, and PHP exposes the two values in the $_SERVER superglobal as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
Compare the entered password with the password stored in the database and record the outcome as a boolean in $_SESSION: $_SESSION['is_logged_in'] = true;
Caveat: Basic authentication only Base64-encodes the credentials and the browser resends them with every request, so this scheme must only be used over HTTPS. The browser also keeps sending the credentials until it is closed, so the server cannot fully log the user out on its own; destroying the session only clears the $_SESSION flag.

6 Browser’s Login Form

7 MySQL Table: users
Fields:
– CID: CHAR(3)
– Username: VARCHAR(32)
– Password: VARCHAR(32)
A 32-character Password column holds a plaintext password, which is what the code on the following slides compares against. Storing plaintext is unsafe: anyone who can read the table has every password. When the column holds a password_hash() result instead (slide 15) it must be widened; the PHP manual recommends VARCHAR(255).

8 authenticateUser.php
```php
<?php
// authenticateUser.php: HTTP Basic authentication against the users table
session_start();

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials yet: ask the browser to show its login dialog
    header('WWW-Authenticate: Basic realm="My.Com"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}

$db = new PDO('mysql:host=localhost;dbname=salesdb', 'root', '');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$user = $_SERVER['PHP_AUTH_USER'];
$pwd  = $_SERVER['PHP_AUTH_PW'];

// Prepared statement: the browser-supplied values are bound as parameters and
// never become part of the SQL text, so they cannot alter the query (SQL injection).
// This still compares the plaintext password the users table stores (slide 7);
// slide 15 covers storing a hash and comparing with password_verify() instead.
$stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
$stmt->execute([$user, $pwd]);
$result = $stmt->fetchColumn();

if ($result == 1) {
    session_regenerate_id(true);      // new session id on login, so a pre-set id cannot be reused (session fixation)
    $_SESSION['is_logged_in'] = true;
} else {
    header('WWW-Authenticate: Basic realm="My.Com"');
    header('HTTP/1.0 401 Unauthorized');
    //echo 'Text to send if user hits Cancel button';
    exit;
}
?>
```

9 All protected pages require checking $_SESSION['is_logged_in']
```php
<?php
session_start();
// First test: is the session variable set at all?
if (!(isset($_SESSION['is_logged_in']))) {
    header("Location: authenticateUser.php");
    die();   // stop here; header() alone does not stop the script
}
// Second test: is it true?
if (!($_SESSION['is_logged_in'])) {
    header("Location: authenticateUser.php");
    die();
}
?>
Welcome to this "Other Page"!!!
```

10 Use a Login Page http://studge.com/create-a-site-authentication- login-with-php-and-mysql/

11 Login Page
Welcome to My.Com Login Page
Please enter user name and password
Username: [text field]
Password: [password field]

12 Home Page: index.php
```php
<?php
session_start();
// First test: is the session variable set at all?
if (!(isset($_SESSION['is_logged_in']))) {
    header("Location: login.php");
    die();
}
// Second test: is it true? (checkpassword.php sets it to FALSE on a bad password)
if (!($_SESSION['is_logged_in'])) {
    header("Location: login.php");
    die();
}
?>
Welcome to my.Com Home Page
```
First test: is the variable set, isset($_SESSION['is_logged_in'])? Second test: is the variable true, $_SESSION['is_logged_in']?

13 checkpassword.php to verify password
```php
<?php
// checkpassword.php: verifies the credentials posted from login.php
session_start();

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $dsn      = 'mysql:host=localhost;dbname=salesdb';
    $username = 'root';
    $password = '';
    $db = new PDO($dsn, $username, $password);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $user = $_POST['username'] ?? '';
    $pwd  = $_POST['password'] ?? '';

    // Prepared statement instead of string interpolation: a username such as
    // ' OR '1'='1 is bound as a value and can no longer change the query.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pwd]);
    $result = $stmt->fetchColumn();

    if ($result == 1) {
        session_regenerate_id(true);   // fresh session id on login (session fixation)
        $_SESSION['is_logged_in'] = TRUE;
    } else {
        $_SESSION['is_logged_in'] = FALSE;
    }
}

// empty() covers both "not set" and "FALSE" without an undefined-index notice.
// Nothing is echoed before header(): output sent first would prevent the redirect.
if (empty($_SESSION['is_logged_in'])) {
    header("Location: login.php");
} else {
    header("Location: index.php");
}
exit;
?>
```

14 Logout Page
```php
<?php
session_start();
$_SESSION = array();     // clear the session data held in memory
session_destroy();       // remove the server-side session
header("Location: login.php");
exit;
?>
```

15 Password Hashing http://php.net/manual/en/faq.passwords.php#faq.passwords.bestpractice
crypt function: crypt() returns a hashed string using the standard Unix DES-based algorithm or alternative algorithms available on the system. The DES-based form is obsolete (two-character salt, only the first eight characters of the password are used); only the stronger variants such as bcrypt and SHA-256/SHA-512 crypt should be used.
password_hash function: password_hash() uses a strong one-way hashing algorithm (bcrypt by default) with a random salt, and its output is compatible with crypt(). Therefore, password hashes created by crypt() can be checked with password_verify(), and the users table should store the hash instead of the plaintext password, in a column wide enough for it (the manual recommends VARCHAR(255)).
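An added example of what this slide describes, not the slides' own code: registering users with password_hash(), checking logins with password_verify() through prepared statements, and upgrading an older crypt() hash to bcrypt when its owner next logs in. It uses an in-memory SQLite database so it runs stand-alone (assumes the pdo_sqlite extension); the table mirrors the slides' users table except that the password column is widened to 255 characters. The user names, passwords and the crypt() salt are constructed sample data.

```php
<?php
// Added example, not from the slides: hashed passwords, password_verify() and
// rehashing of legacy crypt() hashes, over an in-memory SQLite users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (cid CHAR(3), username VARCHAR(32), password VARCHAR(255))');

// A valid hash of a throwaway value. It is verified against when the username does
// not exist, so a login attempt takes about the same time whether or not the user is real.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

// Registration: only the salted hash is written to the database, never the plaintext.
function register(PDO $db, string $cid, string $username, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);  // bcrypt with a random salt
    $stmt = $db->prepare('INSERT INTO users (cid, username, password) VALUES (?, ?, ?)');
    $stmt->execute([$cid, $username, $hash]);
}

// Login: fetch the stored hash by username (prepared statement), let password_verify()
// compare, and rehash if the stored format is no longer the current default.
function login(PDO $db, string $username, string $plain, string $dummyHash): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($plain, $dummyHash);   // unknown user: spend the same time, then fail
        return false;
    }
    if (!password_verify($plain, $hash)) {
        return false;
    }
    // A successful login is the only moment the plaintext is available for rehashing.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($plain, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

function storedHash(PDO $db, string $username): string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return (string) $stmt->fetchColumn();
}

function check(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . PHP_EOL;
}

// Constructed sample users.
register($db, '001', 'alice', 'correct horse battery staple');
// bob's hash was produced earlier with crypt() in SHA-512 mode (constructed salt),
// the case the slide describes: password_verify() accepts it because the two
// functions share the crypt() hash format.
$legacy = crypt('bobs old password', '$6$rounds=5000$constructedsalt$');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')->execute(['002', 'bob', $legacy]);

check('correct password accepted', login($db, 'alice', 'correct horse battery staple', $dummyHash));
check('wrong password rejected', !login($db, 'alice', 'wrong', $dummyHash));
check('unknown user rejected', !login($db, 'mallory', 'anything', $dummyHash));
// The string that would have broken the slides' interpolated query is just an
// unknown username once it is bound as a parameter.
check('injection attempt rejected', !login($db, "' OR '1'='1", 'x', $dummyHash));
check('stored value is not the plaintext', storedHash($db, 'alice') !== 'correct horse battery staple');
check('legacy crypt() hash still verifies', login($db, 'bob', 'bobs old password', $dummyHash));
check('legacy hash upgraded to bcrypt on login', strncmp(storedHash($db, 'bob'), '$2y$', 4) === 0);
```

Run with `php` from the command line; every line should print PASS. To apply this to the slides' checkpassword.php, replace its `COUNT(*) ... AND password = ?` query with the `login()` logic above and store hashes in a VARCHAR(255) Password column.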

16 Security Issues http://www.phpfreaks.com/tutorial/php- security
