Published by Gabriel Black. Modified over 9 years ago.
Website Security ISYS 475
Authentication

Authentication is the process that determines the identity of a user.
Forms Authentication

- Use a username and password to authenticate the user.
- Pages cannot be accessed unless the user has the proper authentication.
- Without authentication, the user is directed to a login page.
- If authenticated, the user is redirected back to the requested page.
Forms Authentication Flow

(Flow diagram) User requests a page -> Authenticated? -> No: redirect to Login Page -> Authenticated? -> Yes: redirect to Website; No: back to Login Page.
Using the Browser's Login Page

1. Start a session: session_start();
2. Use the header() function to send an "Authentication Required" message to the browser, causing it to pop up a login dialog.
3. Once the user has filled in a username and a password, the page is called again with the predefined variables PHP_AUTH_USER and PHP_AUTH_PW in the $_SERVER superglobal set to the entered username and password.
4. Compare the entered password with the password in the database and store the true/false result in a boolean variable in $_SESSION: $_SESSION['is_logged_in'] = true;
Browser’s Login Form
MySQL Table: users

Fields:
- CID: CHAR(3)
- Username: VARCHAR(32)
- Password: VARCHAR(32)
authenticateUser.php

<?php
session_start();
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials yet: ask the browser to show its login dialog
    header('WWW-Authenticate: Basic realm="My.Com"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
} else {
    $db = new PDO('mysql:host=localhost;dbname=salesdb', 'root', '');
    $user = $_SERVER['PHP_AUTH_USER'];
    $pwd = $_SERVER['PHP_AUTH_PW'];
    // Bind the credentials as parameters instead of interpolating them into the SQL string,
    // so the entered username/password are treated as data, not as part of the query
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pwd]);
    $result = $stmt->fetchColumn();
    if ($result == 1) {
        $_SESSION['is_logged_in'] = true;
    } else {
        // Wrong credentials: challenge the browser again
        header('WWW-Authenticate: Basic realm="My.Com"');
        header('HTTP/1.0 401 Unauthorized');
        //echo 'Text to send if user hits Cancel button';
        exit;
    }
}
?>
All protected pages must check $_SESSION['is_logged_in']:

<?php
session_start();
// First test: has the flag been set at all?
if (!(isset($_SESSION['is_logged_in']))) {
    header("Location:authenticateUser.php");
    die();
}
// Second test: is the flag true?
if (!($_SESSION['is_logged_in'])) {
    header("Location:authenticateUser.php");
    die();
}
?>
Welcome to this "Other Page"!!!
Use a Login Page

http://studge.com/create-a-site-authentication-login-with-php-and-mysql/
Login Page

(Screenshot of the login form) Welcome to My.Com Login Page. Please enter user name and password. Fields: Username, Password.
Home Page: index.php

<?php
session_start();
if (!(isset($_SESSION['is_logged_in']))) {
    header("Location:login.php");
    die();
}
if (!($_SESSION['is_logged_in'])) {
    header("Location:login.php");
    die();
}
?>
Welcome to my.Com Home Page

First test: is the variable set? isset($_SESSION['is_logged_in'])
Second test: is the variable true? ($_SESSION['is_logged_in'])
checkpassword.php to verify the password

<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $dsn = 'mysql:host=localhost;dbname=salesdb';
    $username = 'root';
    $password = '';
    $db = new PDO($dsn, $username, $password);
    $user = $_POST['username'];
    $pwd = $_POST['password'];
    // Prepared statement: the submitted values are bound as parameters,
    // never pasted into the SQL text
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pwd]);
    $result = $stmt->fetchColumn();
    if ($result == 1) {
        $_SESSION['is_logged_in'] = TRUE;
    } else {
        $_SESSION['is_logged_in'] = FALSE;
    }
}
// empty() also covers the case where the flag was never set (GET request)
if (empty($_SESSION['is_logged_in'])) {
    // Not authorized: send back to the login page (no output before header())
    header("location:login.php");
} else {
    header("location:index.php");
}
?>
Logout Page

<?php
session_start();
// Drop all session data, including is_logged_in, then return to the login page
session_destroy();
header("location:login.php");
?>
Password Hashing

http://php.net/manual/en/faq.passwords.php#faq.passwords.bestpractice

crypt function: crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system.

password_hash function: password_hash() uses a strong hashing algorithm and is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().
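The login flow from the earlier slides rewritten to use password_hash()/password_verify() instead of comparing a plaintext password column. This is an added example, not code from the slides; the function names connect, registerUser and loginUser are made up for it, and it assumes the slides' salesdb/users table with the password column widened (e.g. VARCHAR(255)), since password_hash() output does not fit in VARCHAR(32).

```php
<?php
// Added example (not from the slides): login against hashed passwords.
// Assumes the users table from the slides, with the password column widened to
// hold a password_hash() string (60+ characters), e.g. VARCHAR(255).
session_start();

function connect(): PDO {
    $db = new PDO('mysql:host=localhost;dbname=salesdb', 'root', '');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}

// Registration: store password_hash() of the password, never the password itself.
function registerUser(PDO $db, string $cid, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (CID, username, password) VALUES (?, ?, ?)');
    $stmt->execute([$cid, $username, $hash]);
}

// Login: fetch the stored hash for this username and let password_verify() compare.
// The prepared statement binds $username as data, so it cannot alter the query.
function loginUser(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false; // unknown user or wrong password: same answer for both
    }
    // Transparently upgrade old hashes when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    session_regenerate_id(true); // fresh session id after login (session fixation defence)
    $_SESSION['is_logged_in'] = true;
    $_SESSION['username'] = $username;
    return true;
}

// Same redirect behaviour as checkpassword.php on the slides
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = loginUser(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
    header('Location: ' . ($ok ? 'index.php' : 'login.php'));
    exit;
}
?>
```

The protected pages from the slides keep working unchanged, since they only test $_SESSION['is_logged_in'].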
Security Issues

http://www.phpfreaks.com/tutorial/php-security