Published by Griffin Franklin. Modified over 9 years ago.
Slide 1: Feedback #2 (under Assignments)
Lecture code: http://decal.aw-industries.com
Slide 2: Today's Agenda
Course feedback
Announcements
Building a login system
Wrap up
Slide 3: Announcements
Last day of class today.
Interest in presenting final projects?
Final project deadlines: 12/6 Photoshop layout; 12/13 entire, fully functional project.
Slide 4: Web Design: Basic to Advanced Techniques, Fall 2010, Mondays 7-9pm, 200 Sutardja-Dai Hall
Building a Login System
Slide 5: Login Systems
Slide 6: Functionality
Login
Verify credentials
Logout
Remember me
Register
Slide 7: Components (diagram)
Front end: form. Back end: PHP for authentication. Database.
Flow: the form sends login and password to the back end; the back end searches the database for the user with the given login; the database returns the encrypted password; once authenticated, the back end returns a session id to the browser.
Slide 8: Form
Browser view and code of the login form (screenshots not reproduced in the transcript).
Slide 9: Database
login     password
alex      iliketowork
jon       peaches
amber     peaches
michael   databasesarecool
Totally insecure! What if someone hacks your database? They can discover all passwords and can log in as anyone.
Slide 10: Database Improved
login     encrypted password
alex      djfxsfr2NIMmu2W0
jon       xGBfwjvdK3A4VgjY
amber     xGBfwjvdK3A4VgjY
michael   3FI1IiNJZ6QjAkdQ
Better, but... it leaks information. If someone hacks the database, they canNOT log in as anyone. Or can they? They can notice that Jon and Amber have the same password.
Slide 11: Database Best
login     encrypted password   salt
alex      djfxsfr2NIMmu2W0     B1USHXMZ3JgkOTDW
jon       xGBfwjvdK3A4VgjY     TCRJRrLR0MpdcgtX
amber     xKomGtFIOELCO3cc     UySPSuyJPQoIfgE5
michael   3FI1IiNJZ6QjAkdQ     zj1NfuTT7uJxpCaV
Secure! Assuming a random salt and cryptography done correctly.
Slide 12: Database Takeaways
Never store plaintext passwords!
Compare encrypted passwords instead.
Use a random salt to prevent information leaks.
Slide 13: Authentication (verify login credentials)
1. User submits login and password via the form.
2. PHP retrieves the posted information via $_POST['login'] and $_POST['password'].
3. PHP runs the database query: SELECT * from Users WHERE login = $_POST['login']
   HUGE security vulnerability: use prepared statements instead. http://php.net/manual/en/pdo.prepared-statements.php
4. Authenticate: Encrypt($_POST['password'], $row['salt']) == $row['encrypted_password']
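Steps 2-4 of the slide above, and the "Database Takeaways" rules, written out as an added example (not the lecture's own code) using a PDO prepared statement and PHP's built-in password_hash()/password_verify() (PHP 5.5+). It assumes a Users table with columns id, login and encrypted_password and an already-opened PDO connection $db; because password_hash() embeds its own random salt in the stored string, the separate salt column from the "Database Best" slide is not needed.

```php
<?php
// Added example, not the lecture's code. Assumes a Users(id, login,
// encrypted_password) table and an open PDO connection $db.
declare(strict_types=1);

// Registration: store a salted, slow hash, never the plaintext.
function register_user(PDO $db, string $login, string $password): void
{
    // password_hash() picks a random salt per user and embeds it in the
    // returned string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO Users (login, encrypted_password) VALUES (:login, :hash)'
    );
    $stmt->execute([':login' => $login, ':hash' => $hash]);
}

// Steps 2-4 of the "Authentication" slide. Returns the user id, or null.
function verify_credentials(PDO $db, string $login, string $password): ?int
{
    // The slide's query pastes $_POST['login'] straight into the SQL text:
    //   SELECT * from Users WHERE login = $_POST['login']
    // so a quote character in the submitted login changes the query itself.
    // With a prepared statement the value is sent separately from the SQL
    // and is never parsed as part of it.
    $stmt = $db->prepare(
        'SELECT id, encrypted_password FROM Users WHERE login = :login'
    );
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                   // no such login
    }
    // Recomputes the hash with the stored salt and compares in constant time.
    if (!password_verify($password, $row['encrypted_password'])) {
        return null;                                   // wrong password
    }
    return (int) $row['id'];
}

// Step 1: values arrive from the form; treat missing fields as empty strings.
$userId = verify_credentials($db, $_POST['login'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    http_response_code(401);
    exit('Invalid login or password');
}
```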
Slide 14: What if we visit a new page?
We would need to ask for credentials again. What a bother!
Why? Because HTTP is stateless.
How do we fix this? Sessions.
Slide 15: What should happen
After logging in initially, we want to stay logged in until we close the browser or log out. We also want the site to remember who we are.
Slide 16: Cookies to the Rescue?
We need some sort of state (memory) between page loads.
Could store it as cookies and send the cookies every time we load a page. The server could then check that we're logged in and know who we are logged in as.
Cookie contents:
User ID     599
Logged In   1
Issues? Totally insecure! You could log in as whoever you want.
Slide 17: Sessions (server-side state)
We need state, but we can't store sensitive data on the client side. Thankfully there is server-side state!
Could store:
User ID   599
But how do we identify which stored record belongs to a particular client? We need to store an identifier too:
Session ID   User ID
1            599
2            458
Slide 18: What's Inside Each?
Cookies:
Session ID   1
Sessions:
Session ID   User ID
1            599
2            458
Secure? Nope. We can change our cookie to hijack other sessions.
Slide 19: What Should Be Inside Each
Cookies:
Session Key   XGnCmUE2dV3sTnA6
Sessions:
Session Key        User ID
XGnCmUE2dV3sTnA6   599
KHmA2XiScwgPy70w   458
Secure? Yes, as long as our session key is random and sufficiently long (enough entropy).
Slide 20: Initial Interaction (diagram)
Front end: form. Back end: PHP for authentication. Database.
Flow: the form sends login and password; the back end searches for the user with the given login; the database returns the encrypted password; once authenticated, the back end returns a session key to the browser.
Slide 21: Subsequent Interaction (diagram)
The browser sends its session id cookie (Session Key XGnCmUE2dV3sTnA6) to the back end (PHP for authentication), which looks it up in the server-side Sessions table and returns the private web page.
Session Key        User ID
XGnCmUE2dV3sTnA6   599
KHmA2XiScwgPy70w   458
Slide 22: Session Hijacking
The session key is king. If someone is able to determine the value of your session key, they can send the same cookie to the server and have access to your full account. Example: Firesheep.
Slide 23: Making Session Hijacking Harder
Unique request headers
HTTPS
Also: session fixation attacks...
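Server-side sessions keyed by a random session key, covering the "What Should Be Inside Each", "Subsequent Interaction" and "Making Session Hijacking Harder" slides, as an added example that is not the lecture's code. It assumes a Sessions(session_key, user_id) table, an open PDO connection $db, and PHP 7.3+ for the options-array form of setcookie().

```php
<?php
// Added example, not the lecture's code. Assumes a Sessions(session_key,
// user_id) table and an open PDO connection $db.
declare(strict_types=1);

const SESSION_COOKIE = 'session_key';

// Called once, right after the login credentials have been verified.
function start_session(PDO $db, int $userId): string
{
    // 16 random bytes = 128 bits of entropy. The sequential Session ID
    // (1, 2, 3 ...) on the earlier slide is what made cookies hijackable.
    $key = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO Sessions (session_key, user_id) VALUES (:k, :u)');
    $stmt->execute([':k' => $key, ':u' => $userId]);
    // A fresh key is issued at login, so a key that was already sitting in
    // the browser before login (session fixation) never maps to a user.
    setcookie(SESSION_COOKIE, $key, [
        'secure'   => true,   // only sent over HTTPS (no plaintext sniffing)
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
    return $key;
}

// Called on every subsequent page load; returns the user id or null.
function current_user(PDO $db): ?int
{
    $key = $_COOKIE[SESSION_COOKIE] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $key)) {
        return null;          // missing or malformed cookie
    }
    $stmt = $db->prepare('SELECT user_id FROM Sessions WHERE session_key = :k');
    $stmt->execute([':k' => $key]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Logout: delete the server-side record and expire the cookie.
function end_session(PDO $db): void
{
    $key = $_COOKIE[SESSION_COOKIE] ?? '';
    $stmt = $db->prepare('DELETE FROM Sessions WHERE session_key = :k');
    $stmt->execute([':k' => $key]);
    setcookie(SESSION_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

A private page calls current_user($db) and redirects to the login form when it returns null; the key itself is never stored in a hidden field or URL, so the cookie is the only place it travels.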
Slide 24: Writing Your Own Authentication System
It is very hard: lots of things have to go right to make it secure, and one thing wrong can jeopardize the entire system's security.
Look for a reputable plugin.
Use established encryption techniques.
Slide 25: Web Design: Basic to Advanced Techniques, Fall 2010, Mondays 7-9pm, 200 Sutardja-Dai Hall
Semester Wrap Up
Slide 26: What We've Learned
HTML, CSS, jQuery (JavaScript), PHP, MySQL
Slide 27: What Now?
Forget PHP. Want to build Facebook in a month, by yourself? Learn Ruby on Rails! You still need all our knowledge of HTML, CSS, jQuery and MySQL. CS169. Great Rails resource: http://railscasts.com/
Slide 28: Keep in Touch...
Let me know what you're up to, what you're building, or if you need advice: Facebook group or email.
Slide 29: Additional Resources
General web design/development tutorials: http://www.smashingmagazine.com/
Photoshop tutorials: http://www.tutorial9.net/
Awesome web designs: http://cssremix.com/
Slide 30: Feedback #2 (under Assignments)
Lecture code: http://decal.aw-industries.com