1 Chapter 6: Authentications

2 Overview (Training Course, CS, NCTU)
- Getting Username and Password
- Verifying Username and Password
- Keeping The Verification Result

3 Getting Username and Password (1)
Two methods to get the username and password from the browser:
- HTTP Authentication with PHP, driven by HTTP headers.
- The HTML <form> tag.

HTTP Authentication with PHP. Headers sent to the browser:
  WWW-Authenticate: Basic realm="My Realm"
  HTTP/1.0 401 Unauthorized
The browser then shows its own login box and re-sends the credentials in an Authorization header on every following request to that realm.
Example:
  <?php
  header('WWW-Authenticate: Basic realm="PHP Training"');
  header('HTTP/1.0 401 Unauthorized');
  ?>

4 Getting Username and Password (2)
To read the user's input, use the super-globals $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. These are filled in only when PHP runs as an Apache module (or when the web server is configured to pass the Authorization header through to PHP).
Basic HTTP authentication example:
  <?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
      header('WWW-Authenticate: Basic realm="PHP Training"');
      header('HTTP/1.0 401 Unauthorized');
      echo 'Text to send if user hits Cancel button';
      exit;   // nothing below this line must be sent to an unauthenticated client
  } else {
      // Escape anything reflected into the page; the browser-supplied values are attacker-controlled.
      $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
      $pass = htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES, 'UTF-8');
      echo "Hello {$user}. ";
      echo "You entered {$pass} as your password. ";   // for the exercise only; never echo passwords in a real application
  }
  ?>
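The slide's script trusts PHP_AUTH_USER to exist and compares nothing. As an added example (not code from the course), here is a Basic-authentication handler that also parses the Authorization header itself, so it works on CGI/FastCGI setups where PHP_AUTH_USER is empty (this assumes the web server passes the header through as HTTP_AUTHORIZATION, e.g. with Apache's SetEnvIf or a RewriteRule), and that verifies the password against password_hash() output with constant-time behaviour. The user table, realm name and the user/password pairs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed user table for this example: username => password_hash() output.
// Real applications store these hashes (e.g. in the auth table of slide 10), never
// the plaintext passwords the course's $users array holds.
$users = [
    'mary' => password_hash('aa123', PASSWORD_DEFAULT),
    'john' => password_hash('uupx', PASSWORD_DEFAULT),
];

/**
 * Split an "Authorization: Basic <base64>" value into [username, password].
 * Returns null for anything malformed, so callers fall back to a 401.
 */
function parse_basic_authorization(string $header): ?array
{
    if (!preg_match('#^\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*$#i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);           // strict mode: reject junk characters
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // The password may itself contain ':'; only the first one separates the fields.
    return explode(':', $decoded, 2);
}

/** Verify a username/password pair without leaking which usernames exist via timing. */
function check_basic(array $users, string $user, string $pass): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unused', PASSWORD_DEFAULT);   // same cost as a real verification
    }
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

/**
 * Demand Basic credentials and return the authenticated username. Uses
 * PHP_AUTH_USER when PHP runs as an Apache module and otherwise parses
 * HTTP_AUTHORIZATION (assumed to be passed through by the web server config).
 */
function require_basic_auth(array $users, string $realm): string
{
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $creds = [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? ''];
    } else {
        $creds = parse_basic_authorization($_SERVER['HTTP_AUTHORIZATION'] ?? '');
    }
    if ($creds === null || !check_basic($users, $creds[0], $creds[1])) {
        header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication required';
        exit;   // header() alone does not stop the script; the protected content must not follow
    }
    return $creds[0];
}

$who = require_basic_auth($users, 'PHP Training');
echo 'Hello ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8') . "\n";
```

Two points worth noting: the dummy hash keeps the response time the same for unknown and known usernames, which stops an attacker from enumerating accounts by timing, and the `exit` after the 401 is not optional, since header() only queues a response header and the rest of the script would otherwise still run and send the protected output. Basic credentials are Base64, not encrypted, so this must only be served over TLS.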

5 Getting Username and Password (3)
Digest HTTP Authentication
- With HTTP Basic Authentication the username/password pair is effectively transmitted in the clear: Base64 is an encoding, not encryption, so Basic should only be used over TLS.
- With Digest authentication the password itself is never sent across the network. The browser sends an MD5 digest computed from the username, realm, password, a server-supplied nonce and the request method/URI. A captured digest cannot simply be replayed against a fresh nonce, but it can still be attacked offline by guessing the password, and nothing is encrypted, so TLS is still advisable.
- This mechanism is an alternative authentication method and is not described in more detail here.
- If you are interested in it, refer to the example in the PHP manual.
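The slide defers Digest authentication to the PHP manual. As an added example (not the course's code), here is the server side of the exchange: send the challenge with a nonce, parse the Authorization: Digest header the browser returns, recompute the expected response and compare it. Assumptions made for illustration: algorithm MD5 with qop=auth only (no auth-int or MD5-sess), the nonce is remembered in the PHP session, the user store holds HA1 = MD5(username:realm:password) rather than the password, and PHP runs where $_SERVER['PHP_AUTH_DIGEST'] is populated (Apache module). The realm and the user entry are made up.

```php
<?php
declare(strict_types=1);

const REALM = 'PHP Training';

// Assumed user store. Digest needs HA1 = MD5(username:realm:password), so storing HA1
// lets the server verify without ever holding the plaintext password.
$ha1_table = [
    'mary' => md5('mary:' . REALM . ':aa123'),
];

/** Parse the fields of an "Authorization: Digest ..." value; null if a required field is missing. */
function http_digest_parse(string $txt): ?array
{
    $data = [];
    // key="quoted value" or key=bare-value, separated by commas
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $txt, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $data[$m[1]] = (isset($m[3]) && $m[3] !== '') ? $m[3] : $m[2];
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'] as $field) {
        if (!isset($data[$field])) {
            return null;
        }
    }
    return $data;
}

/**
 * Recompute the expected Digest response (RFC 2617, algorithm=MD5, qop=auth) and compare it.
 * The nonce must be the one this server issued, and the uri must be the one actually requested.
 */
function verify_digest(array $d, string $method, string $request_uri, array $ha1_table, string $issued_nonce): bool
{
    if (!isset($ha1_table[$d['username']]) || $d['realm'] !== REALM || $d['qop'] !== 'auth') {
        return false;
    }
    if (!hash_equals($issued_nonce, $d['nonce']) || $d['uri'] !== $request_uri) {
        return false;
    }
    $ha1 = $ha1_table[$d['username']];
    $ha2 = md5($method . ':' . $d['uri']);
    $expected = md5(implode(':', [$ha1, $d['nonce'], $d['nc'], $d['cnonce'], $d['qop'], $ha2]));
    return hash_equals($expected, $d['response']);   // constant-time comparison
}

/** Send the 401 challenge with a fresh, server-remembered nonce and stop. */
function send_digest_challenge(): void
{
    $_SESSION['digest_nonce'] = bin2hex(random_bytes(16));
    header('HTTP/1.0 401 Unauthorized');
    header(sprintf('WWW-Authenticate: Digest realm="%s",qop="auth",nonce="%s",opaque="%s"',
        REALM, $_SESSION['digest_nonce'], md5(REALM)));
    echo 'Authentication required';
    exit;
}

session_start();   // the session only remembers which nonce this client was given
$digest = $_SERVER['PHP_AUTH_DIGEST'] ?? '';
$parts  = ($digest === '') ? null : http_digest_parse($digest);
if ($parts === null || !verify_digest($parts, $_SERVER['REQUEST_METHOD'] ?? 'GET',
        $_SERVER['REQUEST_URI'] ?? '', $ha1_table, $_SESSION['digest_nonce'] ?? '')) {
    send_digest_challenge();
}
echo 'Hello ' . htmlspecialchars($parts['username'], ENT_QUOTES, 'UTF-8') . "\n";
```

Checking the nonce against one the server actually issued is what stops replay of a captured header; a production implementation would additionally track the nc counter per nonce and expire nonces. Note that an attacker who captures the digest still holds material for an offline guessing attack on the password, which is why the slide's "never sent in the clear" is not a substitute for TLS.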

6 Getting Username and Password (4)
Using the HTML <form> tag with the POST method to get the user's input.
- Note: GET is not recommended because the credentials would appear in the URL (and therefore in browser history, server and proxy logs and Referer headers).
Example (the HTML form is not preserved in this transcript; it has text fields labelled "Username:" and "Password:", named user and pass, and posts to the PHP script below):
  <?php
  // Escape the echoed values: reflecting raw POST data into the page is a cross-site scripting hole.
  $user = htmlspecialchars($_POST['user'] ?? '', ENT_QUOTES, 'UTF-8');
  $pass = htmlspecialchars($_POST['pass'] ?? '', ENT_QUOTES, 'UTF-8');
  echo "Hello {$user}. ";
  echo "You entered {$pass} as your password. ";   // for the exercise only; never echo passwords in a real application
  ?>

7 Getting Username and Password (5)
Practicing
- Create an HTML page to input a username, a password and any other data you want to know, for example name, birthday, mail address, or a simple math question.
- Create a PHP page that receives the authentication information from the HTML page above with the POST method. If it cannot receive authentication data via POST, it must produce the authentication input box (HTTP authentication) itself.
- When it has received the username, password and the other user input, show them in the browser.
http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1a.html
http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1a.txt
http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1b.php
http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1b.txt

8 Verifying Username and Password (1)
Verification
- After getting the username and password from the user, the next problem is how to check that they are correct.
- How to store passwords securely (hashing) is not covered here; the examples below keep and compare plaintext passwords, which is acceptable only for the exercise.
- The aim here is only to protect the service from unauthenticated connections.
Approaches
- Record the username/password pairs in:
  - PHP arrays
  - Databases
- Make use of existing services:
  - FTP
  - POP3/IMAP, etc.

9 Verifying Username and Password (2)
Verification using a PHP array: record the "username => password" pairs in an array.
Example:
  <?php
  $users = array(
      'Mary'  => 'aa123',
      'John'  => 'uupx',
      'Jerry' => 'password');

  function auth() {
      header('WWW-Authenticate: Basic realm="PHP Training"');
      header('HTTP/1.0 401 Unauthorized');
      echo 'Text to send if user hits Cancel button';
      exit;   // stop here; without exit the protected output below would still be sent
  }

  function check_auth($usr, $pwd) {
      global $users;
      // isset() avoids an undefined-index notice for unknown users. hash_equals() compares
      // byte for byte in constant time; PHP's loose == must not be used on user input
      // (for example '0e123' == '0e456' is true, because both look like numeric zero).
      return isset($users[$usr]) && hash_equals($users[$usr], (string) $pwd);
  }

  $un = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
  $up = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
  if ($un === null || !check_auth($un, $up)) {
      auth();
  } else {
      echo 'Hello ' . htmlspecialchars($un, ENT_QUOTES, 'UTF-8') . '. ';
      echo 'You entered ' . htmlspecialchars($up, ENT_QUOTES, 'UTF-8') . ' as your password. ';
  }
  ?>

10 Verifying Username and Password (3)
Verification using a database: record the "username => password" pairs in a database table.
Example (replace the check_auth function of the previous example). The original slide used the mysql_* functions, which were removed in PHP 7, and built the SQL by interpolating $usr and $pwd into the query string, which is an SQL injection hole: a quote character in the submitted username or password changes the query logic. The version below uses mysqli with a prepared statement, so the values are bound as parameters and never become part of the SQL text:
  <?php
  $link = mysqli_connect("localhost", "ystseng", "xxxxxx", "ystseng_tphp")
      or die("Database connection failed: " . mysqli_connect_error());

  function check_auth($usr, $pwd) {
      global $link;
      // Placeholders instead of string interpolation; the driver sends the values separately.
      $sql = "SELECT ID FROM auth WHERE username = ? AND password = ?";
      if (!($stmt = mysqli_prepare($link, $sql))) return false;
      mysqli_stmt_bind_param($stmt, "ss", $usr, $pwd);
      if (!mysqli_stmt_execute($stmt)) return false;
      mysqli_stmt_store_result($stmt);          // needed before mysqli_stmt_num_rows()
      $ok = (mysqli_stmt_num_rows($stmt) == 1);
      mysqli_stmt_close($stmt);
      return $ok;
  }
  ?>
The table still stores plaintext passwords, as the course does throughout; in a real application the password column would hold a password_hash() value and the check would fetch the hash by username and call password_verify().

11 Verifying Username and Password (4)
Verification using an existing FTP service: try to log in to an existing FTP site; if the FTP site accepts the username and password, we accept them too.
Example (replace the check_auth function of the previous example):
  function check_auth($usr, $pwd) {
      $ftp_server = "tphp.cs.nctu.edu.tw";
      $conn_id = ftp_connect($ftp_server);
      if (!$conn_id) return FALSE;          // connection failed; ftp_login() must not be called on false
      // login with username and password; @ silences the warning that a rejected login emits
      $login_result = @ftp_login($conn_id, $usr, $pwd);
      ftp_close($conn_id);
      return (bool) $login_result;
  }
Caveats: plain FTP sends the user's password in the clear between the web server and the FTP server (use ftp_ssl_connect() where the FTP server supports FTPS), every user's plaintext password passes through the web application, and the web login is unavailable whenever the FTP server is.

12 Verifying Username and Password (5)
Verification using an existing e-mail service: try to log in to an existing mail server and check whether the username and password are accepted by it (protocol: POP3 or IMAP).
Example (replace the check_auth function of the previous example):
  function check_auth($usr, $pwd) {
      // OP_HALFOPEN: authenticate only, do not open a mailbox. The @ hides the imap warnings on failure.
      $ret = @imap_open("{msa.hinet.net:143}", $usr, $pwd, OP_HALFOPEN);
      $auth = ($ret !== false);
      if ($ret) imap_close($ret);
      return $auth;
  }
Caveat: port 143 without the /ssl or /tls mailbox flag sends the password in the clear; prefer "{msa.hinet.net:993/imap/ssl}" or "{msa.hinet.net:143/imap/tls}" so that the connection is encrypted and the server certificate is checked.

13 Verifying Username and Password (6)
Practicing
- Create an HTML page to input a username, a password and any other data you want to know, for example name, birthday, mail address, or a simple math question.
- Create a PHP page that receives the authentication information from the HTML page above with the POST method. If it cannot receive authentication data via POST, it must produce the authentication input box (HTTP authentication) itself.
- When the authentication information is correct, show a "hello" message and a visit counter. The counter can be stored in a cookie (remember to set the expiry time).
Hints:
- You can use an array variable in your PHP code, or a database, to store the usernames and passwords that are compared with the user's input.
http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1a.html
http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1a.txt
http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1b.php
http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1b.txt

14 Keeping The Verification Result (1)
After authentication we have to remember, across pages, that the user has logged in (the slide phrases this as keeping the username and password the user typed).
- With HTTP Authentication the browser re-sends the user/password in the Authorization header with every request until it is closed, so nothing has to be stored.
- With an HTML <form> we have to keep the state ourselves.
Methods
- Passing the values along (e.g. as hidden form fields) while jumping between pages:
  - Not suitable: easily lost, and the username/password appear in the HTML.
- Cookies and sessions, introduced in Chapter 4. Differences:
  - A cookie is stored on the client side, a session on the server side (the client holds only the session ID cookie).
  - A session ends when the browser is closed; a cookie can be kept for a longer time.
  - Anything put in a cookie can be read and replayed by whoever holds it, so a cookie should carry a random identifier, not the password or a hash of it.

15 Keeping The Verification Result (2)
Examples
- We design a function that checks whether the user has logged in successfully.
- If not, it redirects the browser to the login page.
- The login procedure checks the username and password.
- On successful login it redirects back to the original page.
http://tphp.cs.nctu.edu.tw/tphp/ex6-3_login.php
http://tphp.cs.nctu.edu.tw/tphp/ex6-3_1.php
http://tphp.cs.nctu.edu.tw/tphp/ex6-3_2.php
http://tphp.cs.nctu.edu.tw/tphp/ex6-3_3.php
http://tphp.cs.nctu.edu.tw/tphp/ex6-3_logout.php

16 Keeping The Verification Result (3)
ex6-3_inc.php: library functions, included by all PHP pages.
  <?php
  $users = array("peter" => "1234", "mary" => "abcd");

  function check_auth() {
      global $users;
      $user = isset($_COOKIE['USER']) ? $_COOKIE['USER'] : null;
      $pass = isset($_COOKIE['PASS']) ? $_COOKIE['PASS'] : null;
      // Missing cookie, unknown user or digest mismatch: send the browser to the login page.
      // exit is required: header() only adds a response header, the rest of the page would
      // still be sent to a client that ignores the redirect.
      if ($user === null || $pass === null || !isset($users[$user])
          || !hash_equals(md5($users[$user]), $pass)) {
          // SCRIPT_NAME instead of PHP_SELF: PHP_SELF can contain attacker-supplied path info.
          header("Location: ex6-3_login.php?URL=" . urlencode($_SERVER['SCRIPT_NAME']));
          exit;
      }
  }
  ?>
Caveat: the PASS cookie holds md5(password), which is a password-equivalent token: anyone who obtains the cookie (it is set without the Secure or HttpOnly flags) can replay it for as long as the password stays the same, and an unsalted MD5 of a short password is trivially reversed. A server-side session that stores only the username is the safer way to keep the verification result.

17 Keeping The Verification Result (4)
ex6-3_login.php: the login page. Its HTML form is not preserved in this transcript; from ex6-3_auth.php it must POST the fields USER, PASS and URL (the page to return to) to ex6-3_auth.php:
  … "> Username: Password: …

18 Keeping The Verification Result (5)
ex6-3_auth.php: the login procedure page.
  <?php
  require_once("ex6-3_inc.php");
  $user = isset($_POST['USER']) ? $_POST['USER'] : '';
  $pass = isset($_POST['PASS']) ? $_POST['PASS'] : '';
  if (isset($users[$user]) && hash_equals($users[$user], $pass)) {
      // httponly=true keeps the cookies away from script; add secure=true once the site runs over HTTPS
      setcookie("USER", $user,      time() + 3600, "/", "", false, true);
      setcookie("PASS", md5($pass), time() + 3600, "/", "", false, true);
      // Only a local absolute path is accepted as return target; anything else (another
      // host, a protocol-relative //host URL) would make this an open redirect.
      if (!empty($_POST['URL']) && preg_match('#^/(?![/\\\\])[^\r\n]*$#', $_POST['URL'])) {
          /* redirect to original page */
          header("Location: http://$_SERVER[SERVER_NAME]$_POST[URL]");
      } else {
          header("Location: ex6-3_1.php");
      }
      exit;
  } else {
      echo "Wrong username or password";
  }
  ?>

19 Keeping The Verification Result (6)
ex6-3_1.php: data page.
  <?php
  require_once("ex6-3_inc.php");
  check_auth();
  echo "Hello, $_COOKIE[USER], this file is ex6-3_1.php";
  ?>
ex6-3_2.php: data page.
  <?php
  require_once("ex6-3_inc.php");
  check_auth();
  echo "hay!, $_COOKIE[USER], this file is ex6-3_2.php";
  ?>
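The ex6-3 pages keep md5(password) in a client cookie as the proof of login. As an added example (not the course's code), the same library rewritten so that the verification result lives in a server-side PHP session: the browser receives only a random session ID, passwords are stored as password_hash() output, the session ID is regenerated after login, and the return URL is validated before redirecting. Assumptions: PHP 7.3 or later (array form of session_set_cookie_params), the site served over HTTPS (the Secure flag), and the same page layout as the slides (the login form posts USER, PASS and URL; the file and function names mirror the slides but this file is hypothetical, not the course's ex6-3_inc.php).

```php
<?php
declare(strict_types=1);

// Assumed replacement for ex6-3_inc.php. Passwords are password_hash() output; the
// cookie never carries a password or its MD5, only a random session ID.
$users = [
    'peter' => password_hash('1234', PASSWORD_DEFAULT),
    'mary'  => password_hash('abcd', PASSWORD_DEFAULT),
];

/** Start the session with cookie flags suited to a login state. */
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only (assumes the site is served over TLS)
        'httponly' => true,     // not readable by script, so XSS cannot steal it
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Accept only a same-site absolute path as the post-login target; anything else is an open redirect. */
function safe_return_path(?string $url, string $default = 'ex6-3_1.php'): string
{
    if ($url !== null && preg_match('#^/(?![/\\\\])[^\r\n]*$#', $url)) {
        return $url;
    }
    return $default;
}

/** Login procedure for ex6-3_auth.php: true on success, false otherwise. */
function login(array $users, string $user, string $pass): bool
{
    start_secure_session();
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // a new ID after authentication defeats session fixation
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

/** Replacement for check_auth(): returns the user name or redirects to the login page. */
function check_auth(): string
{
    start_secure_session();
    if (empty($_SESSION['user'])) {
        header('Location: ex6-3_login.php?URL=' . urlencode($_SERVER['SCRIPT_NAME'] ?? '/'));
        exit;   // mandatory: header() does not stop the script
    }
    return $_SESSION['user'];
}

/** Logout for ex6-3_logout.php: drop the server-side state and expire the cookie. */
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Usage from the pages: ex6-3_auth.php calls login($users, $_POST['USER'], $_POST['PASS']) and, on success, header('Location: ' . safe_return_path($_POST['URL'] ?? null)) followed by exit; each data page calls $who = check_auth() and echoes htmlspecialchars($who); ex6-3_logout.php calls logout(). Compared with the cookie version, a stolen session cookie is only useful until logout or browser close, reveals nothing about the password, and can be invalidated server-side, while the course's PASS cookie stays valid until the password changes.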

20 Training Course, CS, NCTU 20 Q&A