Published by Laurence Matthews. Modified over 9 years ago.
Slide 1: Controlling Web Site Access Using Logins (CS 320)
Slide 2: Basic Approach
- HTML form: a PHP page that collects the username and password
- Sends them to a second PHP page that validates the login
- That PHP page queries the database for the username and password
- If found, it stores their userid (customerid, or whatever primary key identifies them) in a session variable and displays the next page
- If not found, it returns them to the initial login page with an appropriate message (Username or password incorrect)
- Example: http://leela/CS320/Students/stevende/PHPLogin/candy_login.php
Slide 3: Basic Concepts
- Session variables
- Working with session variables
- Command to forward the user to a different page
- PHP include command
- Preventing a user from directly accessing a page that requires a login
- What is a SQL injection attack?
Slide 4: Session Variables
- When you request a Web page, the Web server creates a session object corresponding to your browser session
- This information is stored in the Web server's main memory
- Each time you connect to a Web site, you create a new session
- If you connect to the same Web site on the same client computer using 2 different browsers, each browser makes a separate session
Slide 5: Session Variables
- Sessions have attributes that you can retrieve and display using program commands
- A program running on the Web server can create session variables that store data values associated with a specific browser session
- Values are stored in Web server RAM and associated with the session object
Slide 6: Session Timeout Intervals
- By default, server/browser sessions "time out" (close) after a specific period of inactivity:
  - Microsoft IIS: 20 minutes
  - Tomcat: 30 minutes
- You can change these values to longer/shorter ones
- At that point, the session closes and the session object is destroyed
- All session variable data is lost!
Slide 7: Login Approach Using a Session Variable
- Run a database query to determine if the username/password is valid
- If it is, create a session variable
- The variable is then checked (to see if it exists) by other pages requiring login
- All of these pages redirect to the login page if this variable isn't found
Slide 8: Using session variables in PHP
- Before storing or retrieving session variables, start a new session or resume the existing session with the session_start() call that appears at the top of every code slide below; it must come before any HTML or text is sent
- This registers the user's session with the server
- It assigns a UID (unique identification number) for the user's session if this is the first page requested by this browser from the server
Slide 9: PHP Session Variable Commands
- To create a session variable:
- To create a session variable and assign an initial value:
- To read a session variable and assign its value to a PHP program variable:
Slide 10: PHP Session Variable Commands
- To unset a session variable:
- To test for existence (assumes the session variable value has already been assigned to a variable named $currUserID):

<?php
if (is_null($currUserID) == true) {
  //wasn't found, do something …
}
?>
Slide 11: PHP command redirecting to a different page

header("Location:Login.php");

What does this command really do?
- From the Web server's PHP page to the browser: sends a response asking the user's browser to in turn send back a request for the specified page
- From the browser to the Web server: the browser receives the response from the server and sends back to the Web server a request for the specified page
- And from the Web server to the browser: sends back the newly requested page
- Must be placed before any HTML is sent to the browser!
Slide 12: Login page sequence (Candy_Login.php submits to processCandyLogin.php)
1. Receive user and password values as parameters
2. Run a query to retrieve CUST_ID based on the username and password values
3. If it succeeds:
   i. Create session variable = CUST_ID value
   ii. Go to the next page in the application
   If it fails:
   i. Go back to CandyLogin.php and display an error message
Slide 13: Candy_Login.php Code

<?php
session_start();
//remake the session variable in case it already exists
unset($_SESSION["cust_id"]);
?>
Candy Login
<?php
error_reporting(NULL);
$msg = $_REQUEST["msg"];
if($msg == "invalidLogin") {
?>
Invalid Login - Please try again
Slide 14: processCandyLogin.php Code

<?php
session_start();
// Add code to retrieve username and password from the previous page
// and store them in PHP variables
$cust_username = $_REQUEST["cust_username"];
$cust_password = $_REQUEST["cust_password"];
//Add code to include the file that contains the connection commands
include("Includes/connectMySQL.php");
//Add code to create and execute the database query
// Note: the query is built by concatenating raw user input; slide 21 shows
// how that concatenation is what a SQL injection attack exploits
$query = "SELECT cust_id FROM candy_customer " .
         "WHERE cust_username = '" . $cust_username . "'" .
         " AND cust_password = '" . $cust_password . "'";
$result = mysql_query($query) or die(mysql_error());
//determine number of rows retrieved
$num_rows = mysql_num_rows($result);
mysql_close();
Slide 15: processCandyLogin.php Code

//continued from previous slide
//add code to validate login
if($num_rows > 0) {
  $row = mysql_fetch_array($result);
  $_SESSION["cust_id"] = $row["cust_id"];
  header("Location:Menu.php");
} else {
  header("Location:candy_login.php?msg=invalidLogin");
}
?>
Slide 16: Candy_Login.php Code revisited
(Repeats the Candy_Login.php code from slide 13: session_start(), unset of the old cust_id session variable, and display of the "Invalid Login" message when msg=invalidLogin is passed back.)
Slide 17: Preventing a user from directly accessing a page that requires a login
- Test for the existence of the session variable
- Put this code at the top of pages that shouldn't be accessed unless the user has logged in successfully:

<?php
session_start();
//attempt to retrieve the session variable value
$userid = $_SESSION["cust_id"];
if(is_null($userid) == true) {
  // they haven't logged in - send them back to the login page
  header("Location:candy_login.php");
  die();
}
?>
Candy Login …
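A reusable version of the login gate above, combined with the inactivity timeout idea from slide 6, as an added example that is not part of the original slides. The file name Includes/requireLogin.php, the 20-minute limit and the msg=sessionExpired value are assumptions; it also assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and a site served over HTTPS.

```php
<?php
// Includes/requireLogin.php (hypothetical name): added example, not from the slides.
// Put require_once 'Includes/requireLogin.php'; at the very top of every protected page,
// before any HTML output, because header() only works if nothing has been sent yet.

// Inactivity limit in seconds (constructed value, mirrors the 20-minute IIS default on slide 6).
const LOGIN_IDLE_SECONDS = 20 * 60;

// Mark the session cookie HttpOnly so browser scripts cannot read the session id, and
// only send it over HTTPS (assumes the site uses HTTPS). Must run before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// isset() is the idiomatic existence test: false both when the key was never set and when
// it is null, and it does not raise an "undefined index" notice like reading the key directly.
if (!isset($_SESSION['cust_id'])) {
    header('Location: candy_login.php');
    exit;   // header() does not stop the script; without exit the protected HTML is still sent
}

// Application-level idle timeout, independent of the server's own session expiry.
$now = time();
if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > LOGIN_IDLE_SECONDS) {
    $_SESSION = [];          // drop all session variables
    session_destroy();       // destroy the server-side session object
    header('Location: candy_login.php?msg=sessionExpired');
    exit;
}
$_SESSION['last_activity'] = $now;

// Protected pages can now rely on this being the logged-in customer's primary key.
$cust_id = (int) $_SESSION['cust_id'];
```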
Slide 18: Moving database connection code to a separate file using an include
- The PHP include command allows inserting the contents of a file within the current file:

<?php
session_start();
// Add code to retrieve username and password from the previous page
// and store them in PHP variables
$cust_username = $_REQUEST["cust_username"];
$cust_password = $_REQUEST["cust_password"];
//Add code to include the file that contains the connection commands
include("Includes/connectMySQL.php");
Slide 19: Moving login verification to separate file
Contents of the included file Includes/connectMySQL.php:

<?php
// add code connecting to the MySQL database
mysql_connect("dario.cs.uwec.edu", "STEVENDE", "******")
  or die("Could not connect to MySQL. The reported SQL error is: " . mysql_error());
mysql_select_db("STEVENDE")
  or die("Could not connect to the database. The reported SQL error is: " . mysql_error());
?>
Slide 20: What is a SQL Injection Attack?
- A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands
- Possible when a query is concatenated together from user inputs and the application merely tests whether any rows are retrieved
Slide 21: Performing the Attack
- Enter a stolen username
- Enter the password as: Foo' OR '1=1
- Search condition sent to the DB (always evaluates as true):
  SELECT * FROM users WHERE username = 'STEVENDE' AND Password = 'Foo' OR '1=1'
- All user rows are returned to the application
- If the application checks only for 0 vs. more than 0 rows, the attacker is in!
Slide 22: Database Dark Humor:
Slide 23: Bottom Line: TEST for SQL injection attacks!
- If your system allows them: research how to prevent them based on your PHP version
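A hardened rewrite of processCandyLogin.php from slides 14 and 15, as an added example that is not the slides' code. It binds the username as a query parameter (so the Foo' OR '1=1 input from slide 21 is compared literally and matches nothing) and checks the password against a stored hash in PHP instead of sending it to SQL. It assumes a constructed cust_password_hash column in candy_customer that holds password_hash() output, placeholder connection values, and that the form posts its fields.

```php
<?php
// Hardened processCandyLogin.php: added example, not the slides' code.
// Assumes the candy_customer table from the slides plus a constructed column
// cust_password_hash that stores password_hash($plain, PASSWORD_DEFAULT) output
// instead of the plain-text cust_password column used on slide 14.
session_start();

// $_POST rather than $_REQUEST so credentials cannot arrive in a URL (and server logs).
$cust_username = $_POST['cust_username'] ?? '';
$cust_password = $_POST['cust_password'] ?? '';

// Placeholder credentials: the real values belong in Includes/connectMySQL.php as on slide 19.
$pdo = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]
);

// The username is bound as a parameter, never concatenated into the SQL text: an input
// such as Foo' OR '1=1 is matched as a literal username and cannot change the WHERE clause.
$stmt = $pdo->prepare(
    'SELECT cust_id, cust_password_hash FROM candy_customer WHERE cust_username = :u'
);
$stmt->execute([':u' => $cust_username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The password never reaches SQL at all; it is verified against the stored hash here,
// so a matching row no longer means "logged in" by itself as it did on slide 15.
if ($row !== false && password_verify($cust_password, $row['cust_password_hash'])) {
    session_regenerate_id(true);             // fresh session id on login (session fixation defence)
    $_SESSION['cust_id'] = (int) $row['cust_id'];
    header('Location: Menu.php');
    exit;                                    // header() alone does not stop the script
}

// Same generic message for unknown user and wrong password, as on slide 13.
header('Location: candy_login.php?msg=invalidLogin');
exit;
```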