
Feedback #2 (under assignments) Lecture Code: PowerPoint PPT Presentation




Presentation Transcript


Feedback #2 (under assignments) Lecture Code:

http://decal.aw-industries.com


Today’s Agenda

  • Course Feedback

  • Announcements

  • Building a Login System

  • Wrap Up


Announcements

  • Last Day of Class Today

  • Interest in Presenting Final Projects?

  • FP Deadlines

    • 12/6 Photoshop Layout

    • 12/13 Entire, Fully-Functional Project


Web Design:

Fall 2010

Mondays 7-9pm

200 Sutardja-Dai Hall

Basic to Advanced Techniques

Building a Login System


Login Systems


Functionality

  • Login

  • Verify Credentials

  • Logout

  • Remember Me

  • Register


Components

  • Front End

    • Form

  • Back End

    • PHP for Authentication

    • Database

[Diagram: the form in the browser sends login, password to the PHP code; PHP searches the database for the user with the given login; the database returns that user's encrypted password; PHP replies authenticated and issues a session id.]


Database

Totally insecure!

What if someone hacks your database?

Can discover all passwords.

Can log in as anyone.


Database Improved

Better, but…

Leaks information.

If someone hacks database:

Can notice Jon and Amber have same password.

CanNOT log in as anyone.

Or can they?


Database Best

Secure!

Assuming random salt and cryptography done correctly.


Database Takeaways

  • Never store plain-text passwords!

    • Compare encrypted passwords instead.

  • Use a random salt to prevent information leaks.
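The three storage schemes from the Database slides, as an added PHP example (not the lecture's code) run over a constructed two-user table; the function and column names are assumptions, and the salted SHA-256 scheme mirrors the slide's Encrypt(password, salt) idea:

```php
<?php
// Added example, not from the lecture: the three storage schemes from the
// "Database" slides applied to a constructed two-user table. Function and
// column names are assumptions.

// "Database": plain text. Anyone who reads the table reads every password.
function storePlain(string $password): string
{
    return $password;
}

// "Database Improved": unsalted hash. Jon and Amber chose the same
// password, so their rows are identical and the table still leaks that.
function storeHashed(string $password): string
{
    return hash('sha256', $password);
}

// "Database Best": a random per-user salt stored beside the hash, so equal
// passwords no longer produce equal rows and precomputed tables are useless.
function storeSalted(string $password): array
{
    $salt = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    return [
        'salt'               => $salt,
        'encrypted_password' => hash('sha256', $salt . $password),
    ];
}

// Constructed users sharing a password.
$users = ['jon' => 'hunter2', 'amber' => 'hunter2'];

$hashed = array_map('storeHashed', $users);
echo 'Unsalted rows identical: ',
     var_export($hashed['jon'] === $hashed['amber'], true), "\n";

$salted = array_map('storeSalted', $users);
echo 'Salted rows identical:   ',
     var_export($salted['jon']['encrypted_password']
                === $salted['amber']['encrypted_password'], true), "\n";

// Modern PHP bundles salting and a deliberately slow password hash into
// password_hash()/password_verify(); prefer it over hand-rolled SHA-256.
$stored = password_hash('hunter2', PASSWORD_DEFAULT);
echo 'password_verify: ', var_export(password_verify('hunter2', $stored), true), "\n";
```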


Authentication: verify login credentials

  • User submits login and password via form

  • PHP retrieves posted information via $_POST['login'] and $_POST['password']

  • PHP runs database query:

    • SELECT * from Users WHERE login = $_POST['login']

  • Authenticate

    • Encrypt($_POST['password'], $row['salt']) == $row['encrypted_password']

HUGE security vulnerability! Use prepared statements instead:

http://php.net/manual/en/pdo.prepared-statements.php
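The authentication step above, as an added PHP example that is not the lecture's code: the slide's query with the login interpolated into the SQL text sits beside the PDO prepared-statement version, and the Encrypt(password, salt) comparison uses hash_equals(). Table and column names follow the slide; the in-memory SQLite table and its one user are constructed for the demo.

```php
<?php
// Added example, not the lecture's code: the slide's authentication step
// written first with the login interpolated into the SQL (the vulnerable
// form) and then with a PDO prepared statement. Table and column names
// follow the slide; the in-memory SQLite table is constructed for the demo.

// As on the slide: the submitted login becomes part of the SQL text, so a
// login containing quote characters alters the query instead of being
// matched against the column. This is SQL injection; do not ship it.
function findUserInterpolated(PDO $pdo, string $login): ?array
{
    $row = $pdo->query("SELECT * FROM Users WHERE login = '$login'")
               ->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Prepared statement: the SQL is fixed before any user data is seen, and
// the login is bound as a value that can only ever be compared as data.
function findUser(PDO $pdo, string $login): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM Users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The slide's Encrypt($password, $salt) == $encrypted_password check, with
// hash_equals() so the comparison time does not reveal where it differs.
function authenticate(PDO $pdo, string $login, string $password): bool
{
    $row = findUser($pdo, $login);
    if ($row === null) {
        return false;
    }
    $computed = hash('sha256', $row['salt'] . $password);
    return hash_equals($row['encrypted_password'], $computed);
}

// Constructed demo table with one user.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (login TEXT, salt TEXT, encrypted_password TEXT)');
$salt = bin2hex(random_bytes(16));
$pdo->prepare('INSERT INTO Users VALUES (:l, :s, :p)')
    ->execute([':l' => 'jon', ':s' => $salt, ':p' => hash('sha256', $salt . 'hunter2')]);

echo 'jon/hunter2 accepted: ', var_export(authenticate($pdo, 'jon', 'hunter2'), true), "\n";
echo 'jon/wrong accepted:   ', var_export(authenticate($pdo, 'jon', 'wrong'), true), "\n";
```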


What if we visit a new page?

We would need to ask for credentials again.

What a bother!

Why?

Because HTTP is stateless.

How do we fix this?

Sessions.


What should happen

  • After logging in initially we want to be able to stay logged in until we close the browser or log out.

  • Also want the site to remember who we are.


Cookies to the Rescue?

  • We need some sort of state, memory, between page loads.

  • Could store:

    as cookies

  • And send cookies every time we load a page. Server could then check that we’re logged in and know who we are logged in as.

Issues?

Totally insecure!

Could log in as whoever you want.


Sessions: server-side state

  • We need state, but we can’t store sensitive data on the client side. Thankfully there is server-side state!

  • Could store:

  • But how do we identify which stored record belongs to a particular client? Need to store an identifier too.


What’s Inside Each?

Cookies

Sessions

Secure?

Nope. Can change our cookie to hijack other sessions.


What Should Be Inside Each

Cookies

Sessions

Secure?

Yes. As long as our Session Key is random and sufficiently long (enough entropy).


Initial Interaction

  • Front End

    • Form

  • Back End

    • PHP for Authentication

    • Database

[Diagram: the form sends login, password to the PHP code; PHP searches the database for the user with the given login; the database returns that user's encrypted password; PHP replies authenticated and issues a session key.]


Subsequent Interaction

  • Browser

  • Back End

    • PHP for Authentication

[Diagram: the browser sends its session id to the PHP code, which returns the private web page.]


Session Hijacking

  • Session key is king. If someone is able to determine the value of your session key they can send the same cookie to the server and have access to your full account.

  • Firesheep


Making Session Hijacking Harder

Also session fixation attacks...

Unique Request Headers

HTTPS
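The session design from the "What Should Be Inside Each" slide together with the hardening points on this slide, as an added PHP example that is not the lecture's code: the cookie carries nothing but a random session key, identity lives server-side, a fresh key is minted at login (the session-fixation defence), and the cookie is restricted to HTTPS. The $sessions array stands in for a Sessions table and the function names are assumptions.

```php
<?php
// Added example, not the lecture's code, covering the "What Should Be Inside
// Each" and "Making Session Hijacking Harder" slides. The cookie carries
// only a random session key; who the user is lives server-side in
// $sessions, a constructed array standing in for the Sessions table.
// Function names are assumptions.

$sessions = [];   // session key => ['user_id' => int, 'created' => timestamp]

// On a successful login: mint a brand-new key from the CSPRNG (256 bits of
// entropy, so it cannot be guessed or enumerated) and give the client that
// key and nothing else. Always minting a new key here, instead of adopting
// whatever session cookie the client showed up with, is what defeats
// session fixation.
function startSession(array &$sessions, int $userId): string
{
    $key = bin2hex(random_bytes(32));
    $sessions[$key] = ['user_id' => $userId, 'created' => time()];
    setcookie('session_key', $key, [
        'httponly' => true,   // page scripts cannot read it
        'secure'   => true,   // sent over HTTPS only, so it cannot be sniffed
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
    return $key;
}

// On every later request: look the presented key up server-side. The
// client can only present a key the server issued; it never gets to
// claim a user id directly, which is what the cookie-only design allowed.
function currentUser(array $sessions, ?string $cookieKey): ?int
{
    if ($cookieKey === null || !isset($sessions[$cookieKey])) {
        return null;
    }
    return $sessions[$cookieKey]['user_id'];
}

// Logout: drop the key server-side so the cookie is worthless afterwards.
function endSession(array &$sessions, string $key): void
{
    unset($sessions[$key]);
}

// Constructed walk-through.
$key = startSession($sessions, 42);
echo 'user for issued key:  ', var_export(currentUser($sessions, $key), true), "\n";
echo 'user for unknown key: ', var_export(currentUser($sessions, 'deadbeef'), true), "\n";
endSession($sessions, $key);
echo 'user after logout:    ', var_export(currentUser($sessions, $key), true), "\n";
```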


Writing Your Own Authentication System

  • Is very hard

  • Lots of things have to go right to make it secure and one thing wrong can jeopardize the entire system’s security

  • Look for a reputable plugin

  • Use established encryption techniques

Semester Wrap Up


What We’ve Learned

  • HTML

  • CSS

  • jQuery (JavaScript)

  • PHP

  • MySQL


What Now?

  • Forget PHP

  • Want to build Facebook in a month, by yourself?

  • Learn: Ruby on Rails!

    • Still need all our knowledge of HTML, CSS, jQuery, MySQL

    • CS169

Great rails resource:

http://railscasts.com/


Keep in Touch…

  • Let me know what you’re up to…

    • What you’re building…

    • If you need advice…

  • Facebook Group or email


Additional Resources

General Web Design/Development Tutorials: http://www.smashingmagazine.com/

Photoshop Tutorials: http://www.tutorial9.net/

Awesome Web Designs: http://cssremix.com/
