Feedback #2 (under assignments) Lecture Code:

http://decal.aw-industries.com


Today’s Agenda

  • Course Feedback

  • Announcements

  • Building a Login System

  • Wrap Up


Announcements

  • Last Day of Class Today

  • Interest in Presenting Final Projects?

  • FP Deadlines

    • 12/6 Photoshop Layout

    • 12/13 Entire, Fully-Functional Project


Web Design:

Fall 2010

Mondays 7-9pm

200 Sutardja-Dai Hall

Basic to Advanced Techniques

Building a Login System


Login Systems


Functionality

  • Login

  • Verify Credentials

  • Logout

  • Remember Me

  • Register


Components

  • Front End

    • Form

  • Back End

    • PHP for Authentication

    • Database

[Diagram: the browser form sends "login, password" to the PHP code; the code asks the database to "search for user with given login"; the database returns the stored ("encrypted", i.e. hashed) password; on success the code replies "authenticated" to the browser and issues a session id.]


Database: passwords stored in plain text

Totally insecure!

What if someone hacks your database?

Can discover all passwords.

Can log in as anyone.


Database Improved: passwords stored as unsalted hashes

Better, but…

Leaks information.

If someone hacks the database:

Can notice Jon and Amber have the same password (their rows carry the same hash).

CanNOT log in as anyone.

Or can they? A precomputed table of hashes of common passwords (a rainbow table) reverses every unsalted hash that appears in it, and the attacker hashes the table once for all users.


Database Best: per-user random salt plus hash

Secure!

Assuming a random salt per user, a proper one-way password hash, and the cryptography done correctly.


Database Takeaways

  • Never store plain text passwords!

    • Store a one-way hash (the slides call it "encrypted", but it must not be decryptable) and compare hashes instead.

  • Use a random salt per user to prevent information leaks.
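The three table designs the slides compare, as an added example written for this page rather than code from the lecture. It is in Python instead of the deck's PHP so that it runs stand-alone; the accounts, passwords and attacker wordlist are constructed, with the names Jon and Amber reused from the slide:

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (not the slide's table). Jon and Amber share a
# password, which is exactly what the unsalted design gives away.
SAMPLE_USERS = [("jon", "hunter2"), ("amber", "hunter2"), ("sam", "correct horse battery")]
WORDLIST = ["123456", "password", "hunter2", "letmein"]   # constructed attacker dictionary

# Design 1 ("Database"): plain text. Anyone who reads the table can log in as anyone.
def store_plaintext(users):
    return {login: password for login, password in users}

# Design 2 ("Database Improved"): unsalted SHA-256. The table no longer shows the
# passwords, but equal passwords give equal digests, and a digest of a common
# password can be matched against a precomputed dictionary.
def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()

def store_unsalted(users):
    return {login: hash_unsalted(password) for login, password in users}

def duplicate_passwords(table):
    """Logins whose rows carry the same digest: the 'Jon and Amber' leak."""
    by_digest = {}
    for login, digest in table.items():
        by_digest.setdefault(digest, []).append(login)
    return [logins for logins in by_digest.values() if len(logins) > 1]

def dictionary_attack(table, wordlist):
    """'Or can they?' Hash the wordlist once, then match it against every row."""
    reverse = {hash_unsalted(word): word for word in wordlist}
    return {login: reverse[digest] for login, digest in table.items() if digest in reverse}

# Design 3 ("Database Best"): per-user random salt and a deliberately slow
# password hash (PBKDF2-HMAC-SHA256). Same password, different rows.
ITERATIONS = 200_000

def hash_salted(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store_salted(users):
    table = {}
    for login, password in users:
        salt = secrets.token_bytes(16)          # 128 random bits, fresh for every user
        table[login] = (salt, hash_salted(password, salt))
    return table

def verify_salted(table, login, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = table.get(login)
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_salted(password, salt), stored)
```

The dictionary attack that recovers Jon's and Amber's passwords from the unsalted table does not carry over to the salted one: the attacker has to redo the slow hash for every row and every guess, and identical passwords no longer produce identical rows.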


Authentication: verify login credentials

  • User submits login and password via form

  • PHP retrieves posted information via $_POST['login'] and $_POST['password']

  • PHP runs database query:

    • SELECT * from Users WHERE login = $_POST['login']

  • Authenticate

    • Encrypt($_POST['password'], $row['salt']) == $row['encrypted_password']

HUGE security vulnerability: the query above pastes the user's input straight into the SQL string (SQL injection), so a crafted login field rewrites the query and can return whatever row the attacker wants.

Use prepared statements instead, so the login is bound as a value and never parsed as SQL:

http://php.net/manual/en/pdo.prepared-statements.php
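The vulnerable query from the slide beside its prepared-statement replacement, with the injection that turns the concatenated version into a login as any user. This is an added example written for this page, not the lecture's code: it uses Python's sqlite3 in place of PHP and MySQL, an in-memory Users table with the slide's columns (login, salt, encrypted_password), constructed sample rows, and PBKDF2 standing in for the slide's Encrypt():

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 100_000

def hash_password(password, salt):
    """The slide's Encrypt(password, salt): here PBKDF2-HMAC-SHA256, a one-way hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def setup_db():
    """In-memory Users table with the slide's columns; rows are constructed samples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (login TEXT PRIMARY KEY, salt BLOB, encrypted_password BLOB)")
    for login, password in [("jon", "hunter2"), ("amber", "s3cret")]:
        salt = secrets.token_bytes(16)
        db.execute("INSERT INTO Users VALUES (?, ?, ?)", (login, salt, hash_password(password, salt)))
    db.commit()
    return db

def find_user_vulnerable(db, login):
    """The slide's query, built by string concatenation: the login text becomes SQL."""
    sql = "SELECT login, salt, encrypted_password FROM Users WHERE login = '" + login + "'"
    return db.execute(sql).fetchone()

def find_user_safe(db, login):
    """Prepared statement: the login is bound as a value and never parsed as SQL."""
    sql = "SELECT login, salt, encrypted_password FROM Users WHERE login = ?"
    return db.execute(sql, (login,)).fetchone()

def authenticate(db, login, password, find_user):
    """Return the authenticated login, or None. The hash check itself is sound;
    what differs between the two finders is which row it runs against."""
    row = find_user(db, login)
    if row is None:
        return None
    found_login, salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return found_login
    return None

def forge_login(victim, attacker_password):
    """Injection payload for the login field: closes the quoted string, then UNIONs
    in a row for `victim` whose salt and hash the attacker computed for a password
    they know. The hash check passes, so the attacker is logged in as the victim."""
    salt = b"\x00" * 16
    digest = hash_password(attacker_password, salt)
    return "' UNION SELECT '%s', x'%s', x'%s' --" % (victim, salt.hex(), digest.hex())
```

Note that the password comparison never had to be broken: the attacker supplies both the credential and the row it is checked against. With the bound parameter the same payload is just a login nobody has, and the lookup returns nothing.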


What if we visit a new page?

We would need to ask for credentials again.

What a bother!

Why?

Because HTTP is stateless: each request is handled on its own, and the server keeps no memory of the previous one.

How do we fix this?

Sessions.


What should happen

  • After logging in initially we want to be able to stay logged in until we close the browser or log out.

  • Also want the site to remember who we are.


Cookies to the Rescue?

  • We need some sort of state, memory, between page loads.

  • Could store the logged-in user's identity as cookies.

  • And send cookies every time we load a page. Server could then check that we're logged in and know who we are logged in as.

Issues?

Totally insecure!

The client controls its own cookies: edit the cookie to another user's identity and you are logged in as whoever you want.


Sessions: server-side state

  • We need state, but we can’t store sensitive data on the client side. Thankfully there is server-side state!

  • Could store:

  • But how do we identify which stored record belongs to a particular client? Need to store an identifier too.


What's Inside Each?

Cookies: the session identifier (in this first design, a predictable one)

Sessions: the server-side record that identifier points to

Secure?

Nope. Can change our cookie to another identifier and hijack other sessions.


What Should Be Inside Each.

Cookies: only a random session key

Sessions: the user's identity and any other server-side state, filed under that key

Secure?

Yes. As long as our Session Key is random and sufficiently long (enough entropy), an attacker cannot guess another client's key.


Initial Interaction

  • Front End

    • Form

  • Back End

    • PHP for Authentication

    • Database

[Diagram, same flow as the Components slide: the form sends "login, password"; PHP searches the database for the user with the given login and gets back the stored ("encrypted") password; on success PHP replies "authenticated" and issues a session key.]


Subsequent Interaction

  • Browser

  • Back End

    • PHP for Authentication

[Diagram: the browser sends only its session id cookie; PHP looks the session up and returns the private web page.]


Session Hijacking

  • Session key is king. If someone is able to determine the value of your session key they can send the same cookie to the server and have access to your full account.

  • Firesheep: a 2010 Firefox extension that sniffed session cookies off open Wi-Fi from sites that used HTTPS only for the login page, then let its user log in as the victim with one click.


Making Session Hijacking Harder

Also session fixation attacks: an attacker plants a session key in the victim's browser before login, then reuses it after the victim authenticates. Defence: issue a fresh session key at login (PHP: session_regenerate_id()).

Unique Request Headers: tie the session to request headers that should stay constant for one client (e.g. User-Agent), so a replayed cookie that arrives with different headers is rejected. A weak check on its own, since an attacker who can sniff the cookie can copy the headers too.

HTTPS: encrypt the whole session so the cookie cannot be sniffed off the network, and mark the cookie Secure so the browser never sends it over plain HTTP.
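The session designs from "Cookies to the Rescue?" through "Making Session Hijacking Harder", as an added example written for this page (not the lecture's code and not PHP's real session machinery): an in-memory server-side store standing in for $_SESSION, the cookie-only design it replaces, a session fixation attempt run against a login that keeps the client's key and against one that regenerates it, and the cookie attributes that keep the key off the wire. The attacker-chosen key and the user names are constructed.

```python
import secrets

class SessionStore:
    """Server-side session table: opaque key -> record. Stand-in for PHP's $_SESSION."""

    def __init__(self):
        self._sessions = {}

    def create(self, login=None):
        key = secrets.token_urlsafe(32)   # 256 random bits: long enough that guessing is hopeless
        self._sessions[key] = {"login": login}
        return key

    def lookup(self, key):
        record = self._sessions.get(key)
        return record["login"] if record else None

    def destroy(self, key):
        self._sessions.pop(key, None)

    def regenerate(self, old_key):
        """Move the record to a fresh key; the old key stops working (PHP: session_regenerate_id(true))."""
        record = self._sessions.pop(old_key, None)
        if record is None:
            return None
        new_key = secrets.token_urlsafe(32)
        self._sessions[new_key] = record
        return new_key

    def adopt(self, key, login):
        """Weak behaviour: trust whatever key the client presented, creating it if unknown."""
        self._sessions.setdefault(key, {"login": None})["login"] = login

# "Cookies to the Rescue?": identity lives in the cookie, so the client picks it.
def who_am_i_cookie_only(cookies):
    return cookies.get("login")

# "What Should Be Inside Each": the cookie holds only the key; identity is looked up server-side.
def who_am_i_session(store, cookies):
    return store.lookup(cookies.get("sid", ""))

def login_user(store, presented_key, login, regenerate):
    """Called after the password check succeeded; `presented_key` is the session
    cookie the client sent with the login request, if any."""
    if regenerate:
        store.destroy(presented_key)      # any pre-login session, planted or not, dies here
        return store.create(login)        # fresh key the attacker has never seen
    store.adopt(presented_key, login)     # fixation-vulnerable: identity attached to the planted key
    return presented_key

def fixation_scenario(regenerate):
    """Attacker plants a key in the victim's browser, victim logs in, attacker replays the key.
    Returns the identity the attacker's replay resolves to (None means the attack failed)."""
    store = SessionStore()
    planted = "key-the-attacker-chose"                   # constructed attacker-chosen value
    login_user(store, planted, "jon", regenerate)        # victim authenticates with that cookie set
    return store.lookup(planted)

def session_cookie_header(key):
    """Secure: never sent over plain HTTP (Firesheep-style sniffing sees nothing);
    HttpOnly: not readable from page scripts; SameSite: not attached to cross-site requests."""
    return "Set-Cookie: sid=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % key
```

The random key only protects against guessing; it does nothing against a key the attacker planted or sniffed, which is why the login path regenerates it and the cookie is sent only over HTTPS.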


Writing Your Own Authentication System

  • Is very hard

  • Lots of things have to go right to make it secure, and one thing wrong can jeopardize the entire system's security

  • Look for a reputable plugin

  • Use established cryptographic techniques (a standard password hash with a per-user salt, not a home-made scheme)



Semester Wrap Up


What We’ve Learned

  • HTML

  • CSS

  • jQuery (JavaScript)

  • PHP

  • MySQL


What Now?

  • Forget PHP

  • Want to build Facebook in a month, by yourself?

  • Learn: Ruby on Rails!

    • Still need all our knowledge of HTML, CSS, jQuery, MySQL

    • CS169

Great rails resource:

http://railscasts.com/


Keep in Touch…

  • Let me know what you’re up to…

    • What you’re building…

    • If you need advice…

  • Facebook Group or email


Additional Resources

General Web Design/Development Tutorials: http://www.smashingmagazine.com/

Photoshop Tutorials: http://www.tutorial9.net/

Awesome Web Designs: http://cssremix.com/

