Feedback #2 (under assignments) Lecture Code: - PowerPoint PPT Presentation
Feedback #2 (under assignments) Lecture Code:

http://decal.aw-industries.com


Today’s Agenda

  • Course Feedback

  • Announcements

  • Building a Login System

  • Wrap Up


Announcements

  • Last Day of Class Today

  • Interest in Presenting Final Projects?

  • FP Deadlines

    • 12/6 Photoshop Layout

    • 12/13 Entire, Fully-Functional Project



Web Design:

Fall 2010

Mondays 7-9pm

200 Sutardja-Dai Hall

Basic to Advanced Techniques

Building a Login System



Functionality

  • Login

  • Verify Credentials

  • Logout

  • Remember Me

  • Register


Components

  • Front End

    • Form

  • Back End

    • PHP for Authentication

    • Database

Diagram labels: login, password; authenticated; session id; encrypted password; search for user with given login.


Diagram labels: Form; Browser; Code.


Database

Totally insecure!

What if someone hacks your database?

Can discover all passwords.

Can log in as anyone.


Database Improved

Better, but…

Leaks information.

If someone hacks database:

Can notice Jon and Amber have same password.

CanNOT log in as anyone.

Or can they?


Database Best

Secure!

Assuming random salt and cryptography done correctly.


Database Takeaways

  • Never store plain-text passwords!

    • Compare encrypted passwords instead.

  • Use a random salt to prevent information leaks.
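The three storage schemes the "Database" slides compare, as an added example that is not part of the lecture's own code. The user names and passwords are constructed; Jon and Amber deliberately share a password so the dump comparison matches the slide.

```php
<?php
// Added example, not the lecture's code: plain text vs. unsalted hash vs. salted hash,
// on constructed sample users. Jon and Amber deliberately share a password.
declare(strict_types=1);

// "Database": plain text. Anyone who reads the table has every password.
function store_plain(string $password): string {
    return $password;
}

// "Database Improved": unsalted hash. The same password always gives the same stored
// value, so a dump still reveals which users share a password.
function store_unsalted(string $password): string {
    return hash('sha256', $password);
}

// "Database Best": per-user random salt. password_hash() draws the salt from a CSPRNG
// and embeds it (with algorithm and cost) in the returned string, so no salt column is needed.
function store_salted(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check for the salted scheme: password_verify() extracts the salt from the stored
// value, recomputes the hash and compares in constant time.
function check_salted(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Constructed sample data.
$passwords = ['jon' => 'hunter2', 'amber' => 'hunter2', 'sam' => 'correct horse battery'];

$plain    = array_map('store_plain', $passwords);      // array_map keeps the string keys
$unsalted = array_map('store_unsalted', $passwords);
$salted   = array_map('store_salted', $passwords);

// What a database dump leaks: with unsalted hashes jon's and amber's rows are identical;
// with salted hashes they differ even though the passwords are the same.
$unsaltedRowsEqual = $unsalted['jon'] === $unsalted['amber'];
$saltedRowsEqual   = $salted['jon'] === $salted['amber'];

// Authentication still works against the salted values, and a wrong password still fails.
$amberOk  = check_salted('hunter2', $salted['amber']);
$amberBad = check_salted('hunter3', $salted['amber']);

printf("unsalted rows equal: %s, salted rows equal: %s\n",
    var_export($unsaltedRowsEqual, true), var_export($saltedRowsEqual, true));
printf("amber correct password: %s, amber wrong password: %s\n",
    var_export($amberOk, true), var_export($amberBad, true));
```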


Authentication: verify login credentials

  • User submits login and password via form

  • PHP retrieves posted information via $_POST['login'] and $_POST['password']

  • PHP runs database query:

    • SELECT * from Users WHERE login = $_POST['login']

  • Authenticate

    • Encrypt($_POST['password'], $row['salt']) == $row['encrypted_password']

HUGE security vulnerability!

Use prepared statements instead:

http://php.net/manual/en/pdo.prepared-statements.php
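The lookup and "Authenticate" steps above, done with a PDO prepared statement instead of string-building the query. This is an added example, not code from the lecture; the Users table is constructed in-memory with SQLite so it runs offline, and the table and column names (id, login, password_hash) are assumptions.

```php
<?php
// Added example, not the lecture's code: the slide's user lookup with a PDO prepared statement,
// then the salted-hash comparison. Table/column names are assumptions; data is constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, password_hash TEXT)');

// Registration: password_hash() chooses a random salt and embeds it in the stored string.
function register(PDO $pdo, string $login, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO Users (login, password_hash) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

// UNSAFE, equivalent to the slide's "SELECT * from Users WHERE login = $_POST['login']":
// the login is pasted into the SQL text, so the database parses user input as SQL.
// Kept only as the contrast for find_user() below; it is never called here.
function find_user_unsafe(PDO $pdo, string $login): ?array {
    $row = $pdo->query("SELECT * FROM Users WHERE login = '$login'")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the SQL text is fixed at prepare time; the login travels as a bound value, never as SQL.
function find_user(PDO $pdo, string $login): ?array {
    $stmt = $pdo->prepare('SELECT id, login, password_hash FROM Users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The slide's "Authenticate" step. Returns the user id on success, null on unknown login or
// wrong password (the same answer for both, so the response does not reveal which logins exist).
function authenticate(PDO $pdo, string $login, string $password): ?int {
    $user = find_user($pdo, $login);
    if ($user === null) {
        return null;
    }
    // password_verify() reads the salt out of the stored hash and compares in constant time.
    return password_verify($password, $user['password_hash']) ? (int) $user['id'] : null;
}

// Constructed sample data; in the real handler the values come from $_POST['login'] and $_POST['password'].
register($pdo, 'jon', 'hunter2');
register($pdo, "o'brien", 'pass word');
var_dump(authenticate($pdo, 'jon', 'hunter2'));       // correct password: the user id
var_dump(authenticate($pdo, 'jon', 'wrong'));         // wrong password: null
// A quote in the login is plain data to the bound parameter; the unsafe version would have
// turned the same input into a broken (or altered) SQL statement.
var_dump(authenticate($pdo, "o'brien", 'pass word'));
```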


What if we visit a new page?

We would need to ask for credentials again.

What a bother!

Why?

Because HTTP is stateless.

How do we fix this?

Sessions.


What should happen

  • After logging in initially we want to be able to stay logged in until we close the browser or log out.

  • Also want the site to remember who we are.


Cookies to the Rescue?

  • We need some sort of state, memory, between page loads.

  • Could store:

    as cookies

  • And send cookies every time we load a page. Server could then check that we’re logged in and know who we are logged in as.

Issues?

Totally insecure!

Could log in as whoever you want.


Sessions: server-side state

  • We need state, but we can’t store sensitive data on the client side. Thankfully there is server-side state!

  • Could store:

  • But how do we identify which stored record belongs to a particular client? Need to store an identifier too.


What’s Inside Each?

Cookies

Sessions

Secure?

Nope. Can change our cookie to hijack other sessions.


What Should Be Inside Each?

Cookies

Sessions

Secure?

Yes. As long as our Session Key is random and sufficiently long (enough entropy).


Initial Interaction

  • Front End

    • Form

  • Back End

    • PHP for Authentication

    • Database

Diagram labels: login, password; authenticated; session key; encrypted password; search for user with given login.


Subsequent Interaction

  • Browser

  • Back End

    • PHP for Authentication

Diagram labels: session id; private web page.


Session Hijacking

  • Session key is king. If someone is able to determine the value of your session key they can send the same cookie to the server and have access to your full account.

  • Firesheep


Making Session Hijacking Harder

Also session fixation attacks...

Unique Request Headers

HTTPS
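The session handling the slides describe (an opaque random key in the cookie, the user identity server-side), with the hardening steps named above: regenerate the id at login against fixation, send the cookie only over HTTPS and keep it away from scripts, and bind the session to a request header. Added example, not the lecture's code; it assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and the user-agent binding is one possible "unique request header" check, not a lecture-specified one.

```php
<?php
// Added example, not the lecture's code: server-side sessions with a random session key.
// Assumes PHP 7.3+ (array form of session_set_cookie_params()).
declare(strict_types=1);

function start_secure_session(): void {
    ini_set('session.use_strict_mode', '1');        // refuse ids the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');       // never accept the id from the URL
    ini_set('session.sid_length', '48');            // 48 chars x 6 bits = 288 bits of entropy,
    ini_set('session.sid_bits_per_character', '6'); // drawn from PHP's CSPRNG
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS, so a passive sniffer never sees the key
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Binding value for the "unique request headers" idea; a heuristic, not a proof of identity.
function client_fingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call after the credentials were verified. Only the user id lives in the session store;
// the cookie carries nothing but the opaque session key.
function log_in(int $userId): void {
    session_regenerate_id(true);   // drop any id the client had before login: fixation defence
    $_SESSION['user_id'] = $userId;
    $_SESSION['fp']      = client_fingerprint();
}

// Gate for a private page (the "subsequent interaction" on the slides).
function current_user_id(): ?int {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if (($_SESSION['fp'] ?? '') !== client_fingerprint()) {
        log_out();                 // same key, different client: treat as a possible hijack
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function log_out(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A login page calls start_secure_session(), then log_in($id) once authentication succeeds; every private page calls start_secure_session() and redirects when current_user_id() returns null.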


Writing Your Own Authentication System

  • Is very hard

  • Lots of things have to go right to make it secure and one thing wrong can jeopardize the entire system’s security

  • Look for a reputable plugin

  • Use established encryption techniques


Semester Wrap Up


What We’ve Learned

  • HTML

  • CSS

  • jQuery (JavaScript)

  • PHP

  • MySQL


What Now?

  • Forget PHP

  • Want to build Facebook in a month, by yourself?

  • Learn: Ruby on Rails!

    • Still need all our knowledge of HTML, CSS, jQuery, MySQL

    • CS169

Great Rails resource:

http://railscasts.com/


Keep in Touch…

  • Let me know what you’re up to…

    • What you’re building…

    • If you need advice…

  • Facebook Group or email


Additional Resources

General Web Design/Development Tutorials: http://www.smashingmagazine.com/

Photoshop Tutorials: http://www.tutorial9.net/

Awesome Web Designs: http://cssremix.com/

