Authentication and Security
Presentation Transcript


Authentication and Security

Note: What we discuss in class today covers moderate to low security. Before you involve yourself in a project that requires high security (credit card info, social security numbers, etc.), take a class on database security.

It's becoming more common for sites to keep records of the transactions while offloading payment etc. to sites like PayPal, which handle the secure side of the transaction. This approach minimizes risk and cost. That said, what we're covering today will let you control user access.


Authentication and Security

  • HTTP authentication
  • Using PHP scripts to manage user authentication and authorization
  • Using PHP scripts to authenticate users against a database
  • Building session-based web database applications to authenticate users
  • SSL (Secure Sockets Layer)


HTTP authentication

HTTP authentication allows you to password protect a directory. There are 3 steps:

1- Create an access file, which describes which users can access a site.
2- Create a password file, which lists user names and passwords allowed.
3- Upload the files.


HTTP authentication

1- Create an access file, which describes which users can access a site.

Open the text editor and save a new file called ".htaccess".

Basic format:

    AuthUserFile /full_path/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Page Name"
    AuthType Basic
    require user UserName

Example (this form lets in any user listed in the password file):

    AuthUserFile /home/denning/www/ezcontents1_4x/contentdocument/intro_to_db/cl_8/http_pass/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Super Secret Page"
    AuthType Basic
    require valid-user

full_path is the location of the .htpasswd file. This should be outside your normal directories.

UserName is the name of the user allowed to access the pages. Use "require valid-user" if more than one person can access the directory (it admits every user listed in .htpasswd). Use "require user" with a specific username, in this case Test, if only one person can access the directory.

There is no group file, so we specify /dev/null (the standard Unix way to say "this file doesn't exist").


HTTP authentication

2- Create a password file, which lists user names and passwords allowed.

Open the text editor and save a new file called ".htpasswd".

Decide on a user name and password:

    name: Test
    password: Class

Generate the password using a tool that encrypts the password (see the link from the syllabus to http://www.euronet.nl/~arnow/htpasswd/ ).

Basic format:

    UserName:Password

Example:

    Test:180TuOLtbRWCU

It's crucial that you press enter after each line (the last line should be an empty one, not a line with a password entry in it) and that you upload the file as 'text' or 'ascii'.

Also, keep in mind that these lines are case-sensitive; you should enter a capital as a capital and a lower-case character as a lower-case character.


HTTP authentication

3- Upload the files.

.htpasswd should go to a secure location on your website.
.htaccess should go in the directory you want to protect.

NOTE: the "full path" in .htaccess needs to match the location of .htpasswd.


HTTP authentication

Multiple users

1- Modify .htpasswd:

    user1:NgFQ1vnnW/tJk
    user2:mWaquohh.OY3w
    user3:EMt8amgnyuYD2

Using groups

1- Create a file called ".htgroup" (similar to .htpasswd):

    my-users:user1 user2 user3

2- Modify the .htaccess file in the directory to look like this:

    AuthUserFile /home/john/.htpasswd
    AuthGroupFile /home/john/.htgroup
    AuthName "Johns page"
    AuthType Basic
    require group my-users
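The three-file setup above (access file, password file, optional group file) fails silently when the pieces disagree, so here is an added consistency check (example code written for this page, not part of the slides). It parses the .htaccess directives, confirms the AuthUserFile path exists and sits outside the protected directory, checks the final newline the slides insist on, and verifies that every user or group member named by the require line is present in .htpasswd with exactly the same spelling and case. The files are constructed in a temporary directory using the hashes shown on the slides.

```python
import os
import tempfile

def parse_htaccess(text):
    """Auth directives of a .htaccess as a dict; the last occurrence wins, as in Apache."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip('"')
    return conf

def parse_colon_file(path):
    text = open(path).read()
    entries = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)   # user:hash or group:members
    return entries, text.endswith("\n")

def check_auth_setup(protected_dir):
    """Return the problems found in protected_dir/.htaccess and the files it points to ([] = consistent)."""
    conf = parse_htaccess(open(os.path.join(protected_dir, ".htaccess")).read())
    pw_path = conf.get("AuthUserFile", "")
    if not os.path.isfile(pw_path):          # the "full path" does not match where .htpasswd was uploaded
        return ["AuthUserFile not found: " + pw_path]
    problems = []
    if os.path.realpath(pw_path).startswith(os.path.realpath(protected_dir) + os.sep):
        problems.append(".htpasswd lives inside the protected directory")
    users, ends_with_newline = parse_colon_file(pw_path)
    if not ends_with_newline:
        problems.append(".htpasswd is missing the final newline")
    req = conf.get("require", "").split()    # ["user", "Test"], ["group", "my-users"] or ["valid-user"]
    names = req[1:]
    if req[:1] == ["group"]:
        groups, _ = parse_colon_file(conf.get("AuthGroupFile", "/dev/null"))
        problems += ["unknown group: " + g for g in names if g not in groups]
        names = [m for g in names for m in groups.get(g, "").split()]   # member lookups are case-sensitive
    if req[:1] in (["user"], ["group"]):
        problems += ["user not in .htpasswd: " + u for u in names if u not in users]
    return problems

def demo():
    """Constructed files reproducing the slides' group setup: once correct, once with a broken .htgroup."""
    root = tempfile.mkdtemp()                # layout: root/.htpasswd, root/.htgroup, root/www/.htaccess
    os.mkdir(root + "/www")
    open(root + "/.htpasswd", "w").write("user1:NgFQ1vnnW/tJk\nuser2:mWaquohh.OY3w\nuser3:EMt8amgnyuYD2\n")
    open(root + "/.htgroup", "w").write("my-users:user1 user2 user3\n")
    open(root + "/www/.htaccess", "w").write('AuthUserFile %s/.htpasswd\nAuthGroupFile %s/.htgroup\n'
        'AuthName "Johns page"\nAuthType Basic\nrequire group my-users\n' % (root, root))
    good = check_auth_setup(root + "/www")
    open(root + "/.htgroup", "w").write("my-users:user1 User2 user4\n")   # wrong case and an unknown member
    return good, check_auth_setup(root + "/www")
```

demo() returns an empty problem list for the correct layout and two problems for the broken .htgroup (User2 does not match user2, user4 has no password entry).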


Using PHP scripts to manage user authentication and authorization

PHP can access the name and password variables submitted through HTTP authentication:

    <?php
    // Apache fills these in from the Authorization header once the user has passed Basic authentication
    $user = $_SERVER['PHP_AUTH_USER'];
    $pw = $_SERVER['PHP_AUTH_PW'];
    print("<html><head><title></title></head><body>");
    print("Hi this is the index<br>");
    print("You are: " . htmlspecialchars($user) . "<br>");
    print("using password: " . htmlspecialchars($pw) . "<br>");
    print("</body></html>");
    ?>
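What Apache does before PHP ever sees PHP_AUTH_USER and PHP_AUTH_PW, as an added example written for this page (not the slides' code): decode the browser's "Authorization: Basic" header, look the user up in the password file and compare the hash in constant time. It uses Apache's {SHA} entry format (base64 of the raw SHA-1, which the htpasswd tool can write) instead of the slides' DES-crypt entries, because that format can be computed with the Python standard library; the password file and header are constructed inline for the slides' user Test / Class.

```python
import base64
import hashlib
import hmac

def basic_header(user, password):
    """The header value a browser sends for HTTP Basic authentication."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")

def credentials_from_header(authorization):
    """Recover (user, password) from an Authorization header value; None if it is not usable Basic auth."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")     # only the first ':' separates; passwords may contain ':'
    return (user, password) if sep else None

def sha_entry(user, password):
    """An .htpasswd line in Apache's {SHA} format."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))

def check_password(htpasswd_text, user, password):
    """True if the user exists and the password matches its {SHA} entry (user name and password are case-sensitive)."""
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}"):
            candidate = sha_entry(user, password).partition(":")[2]
            return hmac.compare_digest(candidate, stored)   # constant-time comparison of the two hashes
    return False

def authenticate(htpasswd_text, authorization):
    """Apache's decision for one request: the authenticated user name, or None on any failure."""
    creds = credentials_from_header(authorization)
    if creds is None:
        return None
    user, password = creds
    return user if check_password(htpasswd_text, user, password) else None

# Constructed password file for the slides' user Test with password Class
HTPASSWD = sha_entry("Test", "Class") + "\n"
```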


Using PHP scripts to authenticate users against a database

1- Creating the table

User name must be unique


Using PHP scripts to authenticate users against a database

1- Make "password" a key
2- Result


Protecting passwords in the database

1- Built-in PHP functions

crypt (PHP 3, PHP 4)
crypt -- One-way string encryption (hashing)

Description

    string crypt ( string str [, string salt] )

crypt() will return an encrypted string using the standard Unix DES-based encryption algorithm or alternative algorithms that may be available on the system. Arguments are a string to be encrypted and an optional salt string to base the encryption on. See the Unix man page for your crypt function for more information. If the salt argument is not provided, one will be randomly generated by PHP.


Protecting passwords in the database

1- Logical Flow

Testing if the user is logged in:

    <?php
    // Send the visitor to the login page unless both a user name and a password were submitted
    if (!isset($_POST['u_username']) || !isset($_POST['u_password'])) {
        header("Location: login.php");
        exit();
    } else {
        print("<html><head><title></title></head><body>");
        print("main page of site - authenticated user only");
        print("</body></html>");
    }
    ?>


Protecting passwords in the database

1- Logical Flow

login.php: dispatching on the requested action (register, new_user, login, or show the login form):

    <?php
    include "../../../../../../itb_cl8_info.php";   // database settings: $hostname, $dbUsername, $dbPassword, $dbName, $usersTable
    include "login_functions.php";                   // register_form(), register_new_user(), login_form(), login_user()
    print("<html><head><title></title></head><body>");
    // "new_user" arrives as a GET link from the login form; the other actions are hidden POST fields
    $action     = $_POST['action']     ?? $_GET['action'] ?? "";
    $u_username = $_POST['u_username'] ?? "";
    $u_password = $_POST['u_password'] ?? "";
    if ($action == "register") {
        register_new_user($u_username, $u_password);
        // say hello
        print("Welcome to the site");
    } elseif ($action == "new_user") {
        register_form();
    } elseif ($action == "login") {
        $valid_user = login_user($u_username, $u_password);
        if (!$valid_user) {
            // show login with error
            $error = "Sorry, that user name and password aren't found";
            login_form($error);
        } else {
            // say hello
            print("Hi - we're glad you came back");
        }
    } else {
        $error = "";
        login_form($error);
    }
    print("</body></html>");
    ?>


Protecting passwords in the database

1- Creating a new user

    function register_form() {
        // Registration form; the hidden "action" field tells login.php what to do with the POST
        print("<form method=\"POST\" action=\"\">"
            . "<b>Please register</b><br>"
            . "Name: <input type=\"text\" name=\"u_username\" value=\"\"><br>"
            . "Password: <input type=\"password\" name=\"u_password\" value=\"\"><br>"
            . "<input type=\"hidden\" name=\"action\" value=\"register\">"
            . "<input type=\"submit\">"
            . "</form>");
    }


Protecting passwords in the database

1- Creating a new user (2)

    function register_new_user($u_username, $u_password) {
        global $hostname, $dbUsername, $dbPassword, $dbName, $usersTable;
        // CRYPT OUR PASSWORD: traditional crypt(), with the first two characters of the user name as the salt
        $salt = substr($u_username, 0, 2);
        $crypted_password = crypt($u_password, $salt);
        // INSERT RECORD
        // open connection to host and select the database
        $link = mysqli_connect($hostname, $dbUsername, $dbPassword, $dbName)
            or die("error 1 - DB connection failed");
        // formulate our question as a prepared statement, so the submitted values are never spliced into the SQL
        $stmt = mysqli_prepare($link, "INSERT INTO $usersTable (user_name, password) VALUES (?, ?)")
            or die("error 2 - prepare failed");
        mysqli_stmt_bind_param($stmt, "ss", $u_username, $crypted_password);
        // ask the question
        mysqli_stmt_execute($stmt) or die("error 3 - query failed");
        mysqli_stmt_close($stmt);
        mysqli_close($link);
    }


Protecting passwords in the database

1- Authenticating an Existing User

    function login_form($error) {
        // Login form; $error is shown above the fields when a previous attempt failed
        print("<form method=\"POST\" action=\"\">"
            . "<b>Please Login</b><br>"
            . "<i>" . htmlspecialchars($error) . "</i><br>"
            . "Name: <input type=\"text\" name=\"u_username\" value=\"\"><br>"
            . "Password: <input type=\"password\" name=\"u_password\" value=\"\"><br>"
            . "<input type=\"hidden\" name=\"action\" value=\"login\">"
            . "<input type=\"submit\">"
            . "</form><br>"
            . "<a href=\"login.php?action=new_user\">New Users </a>register here");
    }


Protecting passwords in the database

1- Authenticating an Existing User (2)

    function login_user($u_username, $u_password) {
        global $hostname, $dbUsername, $dbPassword, $dbName, $usersTable;
        // make sure username and password are filled in
        if ($u_username === "" || $u_password === "") {
            return false;
        }
        // recreate the encrypted password stored in the database (same salt rule as registration)
        $salt = substr($u_username, 0, 2);
        $crypted_password = crypt($u_password, $salt);
        // see if we can find the user in the database
        // open connection to host and select the database
        $link = mysqli_connect($hostname, $dbUsername, $dbPassword, $dbName)
            or die("error 1 - DB connection failed");
        // formulate our question as a prepared statement
        $stmt = mysqli_prepare($link, "SELECT password FROM $usersTable WHERE user_name = ? AND password = ?")
            or die("error 2 - prepare failed");
        mysqli_stmt_bind_param($stmt, "ss", $u_username, $crypted_password);
        // ask the question
        mysqli_stmt_execute($stmt) or die("error 3 - query failed");
        mysqli_stmt_store_result($stmt);
        // if there's exactly one row we've found the user
        $found = (mysqli_stmt_num_rows($stmt) == 1);
        mysqli_stmt_close($stmt);
        mysqli_close($link);
        return $found;
    }