
Login forms


boshears


Presentation Transcript


  1. Login forms (image: http://www.flickr.com/photos/torkildr/3462607995/)

  2. Key points for login
  • User wants to access some webpage X
  • But we only want logged in users to access X
  • Server checks session & sees user isn't logged in
  • So the server directs the user to a login form
  • The user submits a username and password
  • Server verifies these are legitimate
  • Server updates session to show user is logged in
  • Server allows the user to get to X

  3. Basic login flow (sequence diagram; participants: Browser, Page X, Login page, Database; messages, in order: Click link; Give me X; Check session; Sry, log in, bro; Ok, give me the login form; Here it is; Enter info; Username & password; Check if it's legit; Update session; Ok, you can go to X now; Give me X; Check session; Here it is)

  4. Notice
  • Page X is defending itself
      • It has to check whether the user is logged in
      • It does this by looking in the session
      • Is $_SESSION["uid"] set and not empty?
      • If the user isn't logged in, then redirect to login
  • Page X has to pass along a note to the login form
      • So that the login form knows to redirect the user back to X after the user enters a valid username and password

  5. Login form requirements
  The login form must...
  • Accept a URL where the user will be sent after logging in (i.e., page X)
  • Gather credentials (username and password)
  • Check that the credentials are valid
  • Record some sort of information indicating that the user is now logged in
  • Redirect the user to the desired spot (X)

  6. Different login options
  • Use the OSU Central Authentication Service
  • Create a custom login form of your own
  • Use another 3rd party authentication service

  7. OSU Central Authentication Service (CAS)
  Documentation: http://onid.oregonstate.edu/docs/technical/cas.shtml
  • If user's session indicates not logged in {
      • Compute current URL (X)
      • Redirect user to CAS; pass current URL as param. }
  • When CAS sends user back to X {
      • Retrieve the "ticket" that CAS sends back
      • Check what ONID account goes with that ticket
      • Mark the user's session as logged in }

  8. CAS login flow (sequence diagram; participants: Browser, Page X, CAS, CAS/ONID Database; messages, in order: Click link; Give me X; Check session; Sry, log in, bro; Ok, give me the login form; Here it is; Enter info; Username & password; Check if it's legit; Create a ticket; Ok, you can go to X?ticket=xyz now; Give me X?ticket=xyz; Verify ticket; Update session; Here it is)

  9. Let's walk through a site skeleton
  Browse at http://web.engr.oregonstate.edu/~scaffidc/courses/cs290/skeleton3
  Download from http://web.engr.oregonstate.edu/~scaffidc/courses/cs290/lectures/site_skeleton3.zip
  Good about this skeleton: Simple site structure, has database, authenticates with OSU CAS
  Bad about this skeleton: Still same page title on every page; still needs input validation

  10. About that site skeleton (3)
  • All the pages include _header.php
  • This PHP provides a checkAuth() function
      • Returns the user's ONID username
      • Either by finding it in the session (if logged in)
      • OR by retrieving the ONID username with a ticket
      • OR by redirecting the user to log in, which will generate a ticket
  • The add_course.php page is defending itself
      • So "Page X" is add_course.php in this example

  11. About the key lines of code
  • Remember to start the session… must be the very 1st line
        session_start();
  • Checking if the user is logged in
        if (isset($_SESSION["onidid"]) && $_SESSION["onidid"] != "")
  • Getting the current URL
        "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"]
  • Redirecting to the CAS login form
        $url = "https://login.oregonstate.edu/cas/login?service=" . $pageURL;
        echo "<script>location.replace('" . $url . "');</script>";
  • Server-to-server connection (to check ticket when user comes back from login)
        $html = file_get_contents($url);
  • Grabbing substring between <cas:user> and </cas:user>
        $pattern = '/\\<cas\\:user\\>([a-zA-Z0-9]+)\\<\\/cas\\:user\\>/';
        preg_match($pattern, $html, $matches);
        if ($matches && count($matches) > 1) $onidid = $matches[1];
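The following is an added example, not the skeleton's own _header.php, that puts slides 7, 10 and 11 together into one checkAuth(). It assumes the CAS base URL from slide 11 and the standard CAS 2.0 serviceValidate endpoint, uses a Location header in place of the slides' JavaScript redirect, and adds session_regenerate_id() on successful login as a defensive step the slides do not show.

```php
<?php
// Added example (not the course skeleton's code): checkAuth() for the CAS flow.
// Assumes the CAS base URL from slide 11 and the CAS 2.0 /serviceValidate endpoint.
session_start();                       // must be the very first thing that runs

const CAS_BASE = 'https://login.oregonstate.edu/cas';

function currentUrl(): string {
    // Same construction as the slides, minus any query string: the "service"
    // value must be identical at redirect time and at ticket-validation time.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://'
         . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'];
}

function checkAuth(): string {
    if (isset($_SESSION['onidid']) && $_SESSION['onidid'] !== '') {
        return $_SESSION['onidid'];    // already logged in
    }
    $service = currentUrl();
    if (isset($_GET['ticket'])) {
        // Server-to-server check of the ticket (slide 11); the browser never
        // sees this request or its response.
        $url = CAS_BASE . '/serviceValidate?service=' . rawurlencode($service)
             . '&ticket=' . rawurlencode($_GET['ticket']);
        $xml = file_get_contents($url);
        if ($xml !== false
            && preg_match('/<cas:user>([a-zA-Z0-9]+)<\/cas:user>/', $xml, $m)) {
            session_regenerate_id(true);   // defensive addition: fresh session id
            $_SESSION['onidid'] = $m[1];
            // Reload X without the ticket so it is not bookmarked or re-sent
            header('Location: ' . $service);
            exit;
        }
        // Ticket did not validate: fall through and send the user to CAS again
    }
    // Not logged in: hand the user to CAS, passing X as the service parameter
    header('Location: ' . CAS_BASE . '/login?service=' . rawurlencode($service));
    exit;
}
```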

  12. Caveats about using CAS
  • If you use CAS, then
      • OSU could pretend to be a certain user
          • They control the login form
          • They can make it say whatever they want
          • So it could say "joesmith" even if it's not the real user
      • Nobody can log into your site if CAS crashes
      • Your site either has to be running on another OSU server, or you need to establish an agreement with the CAS admins

  13. Next option: Custom login form
  • More complicated in some ways than CAS
      • You have to create a login form
      • And you have to create a registration form
      • You also handle storage & lookup of credentials
          • This means securely storing passwords
          • Hashing is mandatory (we'll cover in a moment)
      • Now init.php also creates a "users" table

  14. Login flow with your own form (sequence diagram; participants: Browser, Page X, Your login form, Your Database; messages, in order: Click link; Give me X; Check session; Sry, log in, bro; Ok, give me the login form; Here it is; Enter info; Username & password; Check if it's legit; Update session; Ok, you can go to X now; Give me X; Check session; Here it is)

  15. Let's walk through a site skeleton
  Browse at http://web.engr.oregonstate.edu/~scaffidc/courses/cs290/skeleton4
  Download from http://web.engr.oregonstate.edu/~scaffidc/courses/cs290/lectures/site_skeleton4.zip
  Good about this skeleton: Simple site structure, has database that stores user credentials
  Bad about this skeleton: Still same page title on every page; still needs input validation

  16. About that site skeleton (4)
  • All the pages include _header.php
  • This PHP provides a checkAuth() function
      • Returns the user's uid
      • Either by finding it in the session (if logged in)
      • OR by redirecting user to login.php
      • This uid is a primary key in our own "users" table
  • The add_course.php page still defends itself
      • So "Page X" is add_course.php in this example
  • And now we also have an add_user.php
      • So that the user can register
      • This page does NOT require user to log in first

  17. About the key lines of code for setting up a table, storing passwords
  • Creating a table with auto-assigned primary key to store our users
        create table users(
            uid integer NOT NULL AUTO_INCREMENT,
            username varchar(64),
            password varchar(512),
            primary key(uid)
        )
  • Checking if username is taken
        $query = $mysqli->prepare("select uid from users where username = ?");
        $query->bind_param("s", $username);
        if ($query->execute()) {
            $query->bind_result($uid);
            if ($query->fetch()) /* then username is already taken… display an error */
            …
  • Hashing a password before storing it in the database
        $hashedPassword = base64_encode(hash('sha256', $password . $username));
        if ($stmt = $mysqli->prepare("insert into users(username,password) values(?,?)")) {
            $stmt->bind_param("ss", $username, $hashedPassword);
            $stmt->execute();
            …

  18. About the key lines of code for redirecting to login & authenticating
  • Remember to start the session… must be the very 1st line
        session_start();
  • Checking if the user is logged in
        if (isset($_SESSION["uid"]) && $_SESSION["uid"] != "")
  • Getting the current URL
        "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"]
  • Redirecting to our own login form
        $currentUrl = currentUrl();
        $urlOfLogin = "login.php?sendBackTo=" . rawurlencode($currentUrl) . "&cb=" . microtime(true);
        echo "<script>location.replace('$urlOfLogin');</script>";
  • Retrieving the uid for a given username and password
        $hashedPassword = base64_encode(hash('sha256', $password . $username));
        $query = $mysqli->prepare("select uid from users where username = ? and password = ?");
        $query->bind_param("ss", $username, $hashedPassword);
        if ($query->execute()) {
            $query->bind_result($uid);
            while ($query->fetch()) $_SESSION["uid"] = $uid;
            …
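The following is an added example, not site_skeleton4's own code, covering the registration and login lookups of slides 17 and 18 with PHP's built-in password_hash()/password_verify() in place of base64(sha256(password . username)), plus a check that the sendBackTo parameter from slide 18 still points at this site before redirecting to it. It assumes the users table from slide 17 and an already connected $mysqli.

```php
<?php
// Added example (not site_skeleton4's code). Assumes the "users" table from
// slide 17 and a connected $mysqli; password_hash() output (~60 chars) fits
// the varchar(512) password column.
session_start();

function registerUser(mysqli $mysqli, string $username, string $password): bool {
    // Same "is the username taken?" query as slide 17
    $q = $mysqli->prepare('select uid from users where username = ?');
    $q->bind_param('s', $username);
    $q->execute();
    $q->store_result();
    if ($q->num_rows > 0) {
        return false;                       // taken: caller displays an error
    }
    // Salted, deliberately slow hash; salt and cost travel inside the string
    $hashed = password_hash($password, PASSWORD_DEFAULT);
    $ins = $mysqli->prepare('insert into users(username, password) values(?, ?)');
    $ins->bind_param('ss', $username, $hashed);
    return $ins->execute();
}

function loginUser(mysqli $mysqli, string $username, string $password): ?int {
    // Fetch by username only; the password is checked in PHP, not in the SQL
    $q = $mysqli->prepare('select uid, password from users where username = ?');
    $q->bind_param('s', $username);
    $q->execute();
    $q->bind_result($uid, $stored);
    if (!$q->fetch() || !password_verify($password, $stored)) {
        return null;                        // unknown user or wrong password
    }
    session_regenerate_id(true);            // new session id once logged in
    $_SESSION['uid'] = $uid;
    return $uid;
}

function safeSendBackTo(string $target): string {
    // sendBackTo arrives in the query string; only redirect back to this site
    $p = parse_url($target);
    if ($p === false || empty($p['path']) || $p['path'][0] !== '/') {
        return '/';
    }
    $hostOk = !isset($p['host']) || $p['host'] === $_SERVER['SERVER_NAME'];
    $schemeOk = !isset($p['scheme']) || in_array($p['scheme'], ['http', 'https'], true);
    return ($hostOk && $schemeOk) ? $target : '/';
}
```

After a successful loginUser() call, login.php would redirect to safeSendBackTo($_GET['sendBackTo']) rather than to the raw parameter.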

  19. How does hashing work?
  • Hashing basically trashes data in a reproducible, mostly unique, and irreversible way
      • Reproducible: The hash of "Big Bird" is garbage, but it's always the same garbage.
      • Mostly unique: The hash of "Oscar" is also garbage, but it's different garbage than the hash of "Big Bird"
      • Irreversible: Somebody who sees a certain hash is essentially unable to tell if it came from "Big Bird" or from "Oscar"

  20. Consequences of hashing
  • Irreversibility
      • Even if somebody steals the database, it's impossible to recover the passwords
  • Uniqueness
      • If the password the server is expecting is abc, then entering def won't generate the same hash
      • Meaning people can't log in with the wrong password
  • Reproducibility
      • If a certain password is used to create an account, then the same password can be used to log in.

  21. Other 3rd party services: Generally fairly similar to CAS
  • If user's session indicates not logged in {
      • Compute current URL (X)
      • Redirect user to 3rd party; pass current URL }
  • When 3rd party sends user back to X {
      • Retrieve a token of some sort (like a "ticket")
      • Check what account goes with that token
      • Mark the user's session as logged in }

  22. Generic 3rd party login flow (sequence diagram; participants: Browser, Page X, 3rd party, User database; messages, in order: Click link; Give me X; Check session; Sry, log in, bro; Ok, give me the login form; Here it is; Enter info; Username & password; Check if it's legit; Create token; Ok, you can go to X now (with token); Give me X (with token); Verify token; Update session; Here it is)

  23. Caveats about using 3rd party
  • If you use 3rd party, then
      • 3rd party could pretend to be a certain user
          • They control the login form
          • They can make it say whatever they want
          • So it could say "joesmith" even if it's not the real user
      • Nobody can log into your site if 3rd party crashes
      • Users might get confused about why they're being asked to log into 3rd party site: "Why is this website asking me for my Google password? It must be a scam!"

  24. Additional notes about 3rd party
  • Some 3rd party services require you to write JavaScript and also server-side code (e.g., Google)
      • The login form (or a button for it) appears inside your own web page
      • You have to write JavaScript that gets called when the user has logged in (i.e., the callback is to a JS function, rather than a redirect)
      • In your JavaScript, you get your hands on a token id
      • And then your JavaScript sends this token id to your server
      • Then you also have to write server-side code (PHP) to do a server-to-server connection to check the token
      • Analogous to checking a CAS ticket

  25. Tradeoffs
