User Authentication Methods for PHP Websites

Chapter 6: Authentications

Overview • Getting Username and Password • Verifying Username and Password • Keeping The Verification Result

Getting Username and Password (1) • Two methods to get username and password from browser. • HTTP Authentication with PHP • Taking use of HTML ‘<form>’ tag. • HTTP Authentication with PHP • Taking use of HTTP Header • Headers Sent: • WWW-Authenticate: Basic realm="My Realm” • HTTP/1.0 401 Unauthorized • Example <?php header('WWW-Authenticate: Basic realm="PHP Tranning"'); header("HTTP/1.0 401 Unauthorized"); ?>

Getting Username and Password (2) • To get user’s input • Using the super-global: $_SERVER[‘'PHP_AUTH_USER ’] • The basic HTTP authentication example <?php if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate: Basic realm="PHP Tranning"'); header('HTTP/1.0 401 Unauthorized'); echo 'Text to send if user hits Cancel button'; } else { echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>"; echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>"; } ?>

Getting Username and Password (3) • Digest HTTP Authentication example • When using HTTP Basic Authentication, the username-password pair is effectively transmitted in the clear. • Using digest authentication, your password is never sent across the network in the clear, but is always transmitted as an MD5 digest of the user's password. • This mechanism is alternative authentication method. Hence, We don’t describe more detail about it. • If you are interesting in this method, you can refer the example of PHP manual.

Getting Username and Password (4) • Taking use of html ‘<form>’ tag • Using POST method to get user’s input. • Note: GET is not recommended because it appears in URL. • Example <form method="POST" action="6-2.php"> Username: <input type="text" name="user"> <br /> Password: <input type="password" name="pass"> <br /> <input type="submit" value="Login"> <input type="reset" value="Clear"> <?php echo "<p>Hello {$_POST['user']}.</p>"; echo "<p>You entered {$_POST['pass']}", " as your password.</p>"; ?>

Getting Username and Password (5) • Practicing • Creating a HTML page in order to input username, password, and others data which you want to know, for example, name, birthday, mail address, or simple math question. • Creating a PHP page which can receive authentication information from above HTML page with POST method. If it cannot reveice authentication data from POST method, it must produce a authentication input message box itself. • When it received username, password, and others user’s input, show it on browser http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1a.html http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1a.txt http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1b.php http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1b.txt

Verifying Username and Password (1) • Verification • After getting the username and password from users, the coming problem is “how to check” the correctness. • How to encrypt the password? We do not mention here. • We only protect service from malformed connections. • Approaches • To record the username/password in • PHP Arrays • Databases • To take use of existing services. • FTP • POP3/IMAP • …etc.

Verifying Username and Password (2) • Verification using PHP array • To record the “username => password” maps in an array • Example $users = array( 'Mary' => 'aa123', 'John' => 'uupx', 'Jerry'=> 'password'); function auth(){ header('WWW-Authenticate: Basic realm="PHP Tranning"'); header('HTTP/1.0 401 Unauthorized'); echo 'Text to send if user hits Cancel button'; } function check_auth($usr, $pwd){ global $users; if ($users[$usr] == $pwd) return TRUE; else return FALSE; } $un = $_SERVER['PHP_AUTH_USER']; $up = $_SERVER['PHP_AUTH_PW']; if (!isset($un) || !check_auth($un, $up) ) { auth(); } else { echo "<p>Hello {$un}.</p>"; echo "<p>You entered $up as your password.</p>"; }

Verifying Username and Password (3) • Verification using databases • To record the “username => password” maps in a database table. • Example (change the check_auth function in previous example) $link = mysql_connect("localhost", "ystseng", “xxxxxx") or die(mysql_errno($link).": ".mysql_error($link)); mysql_select_db("ystseng_tphp", $link) or die(mysql_errno($link).": ".mysql_error($link)); function check_auth($usr, $pwd){ global $link; $sql = "Select ID From auth Where username='$usr' And password='$pwd'"; if (!($result = mysql_query($sql, $link))) return false; if (mysql_num_rows($result) == 1) return true; else return false; }

Verifying Username and Password (4) • Verification using existing FTP Service • Try to login to an existing FTP site, if FTP site accepts the username and password, we accept it too. • Example (change the check_auth function in previous example) function check_auth($usr, $pwd){ $ftp_server="tphp.cs.nctu.edu.tw"; $conn_id = ftp_connect($ftp_server); // login with username and password $login_result = ftp_login($conn_id, $usr, $pwd); // check connection if ((!$conn_id) || (!$login_result)) $result = FALSE; else $result = TRUE; ftp_close($conn_id); return $result; }

Verifying Username and Password (5) • Verification using existing E-Mail Service • Try to login to an existing Mail Server, check if the username and password accepted by the E-Mail Server (Protocol: POP3, IMAP). • Example (change the check_auth function in previous example) function check_auth($usr, $pwd){ $ret = @(imap_open("{msa.hinet.net:143}", "$usr", "$pwd", OP_HALFOPEN)); $auth = $ret ? true : false; if ($ret) imap_close($ret); return $auth; }

Verifying Username and Password (6) http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1a.html http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1a.txt http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1b.php http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1b.txt • Practicing • Creating a HTML page in order to input username, password, and others data which you want to know, for example, name, birthday, mail address, or simple math question. • Creating a PHP page which can receive authentication information from above HTML page with POST method. If it cannot reveice authentication data from POST method, it must produce a authentication input message box itself. • When authentication information is correct, it will show “hello message” and visited counter. This visited counter can store in cookie (remember to set expire time) • Hits: • You can use array variable in your PHP code or database to store username and password which be compared with user’s input.

Keeping The Verification Result (1) • After authentication, we have to keep username and password that user types. • While using the “HTTP Authentication”, browsers will send the user/pass in header before closed. • While using “HTML <form> tag”, we have to keep data ourselves. • Methods • Using <intput type=hidden> while jumping between pages. • Not suitable, easily loss, and username/password will appear in HTML. • cookie and session mentioned in chapter 4. • Difference • cookie stores in client side, session in server side. • session ends with browser closed, cookie can be kept for longer time.

Keeping The Verification Result (2) • Examples • We design a function to check whether login successfully • If no, redirect browsing page to login page • Login procedure will check username and password • When it login successfully, it will redirect again to original page. • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_login.php • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_1.php • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_2.php • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_3.php • http://tphp.cs.nctu.edu.tw/tphp/ex6-3_logout.php

Keeping The Verification Result (3) • ex6-3_inc.php • library function. It will be include all PHP pages. <?php $users = array("peter" => "1234", "mary" => "abcd"); function check_auth() { global $users; if ($_COOKIE['PASS'] === null || $_COOKIE['USER'] === null) { header("Location: ex6-3_login.php?URL=$_SERVER[PHP_SELF]"); } if (md5($users[$_COOKIE['USER']]) != $_COOKIE['PASS']) { header("Location: ex6-3_login.php?URL=$_SERVER[PHP_SELF]"); } } ?>

Keeping The Verification Result (4) • ex6-3_login.php • Login PHP page. … … <form action="ex6-3_auth.php" method="post"> <input type="hidden" name="URL" value="<?=$_GET['URL'] ?>"> Username: <input type="text" name="USER"><br> Password: <input type="password" name="PASS"><br> <input type="submit" value="Login"> </form> … …

Keeping The Verification Result (5) • ex6-3_auth.php • Login procedure PHP page. <?php require_once("ex6-3_inc.php"); if ($users[$_POST['USER']] == $_POST['PASS']) { setcookie("USER", $_POST['USER'], time() + 3600); setcookie("PASS", md5($_POST['PASS']), time() + 3600); if ($_POST['URL']) { /* redirect to original page */ header("Location: http://$_SERVER[SERVER_NAME]$_POST[URL]"); } else { header("Location: ex6-3_1.php"); } } else { echo "Wrong username or password"; } ?>

Keeping The Verification Result (6) • ex6-3_1.php • Data PHP page. • ex6-3_2.php • Data PHP page. <?php require_once("ex6-3_inc.php"); check_auth(); echo "Hello, $_COOKIE[USER], this file is ex6-3_1.php"; ?> <?php require_once("ex6-3_inc.php"); check_auth(); echo "hay!, $_COOKIE[USER], this file is ex6-3_2.php"; ?>

Q&A

User Authentication Methods for PHP Websites

User Authentication Methods for PHP Websites

Presentation Transcript

Chapter 8

Night

CD-ROM Chapter 15

Regulations for the Lodges Chapter 51-100 Masonic Code of Wisconsin

Course Contents

Chapter 6 Sexual Reproduction In Man

English Review for Final

Chapter 9

Business Correspondences

Physics 218 Lecture 15

Chapter 6

Welcome

English Review for Final

Overview

IS/CS 698 Web Services and Authentications Digital Identification

Chapter 10 P h o t o s y n t h e s i s

CD-ROM Chapter 14