Transcript of lecture slides
Feedback #2 (under assignments)
Lecture Code:
http://decal.aw-industries.com
Today's Agenda
Course Feedback
Announcements
Building a Login System
Wrap Up
Announcements
Last Day of Class Today
Interest in Presenting Final Projects?
FP Deadlines
12/6: Photoshop Layout
12/13: Entire, Fully-Functional Project
Web Design: Basic to Advanced Techniques
Fall 2010, Mondays 7-9pm
200 Sutardja-Dai Hall
Building a Login System
Login Systems
Functionality
Login
Verify Credentials
Logout
Remember Me
Register
Components
Front End: Form
Back End: PHP for Authentication
Database
Front End (Form) -> Back End (PHP for Authentication): login, password
Back End -> Database: search for user with given login
Database -> Back End: encrypted password
Back End -> Front End: authenticated session id
Form (browser view and code)
Database
login      password
alex       iliketowork
jon        peaches
amber      peaches
michael    databasesarecool
Totally insecure!
What if someone hacks your database?
Can discover all passwords. Can log in as anyone.
Database Improved
Better, but… leaks information.
login      encrypted password
alex       djfxsfr2NIMmu2W0
jon        xGBfwjvdK3A4VgjY
amber      xGBfwjvdK3A4VgjY
michael    3FI1IiNJZ6QjAkdQ
If someone hacks the database:
Cannot log in as anyone.
Or can they?
Can notice Jon and Amber have the same password.
Database Best
Secure! Assuming random salt and cryptography done correctly.
login      encrypted password    salt
alex       djfxsfr2NIMmu2W0      B1USHXMZ3JgkOTDW
jon        xGBfwjvdK3A4VgjY      TCRJRrLR0MpdcgtX
amber      xKomGtFIOELCO3cc      UySPSuyJPQoIfgE5
michael    3FI1IiNJZ6QjAkdQ      zj1NfuTT7uJxpCaV
Database Takeaways
Never store plain text passwords!
Compare encrypted passwords instead.
Use a random salt to prevent information leaks.
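The three tables above, worked through in code. This is an added example, not code from the lecture, and it is written in Python rather than the course's PHP so that it runs without a web server. The four users and their passwords are the constructed ones from the slides; what the slides call the "encrypted password" is computed here as a salted PBKDF2 hash (a one-way hash, not reversible encryption), and the helper names are my own.

```python
import hashlib
import hmac
import os

# Constructed sample users, the same four as on the lecture's slides.
USERS = {
    "alex": "iliketowork",
    "jon": "peaches",
    "amber": "peaches",
    "michael": "databasesarecool",
}

# One constant shared by every row behaves, for the leak shown below,
# exactly like storing no salt at all ("Database Improved").
NO_PER_USER_SALT = b"same-for-everyone"


def hash_password(password: str, salt: bytes) -> str:
    """Salted one-way hash (PBKDF2-HMAC-SHA256, 100k rounds).
    This is the value the slides call the 'encrypted password'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_table_unsalted() -> dict:
    """'Database Improved': every row hashed with the same salt, so two users
    with the same password end up with identical stored values."""
    return {
        login: {"salt": NO_PER_USER_SALT,
                "encrypted_password": hash_password(pw, NO_PER_USER_SALT)}
        for login, pw in USERS.items()
    }


def build_table_salted() -> dict:
    """'Database Best': a fresh random 16-byte salt per row, stored next to the hash."""
    table = {}
    for login, pw in USERS.items():
        salt = os.urandom(16)
        table[login] = {"salt": salt, "encrypted_password": hash_password(pw, salt)}
    return table


def verify(table: dict, login: str, candidate: str) -> bool:
    """Never compare plaintext: re-hash the candidate with the stored salt and
    compare the two hashes in constant time."""
    row = table.get(login)
    if row is None:
        return False
    return hmac.compare_digest(hash_password(candidate, row["salt"]),
                               row["encrypted_password"])


def same_password_visible(table: dict, a: str, b: str) -> bool:
    """What someone who has stolen the table can read off it without cracking
    anything: whether two users' stored values are identical."""
    return table[a]["encrypted_password"] == table[b]["encrypted_password"]


if __name__ == "__main__":
    unsalted, salted = build_table_unsalted(), build_table_salted()
    print("unsalted: jon == amber ->", same_password_visible(unsalted, "jon", "amber"))
    print("salted:   jon == amber ->", same_password_visible(salted, "jon", "amber"))
    print("login jon/peaches ->", verify(salted, "jon", "peaches"))
```

Running it shows the Jon/Amber leak in the unsalted table and its disappearance once each row has its own salt, while `verify` still accepts the right password against either table because the salt is stored beside the hash.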
Authentication: verify login credentials
1. User submits login and password via form
2. PHP retrieves posted information via $_POST['login'] and $_POST['password']
3. PHP runs database query: SELECT * from Users WHERE login = $_POST['login']
4. Authenticate: Encrypt($_POST['password'], $row['salt']) == $row['encrypted_password']
HUGE security vulnerability in step 3 (the posted login is pasted straight into the SQL). Use prepared statements instead:
http://php.net/manual/en/pdo.prepared-statements.php
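Steps 3 and 4 with the fix the slide asks for: the login goes to the database as a bound parameter of a prepared statement, never as part of the query text. This is an added example, not the lecture's code; it uses Python's sqlite3 module as a stand-in for PHP's PDO and MySQL, the Users table and its two rows are constructed, and the hash function is the same salted PBKDF2 used in the password-storage example above.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> str:
    """Salted one-way hash (PBKDF2-HMAC-SHA256); the slides' 'Encrypt'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def create_users_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL Users table, filled with constructed rows
    (login, encrypted_password, salt), exactly the columns of 'Database Best'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (login TEXT PRIMARY KEY, encrypted_password TEXT, salt BLOB)"
    )
    for login, password in [("alex", "iliketowork"), ("jon", "peaches")]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO Users (login, encrypted_password, salt) VALUES (?, ?, ?)",
            (login, hash_password(password, salt), salt),
        )
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, posted_login: str, posted_password: str) -> bool:
    """Steps 3 and 4 from the slide. The login is bound to the '?' placeholder,
    so whatever the form contained is compared as data and cannot change the
    shape of the query. The hash comparison is constant-time."""
    row = conn.execute(
        "SELECT encrypted_password, salt FROM Users WHERE login = ?",
        (posted_login,),
    ).fetchone()
    if row is None:
        return False  # unknown login gets the same answer as a wrong password
    encrypted_password, salt = row
    return hmac.compare_digest(hash_password(posted_password, salt), encrypted_password)


if __name__ == "__main__":
    db = create_users_db()
    print(authenticate(db, "jon", "peaches"))   # correct credentials -> True
    print(authenticate(db, "jon", "bananas"))   # wrong password -> False
    print(authenticate(db, "o'connor", "x"))    # a quote in the login is just data
```

The last call is the point of the placeholder: a login containing a single quote would have broken the string-built query from step 3, but bound as a parameter it is simply a login that does not exist.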
What if we visit a new page?
We would need to ask for credentials again. What a bother!
Why? Because HTTP is stateless.
How do we fix this? Sessions.
What should happen:
After logging in initially we want to be able to stay logged in until we close the browser or log out.
Also want the site to remember who we are.
We need some sort of state, memory, between page loads.
Cookies to the Rescue?
Could store as cookies:
User ID: 599
Logged In: 1
And send cookies every time we load a page. Server could then check that we're logged in and know who we are logged in as.
Issues?
Totally insecure! Could log in as whoever you want.
We need state, but we can't store sensitive data on the client side. Thankfully there is server-side state!
Sessions: server-side state
Could store (on the server): User ID 599
But how do we identify which stored record belongs to a particular client? Need to store an identifier too.
Session ID    User ID
1             599
2             458
What's Inside Each?
Cookie: Session ID 1
Sessions (server side):
Session ID    User ID
1             599
2             458
Secure?
Nope. Can change our cookie to hijack other sessions.
What Should Be Inside Each
Cookie: Session Key XGnCmUE2dV3sTnA6
Sessions (server side):
Session Key         User ID
XGnCmUE2dV3sTnA6    599
KHmA2XiScwgPy70w    458
Secure?
Yes. As long as our Session Key is random and sufficiently long (enough entropy).
Initial Interaction
Front End (Form) -> Back End (PHP for Authentication): login, password
Back End -> Database: search for user with given login
Database -> Back End: encrypted password
Back End -> Front End: authenticated session key
Subsequent Interaction
Browser -> Back End (PHP for Authentication): session id (cookie: Session Key XGnCmUE2dV3sTnA6)
Back End looks the key up in the Sessions table:
Session Key         User ID
XGnCmUE2dV3sTnA6    599
KHmA2XiScwgPy70w    458
Back End -> Browser: private web page
Session Hijacking
Session key is king. If someone is able to determine the value of your session key they can send the same cookie to the server and have access to your full account.
Firesheep
Making Session Hijacking Harder
Unique Request Headers
HTTPS
Also session fixation attacks...
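The server-side session table from the "What Should Be Inside Each" slides, plus the two hardening ideas from the hijacking slides (binding the session to a request header, and discarding any key the client already held at login, which is the standard answer to session fixation). This is an added example, not the lecture's code, written in Python rather than PHP; the in-memory `SESSIONS` dictionary stands in for whatever store the server uses, the User-Agent strings are constructed, and all function names are my own.

```python
import secrets
from typing import Optional

# Server-side session table (the slides' "Sessions": key -> who it belongs to),
# extended with the User-Agent header seen when the session was created.
SESSIONS: dict = {}


def new_session_key() -> str:
    """16 random bytes (128 bits of entropy) from the OS CSPRNG, URL-safe encoded.
    Sequential ids like 1, 2, 3 would let anyone walk through other users' sessions."""
    return secrets.token_urlsafe(16)


def login(user_id: int, user_agent: str, presented_key: Optional[str] = None) -> str:
    """Initial interaction: once credentials check out, mint a fresh key and record
    the mapping on the server. A key the client already presented (possibly one
    planted by a session-fixation attempt) is forgotten rather than reused."""
    if presented_key is not None:
        SESSIONS.pop(presented_key, None)
    key = new_session_key()
    SESSIONS[key] = {"user_id": user_id, "user_agent": user_agent}
    return key  # the only thing that goes into the cookie


def user_for_request(cookie_key: str, user_agent: str) -> Optional[int]:
    """Subsequent interaction: resolve the cookie to a user id. Unknown keys are
    rejected; so is a known key arriving with a different User-Agent than at
    login (the 'unique request headers' check)."""
    record = SESSIONS.get(cookie_key)
    if record is None or record["user_agent"] != user_agent:
        return None
    return record["user_id"]


def logout(cookie_key: str) -> None:
    """Drop the server-side record; the cookie value becomes worthless."""
    SESSIONS.pop(cookie_key, None)


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed user agent)"
    key = login(599, ua)
    print("cookie:", key)
    print("same browser ->", user_for_request(key, ua))        # 599
    print("guessed key '1' ->", user_for_request("1", ua))       # None
    print("other browser ->", user_for_request(key, "Other/1.0"))  # None
```

The header check only raises the bar: a header is not secret, and anyone who can read the cookie off the wire can copy the User-Agent too, which is why the slide lists HTTPS alongside it. The random key is what actually makes the table safe against guessing; the rotation at login is what closes the fixation case.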
Writing Your Own Authentication System
Is very hard
Lots of things have to go right to make it secure, and one thing wrong can jeopardize the entire system's security
Look for a reputable plugin
Use established encryption techniques
Semester Wrap Up
What We've Learned
HTML
CSS
jQuery (JavaScript)
PHP
MySQL
What Now? Forget PHP
Want to build Facebook in a month, by yourself?
Learn: Ruby on Rails!
Still need all our knowledge of HTML, CSS, jQuery, MySQL
CS169
Great Rails resource: http://railscasts.com/
Keep in Touch…
Let me know what you're up to… What you're building… If you need advice…
Facebook Group or email
Additional Resources
General Web Design/Development Tutorials: http://www.smashingmagazine.com/
Photoshop Tutorials: http://www.tutorial9.net/
Awesome Web Designs: http://cssremix.com/