How to Create a Secure Login Script in PHP and MySQL - WikiHow
Secure login
Uploaded by worapot-jakkhupan
ICT@PSU 308-364 Advanced Web Programming 1 of 15
Securely Login with Salted Password
308-364 Advanced Web Programming
1/2558
Simplicity is the ultimate sophistication
Leonardo da Vinci
Objectives
• Setup HTTPS server in XAMPP
  https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/
• Implement a secure login using hashed passwords
  http://webexplorar.com/php-best-secure-user-registration-with-login-example/
Secure communication using HTTPS
• In order to enable the encryption of your password, you must create an SSL certificate (containing your public key) and a server private key.
• XAMPP provides a batch file for creating a new certificate/key with random encryption keys.
• Open a command window (Start->Run, type “cmd” and press “OK”)
  • cd c:\xampp\apache
  • makecert
• Import the certificate into the browser
• Edit the Apache config for encryption-only access to password protected folders.
  • Make folders accessible with SSL encryption only
  • Redirect “http” to “https” for certain folders
Setup HTTPS in XAMPP
Steps to set up server.crt
• Provide a new pass phrase for your key. You will need to remember this if anything goes wrong with your certificate or you need to reinstall. Put it somewhere safe.
• Verify the pass phrase by retyping it
• Enter a country code. This will typically be ZA
• Enter a province name. This will typically be something like Gauteng or KwaZulu-Natal
• Enter your city name. This can be anything, such as Midrand or Franschhoek
• Enter your full school name. This might be something like Midvale School
• You can leave the Organizational unit blank if you like. However, if you have multiple schools (and hence installations of ADAM) within a single school entity, you might want to put something like Girls College or Preparatory School here
• The common name is not your name, as the prompt suggests, but rather the common name of the website you are securing (the utility that is generating the certificate can also generate personal certificates, hence this prompt). This is likely to be something like adam.midvale.co.za
• Enter a general contact e-mail address here, typically something like [email protected]
• You can leave the challenge password blank
• You can leave the optional company name blank
• Enter the pass phrase that you entered at the start of the process.
Modify httpd.conf and httpd-ssl.conf
• First, we need to inform Apache that the folders you want to encrypt should always use encryption.
• Open httpd.conf and uncomment the line
  #LoadModule ssl_module modules/mod_ssl.so
• Open httpd-ssl.conf and point it at the protected folder, requiring SSL for that directory
  DocumentRoot "C:/xampp/htdocs/secure"
  <Directory "C:/xampp/htdocs/secure">
  …
  SSLRequireSSL
  </Directory>
  DocumentRoot "C:/xampp/htdocs/secure"
Results
Redirect “http” to “https” for certain folders
• To accomplish the redirection, we will use mod_rewrite.
• Open httpd.conf and uncomment the line
  #LoadModule rewrite_module modules/mod_rewrite.so
• Now, paste the following text into the bottom of c:\xampp\apache\conf\extra\httpd-xampp.conf (any request that did not arrive over HTTPS is redirected to the same path on https://)
  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
  </IfModule>
Secure Password
• If you're a web developer, you've probably had to make a user account system.
• The most important aspect of a user account system is how user passwords are protected.
• In a traditional secure login:
  1. The user creates an account.
  2. Their password is hashed (MD5, SHA1, SHA256) and stored in the database.
  3. When the user attempts to log in, the hash of the password they entered is checked against the hash of their real password retrieved from the database.
  4. If the hashes match, the user is granted access.
  Steps 3 and 4 repeat every time someone tries to log in to their account.
• A password that is only hashed (without a salt) is no longer secure.
• The two most common ways of guessing passwords are dictionary attacks and brute-force attacks.
https://crackstation.net/hashing-security.htm
Salted Hashing
• The best way to protect passwords is to employ salted password hashing.
• A new salt is randomly generated for each password.
• To store a password:
  • Generate a long random salt using a CSPRNG.
  • Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256.
  • Save both the salt and the hash in the user's database record.
• To validate a password:
  • Retrieve the user's salt and hash from the database.
  • Prepend the salt to the given password and hash it using the same hash function.
  • Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect.
http://www.codeotaku.com/journal/2009-10/secure-login-using-ajax/index
1. Generate Database
CREATE TABLE `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`userEmail` varchar(255) NOT NULL,
`userName` varchar(255) NOT NULL,
`userPassword` varchar(255) NOT NULL,
`enable` int(11) NOT NULL DEFAULT '1',
`regDateTime` datetime NOT NULL,
`salt` varchar(255) NOT NULL,
PRIMARY KEY (`id`,`userEmail`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;
https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/
2. Create forms
<form method="post" action="registration.php">
User Name: <input type="text" name="userName" id="userName"/> <br/>
Password: <input type="password" name="userPassword" id="userPassword"/> <br/>
Email Address: <input type="text" name="userEmail" id="userEmail"/> <br/>
<input type="submit" id="user-btn-signup" value="Registration" name="userSubmit"/>
</form>
<form method="post" action="login.php">
User Name: <input type="text" name="userName" id="userName"/> <br/>
Password: <input type="password" name="userPassword" id="userPassword"/> <br/>
<input type="submit" id="user-btn-login" value="Login" name="userSubmit"/>
</form>
https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/
registration.php
function createSalt() {
    // The slides' salt: the first 5 hex characters of md5(uniqid(rand(), true)).
    // Note that rand()/uniqid() are not a CSPRNG and 5 characters is short;
    // the Salted Hashing slide asks for a long salt from a CSPRNG.
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 5);
}
$userpassword = trim($_POST['userPassword']);   // from the registration form
$salt_reg = createSalt();
// Salt is prepended to the password before hashing, as on the Salted Hashing slide
$userpasswdHash = hash('sha256', $salt_reg . $userpassword);
Connect to the database and store userName, userEmail, $userpasswdHash and $salt_reg in the users table
https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/
login.php
// mysql_* functions are the slides' (deprecated, removed in PHP 7) database API
$username = mysql_real_escape_string(trim($_POST['userName']));
// The password is only hashed, never placed in SQL, so it must not be escaped:
// escaping would alter passwords containing quotes or backslashes and break the comparison
$userpassword = trim($_POST['userPassword']);
// $result_check holds the rows selected for $username (salt and userPassword columns)
$userData = mysql_fetch_array($result_check, MYSQL_ASSOC);
$db_salt = trim($userData['salt']);
$hash_entered = hash('sha256', $db_salt . $userpassword);
// Grant access only if the recomputed hash matches the stored hash (constant-time compare)
if (hash_equals($userData['userPassword'], $hash_entered)) {
    // login succeeded: start the session for $username
} else {
    // login failed
}
https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/
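The store and validate procedures from the Salted Hashing slide, carried through against the `users` table of slide 11, as an added example that is not part of the slides: it replaces the mysql_* calls with PDO prepared statements and uses an in-memory SQLite database so it runs offline (the DSN, table DDL in SQLite syntax, and the constructed user are assumptions).

```php
<?php
// Added example, not from the slides: salted-hash registration and login for
// the slide-11 `users` table via PDO. Runs offline on in-memory SQLite; for MySQL
// use new PDO('mysql:host=...;dbname=...', $user, $pass) and the slide-11 DDL.

function createSalt(int $bytes = 16): string {
    // Long salt from a CSPRNG, as slide 10 asks (32 hex chars, not a 5-char md5 prefix)
    return bin2hex(random_bytes($bytes));
}

function hashPassword(string $salt, string $password): string {
    // Salt is prepended to the password and the pair hashed with SHA-256
    return hash('sha256', $salt . $password);
}

function registerUser(PDO $db, string $email, string $name, string $password): void {
    $salt = createSalt();
    $stmt = $db->prepare('INSERT INTO users (userEmail, userName, userPassword, regDateTime, salt)
                          VALUES (:email, :name, :hash, :now, :salt)');
    $stmt->execute([
        ':email' => $email, ':name' => $name,
        ':hash'  => hashPassword($salt, $password),
        ':now'   => date('Y-m-d H:i:s'), ':salt' => $salt,
    ]);
}

function loginUser(PDO $db, string $name, string $password): bool {
    // Bound parameter instead of mysql_real_escape_string(); read back only salt and hash
    $stmt = $db->prepare('SELECT userPassword, salt FROM users WHERE userName = :name AND enable = 1');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown or disabled user
    }
    // Constant-time comparison of the recomputed hash against the stored one
    return hash_equals($row['userPassword'], hashPassword($row['salt'], $password));
}

// Constructed in-memory database with the slide-11 columns in SQLite syntax
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, userEmail TEXT NOT NULL,
           userName TEXT NOT NULL UNIQUE, userPassword TEXT NOT NULL, enable INTEGER NOT NULL DEFAULT 1,
           regDateTime TEXT NOT NULL, salt TEXT NOT NULL)');

registerUser($db, 'alice@example.com', 'alice', 'correct horse battery');   // constructed user
var_dump(loginUser($db, 'alice', 'correct horse battery'));   // right user, right password
var_dump(loginUser($db, 'alice', 'wrong password'));          // right user, wrong password
var_dump(loginUser($db, 'nobody', 'correct horse battery'));  // unknown user
```

In current PHP, password_hash() and password_verify() perform the salting themselves and use a deliberately slow hash (bcrypt); a fast hash such as SHA-256, which is what the slides teach, lets an attacker who obtains the table test guesses far more quickly.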
Assignment (8%)
• Create an HTTPS server in XAMPP and force the website to operate only under the HTTPS protocol (4%)
• Create secure registration and login using hash and salt (4%)
• You may use Bootstrap to decorate your website
• Don’t forget to note the lessons learned!