PHP 5

1
PHP 5

• SI 539
• Fall 2004
• Prof. Sandra Bartlett

2
New Stuff for Today

• Authentication
• Sessions

3
User Authentication

• Have login name and password stored somewhere
• Get login and password from user
• Check if login and password from user match
  stored login name and password
• If a match is found do something (e.g., enter
  site, show data, etc.)
• Else do something else (e.g., let user try
  again, refuse site entry, etc.)

4
Make a password table

• Login to projects machine
• Login to database
• Make password table
• CREATE TABLE password
• ( name VARCHAR (20), passwd VARCHAR (20),
  ID INT NOT NULL AUTO_INCREMENT, PRIMARY KEY
  (ID)
• )

5
Or

• add login and password columns to your table
• (which you do depends on the structure of your
  database)

6
Password Table Security

• Encrypt all passwords
• Choose a "salt" to use for encrypting all
  passwords
• Use crypt() (PHP string function)

7
Create a Login Form

• ltform method"POST" action"doLogin.php"gtUsernam
  e
• ltinput type"text" name"name" size10/gt
• ltbr/gt
• Password
• ltinput type"password" name"passwd"
  size10/gt
• ltbr/gt
• ltinput type"submit" name"submit"
  value"Login"/gt
• lt/formgt

8
AuthenticatedoLogin.php

• lt?php
• include("auth.inc")
• doDBconnect()
• cryptPass crypt(_POSTpasswd, salt)
• result mysql_query("SELECT ID FROM password
  
• WHERE name\"_POSTname\" AND
• passwd \"cryptPass\"")
• if (mysql_fetch_array(result))
• echo("Successfully Logged In!
• lta href\"goodStuff.php\"gtEnter
  Sitelt/agt")
• ?gt

9
Watch it Work!

• http//projects.si.umich.edu/bartlett/authForm.ht
  ml

10
Alternative login form

• Let the browser make your login form!
• header('WWW-Authenticate Basic
• realm"My Project Name"')
• header('HTTP/1.0 401 Unauthorized')

11
How it fits in

• if (!isset(_SERVER'PHP_AUTH_USER'))
• header('WWW-Authenticate Basic realm"My
  Project Name"')
• header('HTTP/1.0 401 Unauthorized')
• echo 'Text to send if user hits Cancel
  button'
• // if
• else
• // use _SERVER'PHP_AUTH_USER' and
• // _SERVER'PHP_AUTH_PW'
• // like you would use _POSTname and
  _POSTpasswd
• // and do what you want to do if they have
  attempted a login
• // else

12
Watch it Work!

• http//projects.si.umich.edu/bartlett/sysAuth.php

13
Which to Choose?

• Make your own form
• Can have site look and feel users know it is
  part of your site
• Use browser form
• Less code for you to write
• Connection with your site is lost pops up,
  different look
• Your design decision

14
Oops!

• This authentication works fine for the page it is
  on, but everything is forgotten when the user
  goes to a new page (a "feature" of web pages)

15
Why Move Information from Page to Page

• Keep track of authentication across pages (login
  once)
• Use browser information to customize pages (check
  browser once)
• Personalize each page (ask user for name once and
  use it on each page)
• Fill a form with information from the previous
  page

16
How To?

• Add info to the URL of the next page (user can
  change it, limited size)
• Forms / hidden fields (user has to click the
  submit button to go to another page)
• Cookies (most convenient, most secure, but user
  can refuse them)
• Sessions

17
What is a cookie?

• Information for a web site that is saved on a
  users hard drive (text only)
• Stores user data between site pages and site
  visits
• Number of visits
• Login and password info
• User preferences
• Shopping cart info
• etc

18
Cookie parameters

• The name of the cookie,
• The value of the cookie,
• The expiration date of the cookie,
• The path the cookie is valid for,
• The domain the cookie is valid for,
• The need for a secure connection to exist to use
  the cookie.
• (data is often encrypted, so you can't mess with
  it)

19
What is a Session?

• The time the user spends at your Web site
• Often want info to follow the user as they use
  your site like authentication
• PHP session object
• Save info in session variables and pass it from
  page to page

20
How does a PHP session work?

• Assigns an ID number
• Stores ID and session variable values in a file
  on the server (not the client, like cookies)
• Passes the session ID to every page (so the
  server knows what file to get info from
• Cookie
• In the URL
• Gets variables from server file for each page

21
How should you handle Sessions?

• projects
• PHP version 4.3.2
• register_globals off
• session.auto_start off
• session.use_trans_sid off
• Skinner
• ??? (I don't have an account on Skinner)
• To find out, make a .php file with the following
  code and bring it up in a browser
• lt?php
• phpinfo()
• ?gt
• Other servers ???? (See PHP documentation)

22
Use _SESSION to Preserve Data Across Web Pages
in a Site

• Improved security
• Improved code readability
• Don't need to use
• session_register()
• session_unregister()
• session_is_registered()

23
Sessions on Projects (1)

• Put this line of code at the beginning of every
  page that needs the session variables BEFORE
  ANYTHING IS PRINTED
• session_start()

24
When is something printed

• Any HTML
• Wrong!!!
• lthtmlgt
• lt?php session_start() ?gt
• Right
• lt?php session_start() ?gt
• lthtmlgt
• Any echo or print
• Wrong!!!!
• lt?php echo "something" session_start() ?gt
• Right
• lt?php session_start() echo "something" ?gt

25
Sessions on Projects (2)

• Create a new session variable
• _SESSION'count' 0
• Use a session variable
• _SESSION'count' 29
• _SESSION'count'
• echo _SESSION'count'
• Destroy a session variable
• unset(_SESSION'count')
• WARNING do NOT unset(_SESSION)

26
Example

• http//projects.si.umich.edu/bartlett/junk.php

27
Security

• Attacks on session IDs
• Interception
• Prediction
• Brute-force
• Protection against these attacks
• Encryption (require SSL)
• Strong algorithm for session ID generation
• Long session ID and few concurrent sessions

28
Cookies

• http//www.phpfreaks.com/tutorials/120/0.php