Authentication Authorization - PowerPoint PPT Presentation

Slides: 19
Provided by: Stude8
Transcript and Presenter's Notes

1
Authentication / Authorization
  • Users and Access Control

2
Authentication
  • Who you are

3
Authorization
  • What you can do

4
Authentication and Authorization
  • Example: scanning your card at a door.
  • The scanner looks up the card ID and resolves it to a person ID
    (authentication).
  • It checks whether that person is allowed to open this door
    (authorization).
  • It unlocks the door (if appropriate).

5
Authentication without Authorization
  • You / your passport: it proves who you are, not what you may do.
  • CAS (Central Authentication Service): the login service proves who
    you are; each application still decides what you may do.

6
Authorization without Authentication
  • Combination lock: anyone who knows the combination gets in; the lock
    never learns who they are.
  • Thruway ticket: the ticket records where you entered and what you owe,
    not who you are.

7
Access Control in PHP
  • Using tools we already know (and love)
  • Store the user name and password in a MySQL database
  • Use header() to bounce unauthenticated users to the login page
  • Create a login page with user name and password inputs; it should
    POST to your authenticated page.

8
MD5
  • Because you don't trust your DBA: store md5(password) instead of the
    password, so someone with SELECT on the table does not see passwords
    in clear
  • $sql = "select pass, id from users where id = '" . $id . "' and pass = md5('" . $pass . "')";
  • MD5() is a MySQL function
  • Caveat: concatenating $id and $pass into the query text lets either
    value change the SQL itself (SQL injection). Pass them as parameters
    of a prepared statement instead.
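The login flow of slides 7 and 8 in working PHP, as an added example that is not part of the deck. The first function is the slide's query rebuilt by string concatenation and is kept deliberately vulnerable to show why it fails; the second is the hardened form using a PDO prepared statement and PHP's password_hash()/password_verify() (PHP 5.5 or later) in place of md5(). The users table and its id/pass columns follow slide 8; the DSN, credentials, file names and the authenticated.php target are assumptions. Unlike slide 7, the form posts back to login.php, which redirects on success.

```php
<?php
// login.php: added example, not the deck's code. Assumes a MySQL table
//   users (id VARCHAR(64) PRIMARY KEY, pass VARCHAR(255))
// as on slide 8 (pass is wide enough for a password_hash() string);
// the DSN and credentials are placeholders.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// --- Slide 8 as written: DO NOT USE --------------------------------------
// $id and $pass are pasted into the SQL text, so a posted id of
//     ' OR 1=1 --            (with a trailing space after the two dashes)
// yields   where id = '' OR 1=1 --  ' and pass = md5('...')
// and the password check is commented away. md5() is also an unsalted,
// fast digest, so a stolen table can be cracked offline.
function slide8_login(PDO $pdo, string $id, string $pass): bool
{
    $sql = "select pass, id from users where id = '" . $id . "' and pass = md5('" . $pass . "')";
    return $pdo->query($sql)->fetch() !== false;
}

// --- Hardened form --------------------------------------------------------
// Parameters never touch the SQL text; the stored hash is salted and slow.
function login(PDO $pdo, string $id, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT id, pass FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt from the stored string and compares in constant time
    return $row !== false && password_verify($pass, $row['pass']);
}

// Account creation stores password_hash($pass) instead of md5($pass).
function register(PDO $pdo, string $id, string $pass): void
{
    $stmt = $pdo->prepare('INSERT INTO users (id, pass) VALUES (?, ?)');
    $stmt->execute([$id, password_hash($pass, PASSWORD_DEFAULT)]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($pdo, $_POST['id'] ?? '', $_POST['pass'] ?? '')) {
        session_regenerate_id(true);      // fresh session id once the user is authenticated
        $_SESSION['user'] = $_POST['id'];
        header('Location: authenticated.php');
        exit();                           // slide 11: nothing below may run after the bounce
    }
    header('Location: login.php?failed=1');
    exit();
}
?>
<form method="post" action="login.php">
  <input name="id" placeholder="user name">
  <input name="pass" type="password" placeholder="password">
  <button type="submit">Log in</button>
</form>
```

The md5() variant is left in only to make the injection and the offline-cracking problem concrete; the page's own code should contain only the prepared-statement form.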
9
More MD5
  • MD5 returns a fixed-length (128-bit) digest that cannot be reversed
    to recover the input string
  • MD5 returns the same hash for a given string every time it is called,
    so the stored digest can be compared without knowing the password
  • MD5 may return the same hash for two different input strings (a
    collision); MD5 collisions can now be produced deliberately, and
    because the function is fast and unsalted it is no longer a suitable
    password hash (PHP's password_hash() is)

10
Improvement 1
  • Add a DB field that holds a user type (visitor/admin)
  • Create admin.php: it only allows admin users in
  • Create visitor.php: it allows either type of user in

11
EXIT
  • Must call exit() directly after header('Location: ...')
  • A Location header only asks the browser to go elsewhere; the script
    keeps running, so without exit() the code after the bounce still
    executes and its output is sent to the user who was bounced
  • exit() is equivalent to die(); both stop the script from executing
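Slide 10's two pages and slide 11's exit() rule as one added example, not the deck's code. It assumes the login page copied the user-type column into $_SESSION['type'] ('visitor' or 'admin') next to $_SESSION['user']; auth.php, require_type() and the file names are assumptions. The two page bodies are shown as comments at the end so the block stays a single file.

```php
<?php
// auth.php: added example, not the deck's code. Assumes login.php stored
// $_SESSION['user'] and $_SESSION['type'] ('visitor' or 'admin', from the
// user-type column of slide 10). File and function names are assumptions.

// Slide 10's two types, ranked so that admin implies visitor.
const TYPE_RANK = ['visitor' => 1, 'admin' => 2];

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Bounce the request unless the session holds at least $needed.
function require_type(string $needed): void
{
    ensure_session();
    $have = $_SESSION['type'] ?? null;
    if ($have === null || !isset(TYPE_RANK[$have])) {
        header('Location: login.php');     // not logged in
        exit();                            // slide 11: a Location header is only a
                                           // suggestion to the browser; without exit()
                                           // PHP keeps running and sends the page
                                           // body below to the bounced client
    }
    if (TYPE_RANK[$have] < TYPE_RANK[$needed]) {
        header('Location: visitor.php');   // logged in, but not an admin
        exit();
    }
}

// ---- admin.php: only admin users get in ---------------------------------
// require 'auth.php';
// require_type('admin');
// echo 'Welcome, admin ' . htmlspecialchars($_SESSION['user']);

// ---- visitor.php: either type gets in -----------------------------------
// require 'auth.php';
// require_type('visitor');
// echo 'Welcome, ' . htmlspecialchars($_SESSION['user']);
```

Putting the check in one helper that every protected page calls first means the header()/exit() pair exists in exactly one place, which is where it is easiest to audit.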

12
Improvement 2
  • WordPress has a user level field
  • User levels 1 to 10
  • Each level has all the authorizations of the levels below it, plus
    extras
  • (Why isn't this a scalable model?)

13
Improvement 2
  • Groups
  • Allow a user to belong to N groups
  • Certain sections of your website require the user to belong to a
    certain group to gain access
  • This is how Drupal and portal frameworks work.
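Why the level model of slide 12 does not scale: levels form a single chain, so two kinds of users with separate privileges (say accounting and editors) cannot be expressed without one of them inheriting everything the other has. Groups make membership a many-to-many relation, which is what slide 13 describes. The following is an added example of a group gate, not the deck's or Drupal's code; the tables, the require_group() helper, the db.php connection and the group names are assumptions.

```php
<?php
// groups.php: added example, not the deck's or Drupal's code.
// Assumed MySQL schema:
//   CREATE TABLE groups      (id INT PRIMARY KEY AUTO_INCREMENT, name VARCHAR(64) UNIQUE);
//   CREATE TABLE user_groups (user_id VARCHAR(64), group_id INT,
//                             PRIMARY KEY (user_id, group_id));   -- N groups per user
// db.php is assumed to create $pdo (a PDO connection with exceptions enabled).
// Membership is looked up on every request instead of being copied into the
// session, so removing someone from a group takes effect immediately.
require 'db.php';

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// All group names the user belongs to.
function user_groups(PDO $pdo, string $user): array
{
    $stmt = $pdo->prepare(
        'SELECT g.name
           FROM groups g
           JOIN user_groups ug ON ug.group_id = g.id
          WHERE ug.user_id = ?'
    );
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Gate a section on membership in any one of the listed groups.
function require_group(PDO $pdo, array $allowed): void
{
    ensure_session();
    $user = $_SESSION['user'] ?? null;
    if ($user === null) {
        header('Location: login.php');
        exit();                                   // slide 11
    }
    if (array_intersect($allowed, user_groups($pdo, $user)) === []) {
        http_response_code(403);
        exit('Forbidden');                        // logged in, wrong groups
    }
}

// billing.php would start with:
//   require 'groups.php';
//   require_group($pdo, ['accounting', 'admin']);
// editor.php would start with:
//   require 'groups.php';
//   require_group($pdo, ['editors', 'admin']);
```

The two page prologues at the end show the case the level model cannot express: accounting and editors each get their own section, and neither inherits the other's.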

14
Improvement 2
15
Persistence
  • We don't want the user to log in again on every authenticated page
  • Cookies / sessions are used to maintain information across pages

16
Bad Persistence Ideas
  • Stuffing the user name and password in a cookie: the cookie is stored
    on the client and sent with every request, so the password is exposed
    to anyone who can read either
  • Creating an "authenticated" cookie and setting it to true after a user
    logs in: cookie values are under the client's control, so anyone can
    set authenticated=true without ever logging in

17
Better Persistence Ideas
  • Store the user name in a session (there is no need to keep the
    password; the data stays on the server and the browser holds only the
    session ID)
  • Limited but secure
  • Store session ID, IP and timestamp in MySQL
  • Expandable
  • Login INSERTs a row
  • Logout DELETEs a row

18
_SESSION
  • session_start()
  • Starts a new session, or resumes the one named by the session cookie,
    and populates $_SESSION
  • session_id()
  • Returns the unique session ID
  • session_destroy()
  • Removes the session's data on the server (it does not clear the
    $_SESSION variables of the running script or the cookie in the
    browser)
  • To log out a user, first call session_start() again so the current
    session is attached, then clear $_SESSION and call
    session_destroy().
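Slides 15 to 18 as one added example, not the deck's code: session-backed persistence where the server keeps the user name in $_SESSION (the browser holds only the session ID, which is why none of the cookie tricks of slide 16 are needed), a MySQL sessions table that login INSERTs into and logout DELETEs from, and a logout that calls session_start() before session_destroy(). The sessions table, db.php, the idle limit and the function names are assumptions.

```php
<?php
// sessions.php: added example, not the deck's code. Assumed MySQL table:
//   CREATE TABLE sessions (sid VARCHAR(128) PRIMARY KEY, user_id VARCHAR(64),
//                          ip VARCHAR(45), created INT, last_seen INT);
// db.php is assumed to create $pdo (a PDO connection with exceptions enabled).
require 'db.php';

const IDLE_LIMIT = 1800;   // seconds of inactivity before a session is dropped (assumed policy)

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Run after the password check succeeds (slide 17: login INSERTs a row).
function session_login(PDO $pdo, string $user): void
{
    ensure_session();
    session_regenerate_id(true);           // never keep an id issued before login (fixation)
    $_SESSION['user'] = $user;             // the user name only; the password is not needed again
    $now = time();
    $pdo->prepare('INSERT INTO sessions (sid, user_id, ip, created, last_seen) VALUES (?, ?, ?, ?, ?)')
        ->execute([session_id(), $user, $_SERVER['REMOTE_ADDR'], $now, $now]);
}

// Run at the top of every authenticated page: returns the user name or bounces to login.
function session_require(PDO $pdo): string
{
    ensure_session();
    $stmt = $pdo->prepare('SELECT user_id, ip, last_seen FROM sessions WHERE sid = ?');
    $stmt->execute([session_id()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - (int) $row['last_seen'] > IDLE_LIMIT) {
        session_logout($pdo);              // unknown or idle id: clean up, then bounce
        header('Location: login.php');
        exit();                            // slide 11
    }
    // The stored IP lets you notice an id reused from elsewhere. A hard mismatch
    // check logs out legitimate users whose address changes (mobile, proxies), so log it.
    if ($row['ip'] !== $_SERVER['REMOTE_ADDR']) {
        error_log('session ' . session_id() . " seen from {$row['ip']} and {$_SERVER['REMOTE_ADDR']}");
    }
    $pdo->prepare('UPDATE sessions SET last_seen = ? WHERE sid = ?')->execute([time(), session_id()]);
    return $row['user_id'];
}

// Slides 17 and 18: logout DELETEs the row and destroys the PHP session.
// session_start() has to run first so session_id() and session_destroy() act on
// the session named by the browser's cookie.
function session_logout(PDO $pdo): void
{
    ensure_session();
    $pdo->prepare('DELETE FROM sessions WHERE sid = ?')->execute([session_id()]);
    $_SESSION = [];                        // session_destroy() leaves $_SESSION alone
    if (ini_get('session.use_cookies')) {  // and leaves the cookie on the client, so expire it
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

An authenticated page then reads `$user = session_require($pdo);` as its first line, and the logout link points at a page that calls `session_logout($pdo)` and redirects. Because the sessions table is the source of truth, an administrator can also end a session by deleting its row.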