Chapter 6: Authentications
Training Course, CS, NCTU


Overview

• Getting Username and Password
• Verifying Username and Password
• Keeping The Verification Result


Getting Username and Password (1)

Two methods to get the username and password from the browser:
• HTTP Authentication with PHP
• Using the HTML '<form>' tag

HTTP Authentication with PHP
• Makes use of HTTP headers.
• Headers sent:
    WWW-Authenticate: Basic realm="My Realm"
    HTTP/1.0 401 Unauthorized
• Example

    <?php
    // Ask the browser for Basic credentials; it shows its own login dialog
    header('WWW-Authenticate: Basic realm="PHP Training"');
    header("HTTP/1.0 401 Unauthorized");
    ?>


Getting Username and Password (2)

• To get the user's input, use the super-globals $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
• The basic HTTP authentication example:

    <?php
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        // No credentials yet: challenge the browser and stop
        header('WWW-Authenticate: Basic realm="PHP Training"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Text to send if user hits Cancel button';
        exit;
    } else {
        // Escape user-supplied values before echoing them into HTML
        echo "<p>Hello " . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . ".</p>";
        echo "<p>You entered " . htmlspecialchars($_SERVER['PHP_AUTH_PW']) . " as your password.</p>";
    }
    ?>


Getting Username and Password (3)

Digest HTTP Authentication example
– When using HTTP Basic Authentication, the username-password pair is effectively transmitted in the clear.
– Using digest authentication, your password is never sent across the network in the clear, but is always transmitted as an MD5 digest of the user's password.
– This mechanism is an alternative authentication method, so we do not describe it in more detail here.
– If you are interested in this method, refer to the example in the PHP manual.


Getting Username and Password (4)

Using the HTML '<form>' tag
• Use the POST method to get the user's input.
  Note: GET is not recommended because the values appear in the URL.
• Example

    <form method="POST" action="6-2.php">
    Username: <input type="text" name="user"> <br />
    Password: <input type="password" name="pass"> <br />
    <input type="submit" value="Login"><input type="reset" value="Clear">
    </form>

    <?php
    // 6-2.php, the form's action target: escape the submitted values before echoing them into HTML
    echo "<p>Hello " . htmlspecialchars($_POST['user']) . ".</p>";
    echo "<p>You entered " . htmlspecialchars($_POST['pass']) . " as your password.</p>";
    ?>


Getting Username and Password (5)

Practicing
• Create an HTML page for entering a username, a password, and any other data you want to know, for example name, birthday, mail address, or a simple math question.
• Create a PHP page which receives the authentication information from the HTML page above with the POST method. If it cannot receive authentication data via POST, it must produce an authentication input box itself.
• When it has received the username, password, and the other user input, show them in the browser.

http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1a.html
http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1a.txt
http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1b.php
http://tphp.cs.nctu.edu.tw/tphp/pr6-1_1b.txt


Verifying Username and Password (1)

Verification
• After getting the username and password from the user, the next problem is how to check their correctness.
• How to encrypt the password? We do not cover that here. We only protect the service from malformed connections.

Approaches
• Record the username/password pairs in
  – PHP arrays
  – databases
• Make use of existing services:
  – FTP
  – POP3/IMAP
• …etc.


Verifying Username and Password (2)

Verification using a PHP array
• Record the "username => password" map in an array.
• Example

    $users = array('Mary' => 'aa123', 'John' => 'uupx', 'Jerry' => 'password');

    function auth() {
        header('WWW-Authenticate: Basic realm="PHP Training"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Text to send if user hits Cancel button';
        exit;
    }

    function check_auth($usr, $pwd) {
        global $users;
        // Unknown users must fail; strict comparison avoids PHP type juggling
        return isset($users[$usr]) && $users[$usr] === $pwd;
    }

    $un = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
    $up = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
    if ($un === null || !check_auth($un, $up)) {
        auth();
    } else {
        echo "<p>Hello " . htmlspecialchars($un) . ".</p>";
        echo "<p>You entered " . htmlspecialchars($up) . " as your password.</p>";
    }


Verifying Username and Password (3)

Verification using databases
• Record the "username => password" map in a database table.
• Example (change the check_auth function in the previous example)

    $link = mysql_connect("localhost", "ystseng", "xxxxxx")
        or die(mysql_errno() . ": " . mysql_error());
    mysql_select_db("ystseng_tphp", $link)
        or die(mysql_errno($link) . ": " . mysql_error($link));

    function check_auth($usr, $pwd) {
        global $link;
        // Escape both values before placing them in the query text;
        // without this, quotes in the input change the meaning of the SQL
        $usr = mysql_real_escape_string($usr, $link);
        $pwd = mysql_real_escape_string($pwd, $link);
        $sql = "SELECT ID FROM auth WHERE username='$usr' AND password='$pwd'";
        if (!($result = mysql_query($sql, $link))) return false;
        return (mysql_num_rows($result) == 1);
    }
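The same database check written with a prepared statement and a stored password hash, as an added example that is not part of the course slides. It assumes a table `auth` with columns `username` and `password_hash` (a hypothetical schema, not the course's table) and uses placeholder database credentials.

```php
<?php
// Added example (not from the course): check_auth() against mysqli.
// A prepared statement binds $usr as data, so it can never alter the SQL text,
// and password_verify() lets the table hold a password_hash() value instead
// of the clear-text password.
// Assumed schema: auth(username, password_hash); placeholder credentials below.
$link = mysqli_connect("localhost", "DB_USER_PLACEHOLDER", "DB_PASS_PLACEHOLDER", "DB_NAME_PLACEHOLDER");
if (!$link) {
    die("Database connection failed");   // keep mysqli_connect_error() out of user-facing output
}
// Dummy hash, verified for unknown users so that a missing account takes the
// same time as a wrong password (no username enumeration by timing).
$dummy_hash = password_hash('dummy', PASSWORD_DEFAULT);

function check_auth($usr, $pwd) {
    global $link, $dummy_hash;
    $stmt = mysqli_prepare($link, "SELECT password_hash FROM auth WHERE username = ? LIMIT 1");
    if (!$stmt) return false;
    mysqli_stmt_bind_param($stmt, "s", $usr);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = (mysqli_stmt_fetch($stmt) === true);
    mysqli_stmt_close($stmt);
    // password_verify() re-hashes $pwd with the stored salt and compares in constant time
    $ok = password_verify($pwd, $found ? $hash : $dummy_hash);
    return $found && $ok;
}

// Assumed helper for the registration side: store the hash, never the password.
function store_user($usr, $pwd) {
    global $link;
    $hash = password_hash($pwd, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($link, "INSERT INTO auth (username, password_hash) VALUES (?, ?)");
    if (!$stmt) return false;
    mysqli_stmt_bind_param($stmt, "ss", $usr, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}
?>
```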


Verifying Username and Password (4)

Verification using an existing FTP service
• Try to log in to an existing FTP site; if the FTP site accepts the username and password, we accept them too.
• Example (change the check_auth function in the previous example)

    function check_auth($usr, $pwd) {
        $ftp_server = "tphp.cs.nctu.edu.tw";
        $conn_id = ftp_connect($ftp_server);
        if (!$conn_id) return FALSE;   // server unreachable: do not call ftp_login on false

        // login with username and password (plain FTP sends them unencrypted to the FTP server)
        $login_result = @ftp_login($conn_id, $usr, $pwd);

        // a rejected login is a failed authentication
        $result = $login_result ? TRUE : FALSE;
        ftp_close($conn_id);
        return $result;
    }


Verifying Username and Password (5)

Verification using an existing E-Mail service
• Try to log in to an existing mail server and check whether the username and password are accepted by the E-Mail server (protocol: POP3 or IMAP).
• Example (change the check_auth function in the previous example)

    function check_auth($usr, $pwd) {
        // OP_HALFOPEN: authenticate only, without opening a mailbox
        $ret = @imap_open("{msa.hinet.net:143}", $usr, $pwd, OP_HALFOPEN);
        $auth = $ret ? true : false;
        if ($ret) imap_close($ret);
        return $auth;
    }


Verifying Username and Password (6)

Practicing
• Create an HTML page for entering a username, a password, and any other data you want to know, for example name, birthday, mail address, or a simple math question.
• Create a PHP page which receives the authentication information from the HTML page above with the POST method. If it cannot receive authentication data via POST, it must produce an authentication input box itself.
• When the authentication information is correct, show a "hello message" and a visit counter. This visit counter can be stored in a cookie (remember to set the expiry time).
• Hint: you can use an array variable in your PHP code, or a database, to store the usernames and passwords that are compared with the user's input.

http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1a.html
http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1a.txt
http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1b.php
http://tphp.cs.nctu.edu.tw/tphp/pr6-2_1b.txt


Keeping The Verification Result (1)

After authentication, we have to keep the username and password that the user typed.
• When using "HTTP Authentication", the browser keeps sending the user/pass in the request header until it is closed.
• When using the "HTML <form> tag", we have to keep the data ourselves.
• Methods
  – Using <input type=hidden> while jumping between pages.
    » Not suitable: easily lost, and the username/password appear in the HTML.
  – Cookie and session, mentioned in chapter 4. Difference:
    » A cookie is stored on the client side, a session on the server side.
    » A session ends when the browser is closed; a cookie can be kept for a longer time.


Keeping The Verification Result (2)

• Examples
  – We design a function to check whether the user has logged in successfully.
  – If not, redirect the browser to the login page.
  – The login procedure checks the username and password.
  – When login succeeds, it redirects again to the original page.

http://tphp.cs.nctu.edu.tw/tphp/ex6-3_login.php
http://tphp.cs.nctu.edu.tw/tphp/ex6-3_1.php
http://tphp.cs.nctu.edu.tw/tphp/ex6-3_2.php
http://tphp.cs.nctu.edu.tw/tphp/ex6-3_3.php
http://tphp.cs.nctu.edu.tw/tphp/ex6-3_logout.php


Keeping The Verification Result (3)

ex6-3_inc.php – library function. It will be included by all PHP pages.

    <?php
    $users = array("peter" => "1234", "mary" => "abcd");

    function check_auth() {
        global $users;
        // Missing cookies or an unknown user: send the browser to the login page
        if (!isset($_COOKIE['PASS']) || !isset($_COOKIE['USER'])
            || !isset($users[$_COOKIE['USER']])) {
            header("Location: ex6-3_login.php?URL=" . urlencode($_SERVER['PHP_SELF']));
            exit;   // stop here, otherwise the protected page is still sent after the redirect header
        }
        // The PASS cookie must hold the MD5 digest of the stored password
        if (md5($users[$_COOKIE['USER']]) !== $_COOKIE['PASS']) {
            header("Location: ex6-3_login.php?URL=" . urlencode($_SERVER['PHP_SELF']));
            exit;
        }
    }
    ?>


Keeping The Verification Result (4)

ex6-3_login.php – Login PHP page.

    ……
    <form action="ex6-3_auth.php" method="post">
    <input type="hidden" name="URL" value="<?= isset($_GET['URL']) ? htmlspecialchars($_GET['URL']) : '' ?>">
    Username: <input type="text" name="USER"><br>
    Password: <input type="password" name="PASS"><br>
    <input type="submit" value="Login">
    </form>
    ……


Keeping The Verification Result (5)

ex6-3_auth.php – Login procedure PHP page.

    <?php
    require_once("ex6-3_inc.php");

    $user = isset($_POST['USER']) ? $_POST['USER'] : '';
    $pass = isset($_POST['PASS']) ? $_POST['PASS'] : '';
    $url  = isset($_POST['URL'])  ? $_POST['URL']  : '';

    if (isset($users[$user]) && $users[$user] === $pass) {
        setcookie("USER", $user, time() + 3600);
        setcookie("PASS", md5($pass), time() + 3600);

        // Only accept a local path as the return target, so the redirect
        // cannot be pointed at another host
        if ($url !== '' && $url[0] === '/' && substr($url, 0, 2) !== '//') {
            /* redirect to original page */
            header("Location: http://$_SERVER[SERVER_NAME]$url");
        } else {
            header("Location: ex6-3_1.php");
        }
        exit;
    } else {
        echo "Wrong username or password";
    }
    ?>


Keeping The Verification Result (6)

ex6-3_1.php – Data PHP page.

    <?php
    require_once("ex6-3_inc.php");
    check_auth();   // redirects to the login page and exits if the cookies are not valid
    echo "Hello, " . htmlspecialchars($_COOKIE['USER']) . ", this file is ex6-3_1.php";
    ?>

ex6-3_2.php – Data PHP page.

    <?php
    require_once("ex6-3_inc.php");
    check_auth();
    echo "hay!, " . htmlspecialchars($_COOKIE['USER']) . ", this file is ex6-3_2.php";
    ?>
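The ex6-3 flow above keeps the username and an MD5 digest of the password in cookies on the client. As an added example, not part of the course's ex6-3 files, the same login, check and logout steps written with a server-side PHP session, the alternative the chapter contrasts with cookies: the browser holds only an opaque session id, and neither the username nor any password digest is stored client-side. The function names do_login and do_logout are assumptions; the users array is the same demo data as on the slides.

```php
<?php
// Added example (not the course's own code): ex6-3 with a server-side session.
// Section comments name the course file each part would replace.

// ---- ex6-3_inc.php (session version) ----
$users = array("peter" => "1234", "mary" => "abcd");   // demo credentials from the slides

function check_auth() {
    session_start();
    if (empty($_SESSION['USER'])) {
        // not logged in: send the browser to the login page and stop
        header("Location: ex6-3_login.php?URL=" . urlencode($_SERVER['PHP_SELF']));
        exit;
    }
}

// ---- ex6-3_auth.php (session version) ----
function do_login($user, $pass, $url) {
    global $users;
    session_start();
    // hash_equals() compares in constant time; unknown users fail the same way
    if (!isset($users[$user]) || !hash_equals($users[$user], (string) $pass)) {
        return false;                      // caller prints "Wrong username or password"
    }
    session_regenerate_id(true);           // fresh id on login: defeats session fixation
    $_SESSION['USER'] = $user;             // kept on the server, never in a cookie
    // accept only a local path as the return target
    if ($url !== '' && $url[0] === '/' && substr($url, 0, 2) !== '//') {
        header("Location: " . $url);
    } else {
        header("Location: ex6-3_1.php");
    }
    exit;
}

// ---- ex6-3_logout.php (session version) ----
function do_logout() {
    session_start();
    $_SESSION = array();
    setcookie(session_name(), '', time() - 3600);   // drop the session cookie in the browser
    session_destroy();                              // and the session data on the server
    header("Location: ex6-3_login.php");
    exit;
}
?>
```

With session.cookie_lifetime at its default of 0 the session cookie is discarded when the browser closes, which is the session-versus-cookie difference stated on the earlier slide.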


Q&A