Authentication
PHP Mechanisms
- PHP gives a lot of control over the authentication process.
For example, PHP could be used to not allow access during
times when system maintenance is being performed.
- PHP exposes information about the server and the current request in the $_SERVER superglobal array.
For example, $_SERVER["REMOTE_ADDR"] stores the IP address
of the client.
- PHP provides built-in hashing functions. Of special
interest is sha1, a one-way hash function (Secure Hash
Algorithm 1) that returns a 40-character hexadecimal digest.
Lecture Code
The code below allows a user to log in to a very simple
application. Once the user is logged in, she can either
change her password or sign out. The code illustrates some
very simple security precautions.
Preliminaries
The code below assumes that a database named
authentication is set up that contains a table
named accounts. The accounts table
has a username field of type varchar(50) and a
password field of type char(40). The username
is the primary key of the table.
- addUser.php: adds a user
named john, with the sha1 digest of paxton as the
stored password, to the accounts table
described above. The purpose of this is to have
a known, valid user. This file is unrelated to the
8 files below, which all work together.
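The following is an added example of what addUser.php could contain; it is not the lecture's file. It assumes a mysqli connection (the host, user and password shown are placeholders, since the lecture does not give them) and the accounts table described under Preliminaries.

```php
<?php
// Added example (not the lecture's addUser.php): creates the known user
// "john" with the sha1 digest of "paxton", matching the accounts table
// described above (username varchar(50) primary key, password char(40)).
// The connection parameters are placeholders; the lecture does not give them.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'authentication');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

// The table the lecture assumes, for reference (run once via the mysql client):
//   CREATE TABLE accounts (username VARCHAR(50) PRIMARY KEY, password CHAR(40));

$username = 'john';
$digest   = sha1('paxton');   // 40 hex characters, so it fits char(40)

// A prepared statement keeps the values out of the SQL text, so a username
// containing quotes or semicolons cannot alter the query.
$stmt = $db->prepare('INSERT INTO accounts (username, password) VALUES (?, ?)');
$stmt->bind_param('ss', $username, $digest);
if ($stmt->execute()) {
    echo "Added user $username\n";
} else {
    echo 'Insert failed: ' . $stmt->error . "\n";
}
$stmt->close();
$db->close();
```

The unsalted sha1 digest is what the lecture's char(40) column calls for. In a production application the same insert would store the result of PHP's password_hash() and the login would check it with password_verify(); those digests are salted, deliberately slow to compute, and longer than 40 characters, so the column would become varchar(255).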
HTML File
- login.html: collects a username and
password and then takes the user to the loginVerify.php page.
Include Files
- authenticate.inc -
the authenticateUser
method makes sure that a user is a valid one. The
sessionAuthenticate method checks to make sure that
the session is a valid one and has not been hijacked.
- update.inc - updates
a user's password.
PHP Files
- loginVerify.php -
sends the user to home.php if the login information
was correct and to the logout.php page otherwise.
- home.php - an authorized
user can either go to password.php or logout.php.
- password.php - an
authorized user can (1) enter her old password, a new
password and a confirmation of the new password,
(2) go back to home.php or (3) go to logout.php.
- change.php - if the
information required to change the password is legal,
the password will be changed. The user is taken back
to the password.php page.
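The following is an added example, not the lecture's authenticate.inc, update.inc or change.php, showing one way the pieces described above fit together: authenticateUser and sessionAuthenticate from authenticate.inc, the update from update.inc, and the checks change.php performs before calling it. The function names authenticateUser and sessionAuthenticate are the lecture's; the exact checks inside them (binding the session to the client's address and browser, as $_SERVER["REMOTE_ADDR"] suggests) are this example's assumptions. It assumes a mysqli connection $db, the accounts table from Preliminaries, and that the including page has already called session_start().

```php
<?php
// Added example, not the lecture's code. Assumes the accounts table from
// Preliminaries (sha1 digests in a char(40) password column), a mysqli
// connection $db, and that session_start() has already been called.

// authenticate.inc: is this username/password pair valid?
function authenticateUser(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM accounts WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedDigest);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;                      // unknown user
    }
    // hash_equals compares in constant time, so response timing does not
    // reveal how many leading characters of the digest matched.
    return hash_equals($storedDigest, sha1($password));
}

// Called once, right after a successful login: bind the session to the client.
function startAuthenticatedSession(string $username): void
{
    session_regenerate_id(true);           // discard any id chosen before login
    $_SESSION['username']    = $username;
    $_SESSION['remote_addr'] = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['user_agent']  = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

// authenticate.inc: is the current session still the one we issued?
function sessionAuthenticate(): bool
{
    if (empty($_SESSION['username'])) {
        return false;
    }
    // A session id presented from a different address or browser than the
    // one that logged in is treated as hijacked and is discarded.
    $sameAddr  = ($_SESSION['remote_addr'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? '');
    $sameAgent = ($_SESSION['user_agent'] ?? null) === ($_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!$sameAddr || !$sameAgent) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// update.inc: store a new digest for the user.
function updatePassword(mysqli $db, string $username, string $newPassword): bool
{
    $digest = sha1($newPassword);
    $stmt = $db->prepare('UPDATE accounts SET password = ? WHERE username = ?');
    $stmt->bind_param('ss', $digest, $username);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// change.php: the checks that make the change "legal" before update.inc runs.
// Returns an error message, or null when the password was changed.
function changePassword(mysqli $db, string $old, string $new, string $confirm): ?string
{
    if (!sessionAuthenticate()) {
        return 'Not logged in.';
    }
    $username = $_SESSION['username'];
    if (!authenticateUser($db, $username, $old)) {
        return 'Old password is incorrect.';
    }
    if ($new !== $confirm) {
        return 'New password and confirmation do not match.';
    }
    if (strlen($new) < 8) {
        return 'New password must be at least 8 characters.';
    }
    if ($new === $old) {
        return 'New password must differ from the old one.';
    }
    return updatePassword($db, $username, $new) ? null : 'Update failed.';
}
```

loginVerify.php would call authenticateUser with the posted credentials and, on success, startAuthenticatedSession before sending the user to home.php; home.php, password.php and change.php each call sessionAuthenticate first and send the user to logout.php when it returns false. The "must differ" rule also keeps the affected_rows check honest, since MySQL reports zero affected rows when the new digest equals the stored one.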
- logout.php - an exit message
is displayed and the user is given the option to go
to the login.html page.
Secure Sockets Layer Protocol
- In the above application, the username and password
are not encrypted when they are passed from the browser
to the web server. This can be remedied by using the
SSL protocol. (Websites that use SSL can be identified
by the https: URI prefix, which stands for HTTP over
SSL.)
- The current version of SSL is 3.0.
- SSL is the predecessor to TLS, transport layer security.
The two protocols are similar.
- SSL provides privacy
- SSL provides integrity
- SSL provides authentication
- SSL sits between the browser and TCP/IP (or between
the web server and TCP/IP).
- The default port for SSL is 443. The default port
for HTTP is 80.
- The combinations of techniques that an SSL connection
can negotiate are called cipher suites. A cipher suite
can specify message digests, digital certificates and
encryption techniques.
- An SSL session begins by the browser and server
negotiating a cipher suite. Then, a secret key is
shared between the server and client. Finally, the
browser authenticates the server by examining the server's
X.509 digital certificate. Once all of this has taken
place, transmission can begin between the client and server.
- Wikipedia website.
- OpenSSL website
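As an added example (not part of the lecture code), the following is what loginVerify.php could do before it reads the posted username and password, so that the credentials only ever travel over SSL/TLS. It relies only on the standard $_SERVER entries; the function names are this example's own.

```php
<?php
// Added example, not part of the lecture code: run at the top of
// loginVerify.php (and any page that handles credentials) before touching
// $_POST. Uses only the standard $_SERVER entries; function names are ours.

// Refuse to handle a login over plain HTTP: redirect to the same URL on https.
function requireHttps(): void
{
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$isHttps) {
        $target = 'https://' . ($_SERVER['HTTP_HOST'] ?? 'localhost')
                . ($_SERVER['REQUEST_URI'] ?? '/');
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Ask the browser to use https for this host from now on (HSTS), so later
    // visits never start on port 80 at all.
    header('Strict-Transport-Security: max-age=31536000');
}

// Session cookie flags that belong with an SSL-only site: the cookie is never
// sent over port 80 (secure) and cannot be read from JavaScript (httponly).
// The array form of session_set_cookie_params needs PHP 7.3 or later.
function startSecureSession(): void
{
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

requireHttps();
startSecureSession();
// From here on, $_POST['username'] and $_POST['password'] arrived encrypted.
```

The redirect only protects requests made after it: if login.html itself was served over http:, the browser has already sent the form contents in the clear before loginVerify.php runs. The form page therefore has to be served over https: as well, which the HSTS header arranges for every later visit.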
Laboratory
Do something interesting and non-trivial that involves authentication.
If you are a Montana State student, demonstrate it during
today's lab period. If you are a University of Leipzig student,
either demonstrate it during today's lab period or e-mail it to
Sebastian (loewe AT uni-leipzig.de) no later than the end of the day.