View
224
Download
0
Category
Preview:
Citation preview
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
1/21
CHAPTER15
User
Authentication
Chapter 20
Stobart and Parsons
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
2/21
SECTION 1
User Authentication
Websites allow user's to login for various
reasons:
To perform transactions
To post information
To view confidential information
Users are usually authenticated using
passwords. Passwords are stored in a database as
strings, e.g:
CREATE TABLE users (
username varchar(32) NOT NULL,
password varchar(32) NOT NULL,
PRIMARY KEY (username),
KEY (password));
Both the username and password are keys(i.e. indexed) which makes it quicker to
search for a username/password
combination.
Password encryption
The password must be encrypted.
The safest form of password encryption is a
one-way cipher.
A one-way cipher can never be decrypted.
How do we know if the user has entered the
correct password if the stored passwordcan't be decrypted?
272
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
3/21
273
Encrypted password: 7a3de5
Cipher
Stored password: 7a3de5
User login
Lookup
Username: Fred Password: abc123
Passwords
Match?
User Authentication Process
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
4/21
User Account Creation
When a user creates an account either a password is automatically generated or the user
selects one.
If the password is automatically generated the user should be encouraged to change it as soon
as possible.
Only the encrypted version of the password is stored in the database.
Encryption
The PHP function crypt() can be used to encrypt the password.
crypt() performs a one-way encryption:
string crypt(string plaintext, [string salt])
The salt, which is optional, should be used since more than one user may choose the same
password.
Often the first two characters of the username are used as the salt.
The following function creates a new user account and encrypts the password:
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
5/21
$salt = substr($username, 0, 2);
$storedPassword = crypt($password, $salt);
$query = "insert into users (username, password, ...) " .
"values ('$username', '$storedPassword', ...)"
$results = mysql_query($query, $connection) or show_error();
}
?>
Note that since crypt() is a one-way function it is not suitable for storing credit card numbers
since the original numbers can not be retrieved.
User Login
Once a user account has been created the user can login.
There are two UI approaches for user login:
1.Send a 401 "authorisation required" response back to the client which results in a small
dialog box that the user must complete to gain entry.
2.Users enter their username and password into a form which is submitted to the server.
275
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
6/21
WWW Authentication
The first method requires that PHP returns a 401 header as such:
header("HTTP/1.0 401 Authorization Required");
If the user presses Cancel the HTML returned will be displayed (which should indicate that
the user hasn't logged in).
If the user logs in it will reload the page with the user's credentials.
PHP stores the user's credentials in the $_SERVER global array with the keys
PHP_AUTH_USER and PHP_AUTH_PW
The following example demonstrates 401 authentication:
276
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
7/21
http://dwarf.ict.griffith.edu.au/~s772824/examples/basic_auth/
This method of user authentication is used less frequently mainly for aesthetic reasons.
277
http://dwarf.ict.griffith.edu.au/~s772824/examples/basic_auth/http://dwarf.ict.griffith.edu.au/~s772824/examples/basic_auth/7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
8/21
User Login Form
The user login form should have fields for the username and password.
The password field should be oftype="password", which hides the password from the
user.
The username and password will be sent to the server in the clear, to encrypt the form
contents use https://
The following function encrypts the password the user typed in and compares the username
and encrypted password with that stored in the table:
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
9/21
"AND password = '$encryptedPassword'";
$result = mysql_query($query, $connection) or show_error();
return (mysql_num_rows($result) == 1);
}
?>
User Authorisation
User authentication is determining if the user is who they say they are.
User authorisation is determining if the user has permission.
Some pages in your application may not be accessible by the logged in user, or require a user
to be logged in to view them.
If a user isn't logged in, or doesn't have the right permission level either an error can be
displayed or a version of the page displayed which has limited functionality.
Once a user has logged in the web application must remember that the user is logged in for
each page visited.
The currently logged in user should be stored in a session variable.
There is no need to store the password, only the username (or user id) needs to be stored.
279
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
10/21
Each web page may indicate at the top of the page the currently logged in user.
Either the username or the user's first or full name can be displayed.
If the information other than the username (such as first or full name) is displayed in each
page then it may be useful to store these in session variables for easy access.
If not, then the user table will need to be accessed on each page to retrieve the user's details.
280
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
11/21
SECTION 2
External Authentication
OpenID and OAuth allow users to be
authenticated with an existing username
and password from a different system.
Examples of websites that support OpenID
or OAuth:
281
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
12/21
Advantages of External
Authentication:
Users don't need to create a new username
and password
Users don't need to re-enter common
information
Account can be linked to the other service
provider providing additional features, e.g.
post to Facebook (only with OAuth)
OpenID or OAuth?
OpenID is used solely to identify the user
OAuth is a mechanism that allows a website
to access the services of another website
(e.g. post to Facebook)
OAuth 2.0 authentication
OAuth authentication requires that the
client website registers with an OAuth
provider website.
In the case of Facebook, you would need to
register an 'app' with Facebook.
Facebook provides you with anApp ID
which is used to identify your application
Your website launches the Facebook
authentication dialog which handscontrol over to Facebook.
The user logs in (if they aren't already) and
authorises the app.
If authentication and authorisation
successful Facebook redirects to a URLspecified by your website with an access
token that must be passed to every
interaction with Facebook and eventually
expires.
282
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
13/21
OAuth 2.0 Authentication Process
283
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
14/21
SECTION 3
Two-factor Authentication
Until recently the most common form of
user authentication is through passwords.
Password authentication has a number of
problems:
Good passwords must be long and
complex and hence difficult to
remember.
Users often use simple passwords orrecord them somewhere.
Simple passwords are easy to crack.
Password authentication is prone to
phishing attacks.
Two-factor Authentication
Two-factor authentication requires another
form of authentication in addition to the
password.
There are three categories of
authentication:
Something the user knows
Something the user has
Something the user is
A user's password fits into the first
category, something the user knows.
Asking a user additional questions will still
be prone to phishing attacks, another form
of authentication is required.
284
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
15/21
On-line Bank Authentication
Two-factor authentication is more
cumbersome than simple password
authentication.
As a result many services only require two-
factor authentication for certain operations.
For example, with on-line banking, the user
only needs their password to log in, view
account balances and transfer funds
between their own accounts. However, if money is transferred to an
account which is not theirs then two-factor
authentication is used.
The most common form of two-factor
authentication is to send a one-time
password (OTP) to a mobile phone.
This is authenticates "something the user
has", i.e. the mobile phone.
Another common "something the user has"
is a one-time password dongle such as
YubiKey which generates a password which
is sent and authenticated with a server.
Biometric Authentication
Biometrics such as fingerprint scanning fall
under the category of "something the useris".
Biometric authentication may be simpler
and quicker than other forms of
authentication.
285
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
16/21
CHAPTER16
Transaction
Processing
Chapter 20
Elmasri and Navathe
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
17/21
SECTION 1
Transaction Processing
When multiple users are concurrently
accessing and updating the same database,
incorrect results can be returned andincorrect updates can be performed unless
special care is taken.
Examples
In these examples, two or more
transactions - sequences of operations -
are performed concurrently.
An interleaved set of transactions - a
sequence of operations from multiple
transactions - is called a schedule.
Example 1: Banking
Suppose X = 100.
T1: Read X, Add 10 to X, Write X T2: Read X, Add 20 to X, Write X
More precisely, each transaction reads X
into a local variable, updates the local
variable, then writes the local variable to X.
Schedule:
(1) Read X = 100
(1) Add 10 to X = 110
(2) Read X = 100
(2) Add 20 to X = 120
(2) Write X = 120
(1) Write X = 110
After this schedule, X has value 110. But
after either T1 - T2 or T2 - T1, it should have
value 130.
287
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
18/21
Example 2: Summation
Suppose the database contains data items
X1 to X4 with values 10 to 40. Transaction
T1 computes the sum of all data items in the
database. Transaction T2 deletes item X1and inserts item X5 with value 50. The sum
computed by T1 should be either 100 or
140. But consider the following schedule:
(1) Read X1
(1) Read X2(1) Read X3
(2) Delete X1
(2) Insert X5
(1) Read X4
(1) Read X5
(1) Write Sum (of X1 to X5)
This schedule writes the Sum 150 to the
database. But this does not correspond to
any possible state of the database.
Example 3: User registration
Suppose transactions T1 and T2 each insert
a new user (with the same name) into the
database. Each transaction should have the
following structure:
Get name (and details) from form;
if (name is not in the database) {...
Insert the name (and details)
into the database;
}
If T1 and T2 are executed concurrently, it is
possible that each will determine the (same)
name is not in the database, and each will
then insert the (same) name into the
database, resulting in two occurrences of
the name in the database.
288
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
19/21
ACID Properties of Transactions
Atomicity
A transaction is an atomic unit of
processing. It should either be
performed in its entirety or not
performed at all.
Consistency
If a transaction is completely executed
from beginning to end it should leave the
database in a consistent state.
Isolation
A transaction should appear as though it
is being executed in isolation from other
transactions, even though many
transactions are executing concurrently.
Durability
The changes applied to the database by a
committed transaction must persist in
the database.
A database management system that
ensures transactions satisfy theseconditions is calledACID-compliant.
Serialisation
To ensure the ACID properties are satisfied,
schedules must be serialisable.
i.e., even if operations of two or moretransactions (e.g., T1, T2, T3) are
interleaved, the overall effect must be the
same as if they were executed in some serial
order (e.g., T1 - T3 - T2).
Serialisation is normally implemented
using locks.
Locks restrict access to data items (tuples,
pages, tables).
289
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
20/21
Aread lock on an item allows other
concurrent processes to read the item but
prevents other processes from writing the
item.
Awrite lock on an item prevents otherprocesses from reading or writing the item.
Two-phase Locking
To ensure schedules are serialisable, the
two-phase locking protocol must beused:
Acquire all locks before releasing any locks.
To ensure schedules are serialisable, avoid
deadlocks, are recoverable, and have other
desirable properties, the strict two-phaselocking protocol must be used:
Acquire all locks before releasing any locks,
and maintain all write locks until the end of
the transaction.
Locks in MySQL
In MySQL versions before 4.0, read and
write locks had to be explicitly obtained and
released.
These locking and unlocking commands are
sent to the database server from the PHP
script.
The commands are:
LOCK TABLE name READ
LOCK TABLE name WRITE
UNLOCK TABLE name
UNLOCK TABLES
Note that the only data items that can be
locked are complete tables.
Commercial databases perform locking atthe page or row level, which allows more
parallelism.
290
7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29
21/21
In MySQL versions from 4.0 onwards, with the InnoDB storage engine, the higher level SQL
commands may be used:
START TRANSACTION
COMMIT
ROLLBACK
The normal pattern of usage in a PHP script is the following:
Much easier! (But you still need to be careful to include all required operations inside the
transaction.)
291
Recommended