Controlling Web Site Access Using Logins CS 320


Basic Approach

HTML form: a PHP page that collects the username and password
Sends them to a second PHP page that validates the login
That PHP page queries the database for the username and password
If found, stores their userid (customerid, or whatever the primary key identifying them is) in a session variable and displays the next page
If not found, returns them to the initial login page with an appropriate message (Username or password incorrect)

Example: http://leela/CS320/Students/stevende/PHPLogin/candy_login.php

Basic Concepts

Session variables
Working with session variables
Command to forward the user to a different page
PHP include command
Preventing a user from directly accessing a page that requires a login
What is a SQL injection attack?

Session Variables

When you request a Web page, the Web server creates a session object corresponding to your browser session
This information is stored in the Web server's main memory
Each time you connect to a Web site, you create a new session
If you connect to the same Web site on the same client computer using 2 different browsers, each browser makes a separate session

Session Variables

Sessions have attributes that you can retrieve and display using program commands
A program running on the Web server can create session variables that store data values associated with a specific browser session
Values are stored in Web server RAM and associated with the session object

Session Timeout Intervals

By default, server/browser sessions "time out" (close) after a specific period of inactivity:
Microsoft IIS: 20 minutes
Tomcat: 30 minutes
You can change these values to longer/shorter ones
At that point, the session closes and the session object is destroyed. All session variable data is lost!

Login Approach Using a Session Variable

Run a database query to determine if the username/password is valid
If it is, create a session variable
The variable is then checked (to see if it exists) by other pages requiring login
All of these pages redirect to the login page if this variable isn't found

Using session variables in PHP

Before storing or retrieving session variables, start a new session or resume the existing session by calling session_start() at the top of every page that uses session variables; it must come before any HTML or text is sent
This registers the user's session with the server and assigns a UID (unique identification number) to the user's session if this is the first page requested by this browser from the server

PHP Session Variable Commands

To create a session variable and assign an initial value (a session variable comes into existence the first time it is assigned; merely naming $_SESSION["varName"] on a line of its own does not create it):

<?php $_SESSION["varName"] = "varValue"; ?>
<?php $_SESSION["userid"] = "STEVENDE"; ?>

To read a session variable and assign its value to a PHP program variable:

<?php $newVar = $_SESSION["varName"]; ?>
<?php $currUserID = $_SESSION["userid"]; ?>

PHP Session Variable Commands

To unset a session variable:

<?php unset($_SESSION["varName"]); ?>
<?php unset($_SESSION["userid"]); ?>

To test for existence (assumes the session variable value has already been assigned to a variable named $currUserID):

<?php
if (is_null($currUserID) == true) {
    // wasn't found, do something ...
}
?>

PHP command redirecting to a different page

header("Location: Login.php");

What does this command really do?
From the Web server's PHP page to the browser: sends a redirect response to the user's browser asking the browser to in turn send back a request for the specified page
From the browser to the Web server: the browser receives the redirect from the server and sends back to the Web server a request for the specified page
And from the Web server to the browser: sends back the newly requested page

Must be placed before any HTML is sent to the browser!

Login page sequence

Candy_Login.php: collects the username and password and submits them to processCandyLogin.php

processCandyLogin.php:
1. Receive user and password values as parameters
2. Run query to retrieve CUST_ID based on username and password values
3. If succeed:
   i. Create session variable = CUST_ID value
   ii. Go to next page in application
   If fail:
   i. Go back to CandyLogin.php and display an error message

Candy_Login.php Code

<?php
session_start();
// remake the session variable in case it already exists
unset($_SESSION["cust_id"]);
?>
<html>
<head><title>Candy Login</title></head>
<body>
<!-- method="post" keeps the password out of the URL query string -->
<form name="frmLogin" action="processCandyLogin.php" method="post">
<!-- form inputs -->
</form>
<?php
error_reporting(NULL);        // silence the notice when no msg parameter was passed
$msg = $_REQUEST["msg"];
if ($msg == "invalidLogin") {
?>
<b>Invalid Login - Please try again</b>
<?php } ?>
</body>
</html>

processCandyLogin.php Code

<?php
session_start();
// Add code to retrieve username and password from the previous page
// and store them in PHP variables
$cust_username = $_REQUEST["cust_username"];
$cust_password = $_REQUEST["cust_password"];

// Add code to include the file that contains the connection commands
include("Includes/connectMySQL.php");

// Add code to create and execute the database query
// (the user's values are concatenated straight into the SQL text;
// the SQL injection slides at the end show why that is dangerous)
$query = "SELECT cust_id FROM candy_customer " .
         "WHERE cust_username = '" . $cust_username . "'" .
         " AND cust_password = '" . $cust_password . "'";
$result = mysql_query($query) or die(mysql_error());

// determine number of rows retrieved
$num_rows = mysql_num_rows($result);

// add code to validate login
if ($num_rows > 0) {
    $row = mysql_fetch_array($result);
    $_SESSION["cust_id"] = $row["cust_id"];
    mysql_close();      // close only after the row has been fetched
    header("Location: Menu.php");
} else {
    mysql_close();
    header("Location: candy_login.php?msg=invalidLogin");
}
exit();   // nothing after a redirect header should keep running
?>

Candy_Login.php Code revisited

<?php
session_start();
// remake the session variable in case it already exists
unset($_SESSION["cust_id"]);
?>
<html>
<head><title>Candy Login</title></head>
<body>
<!-- method="post" keeps the password out of the URL query string -->
<form name="frmLogin" action="processCandyLogin.php" method="post">
<!-- form inputs -->
</form>
<?php
error_reporting(NULL);        // silence the notice when no msg parameter was passed
$msg = $_REQUEST["msg"];      // set by processCandyLogin.php when the login failed
if ($msg == "invalidLogin") {
?>
<b>Invalid Login - Please try again</b>
<?php } ?>
</body>
</html>

Preventing a user from directly accessing a page that requires a login

Test for the existence of the session variable
Put this code at the top of pages that shouldn't be accessed unless the user has logged in successfully:

<?php
session_start();
// attempt to retrieve the session variable value
$userid = $_SESSION["cust_id"];
if (is_null($userid) == true) {
    // they haven't logged in - send them back to the login page
    header("Location: candy_login.php");
    die();
}
?>
<html>
<head><title>Candy Login</title></head>
<body> … </body>
</html>
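As an added example (not code from the slides), the same check written as a reusable include, Includes/requireLogin.php (a hypothetical file name): it tests the session variable with isset() instead of reading an index that may not exist, and enforces an idle timeout of its own so the protection does not depend only on the server's session timeout setting. The 20-minute value is an assumption.

```php
<?php
// Added example, not from the slides: Includes/requireLogin.php (hypothetical name).
// Put  include("Includes/requireLogin.php");  as the first line of every page that
// needs a login, before any HTML is sent.
session_start();

const IDLE_TIMEOUT_SECONDS = 20 * 60;   // assumed value: 20 minutes of inactivity

function requireLogin(string $loginPage = "candy_login.php"): void
{
    // isset() is the idiomatic existence test: reading $_SESSION["cust_id"] when it
    // was never assigned raises a notice (warning in PHP 8) before is_null() runs.
    $loggedIn = isset($_SESSION["cust_id"]);

    // Idle timeout: last_activity is stamped at login and refreshed on every page,
    // so a session left open in a shared browser stops working on its own.
    $idle = isset($_SESSION["last_activity"])
        && (time() - $_SESSION["last_activity"]) > IDLE_TIMEOUT_SECONDS;

    if (!$loggedIn || $idle) {
        // Drop the server-side session data, then send them to the login page.
        $_SESSION = [];
        session_destroy();
        header("Location: " . $loginPage);
        exit();   // nothing after the redirect header may run or be sent
    }

    $_SESSION["last_activity"] = time();
}

requireLogin();
```

The login page that stores $_SESSION["cust_id"] must also set $_SESSION["last_activity"] = time(), otherwise the idle check never fires.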

Moving database connection code to a separate file using an include

The PHP include command allows inserting the contents of a file within the current file:

<?php
session_start();
// Add code to retrieve username and password from the previous page
// and store them in PHP variables
$cust_username = $_REQUEST["cust_username"];
$cust_password = $_REQUEST["cust_password"];

// Add code to include the file that contains the connection commands
include("Includes/connectMySQL.php");

Moving login verification to a separate file

Contents of the included file, Includes/connectMySQL.php:

<?php
// add code connecting to the MySQL database
mysql_connect("dario.cs.uwec.edu", "STEVENDE", "******")
    or die("Could not connect to MySQL. The reported SQL error is: " . mysql_error());
mysql_select_db("STEVENDE")
    or die("Could not connect to the database. The reported SQL error is: " . mysql_error());
?>

What is a SQL Injection Attack?

A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands
Possible when a query is concatenated together from user inputs and the application only tests whether any rows are retrieved

Performing the Attack:
Enter a stolen username
Enter password as: Foo' OR '1=1
Search condition sent to DB (always evaluates as true):

SELECT * FROM users
WHERE username = 'STEVENDE'
AND Password = 'Foo' OR '1=1'

All user rows returned to application. If the application is only checking for 0 vs. more than 0 rows, the attacker is in!

Database Dark Humor:

Bottom Line:

TEST for SQL injection attacks! If your system allows them, research how to prevent them based on your PHP version.
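As an added example (not code from the slides), processCandyLogin.php rewritten so the username and password reach the database as bound parameters of a prepared statement: a password of Foo' OR '1=1 is then compared literally against the column and matches no row, because it never becomes part of the SQL text. Assumes PHP's PDO extension, a MySQL table candy_customer whose cust_password column stores password_hash() output rather than clear text, and a login form that submits with method="post"; the connection credentials are placeholders.

```php
<?php
// Added example, not the slides' own code: processCandyLogin.php with a prepared statement.
session_start();

// Placeholders: replace DB_HOST, DB_NAME, DB_USER, DB_PASSWORD with real values
// (in practice kept in an include such as the slides' Includes/connectMySQL.php).
$pdo = new PDO("mysql:host=DB_HOST;dbname=DB_NAME", "DB_USER", "DB_PASSWORD", [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$cust_username = $_POST["cust_username"] ?? "";
$cust_password = $_POST["cust_password"] ?? "";

// The :u placeholder is bound by the driver, so quotes and OR in the input are
// just characters of the value, not SQL. The password is deliberately not part
// of the WHERE clause: it is checked against the stored hash below.
$stmt = $pdo->prepare(
    "SELECT cust_id, cust_password FROM candy_customer WHERE cust_username = :u"
);
$stmt->execute([":u" => $cust_username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no such user

// Assumption: cust_password holds a password_hash() value.
if ($row !== false && password_verify($cust_password, $row["cust_password"])) {
    session_regenerate_id(true);          // fresh session ID once logged in
    $_SESSION["cust_id"]       = $row["cust_id"];
    $_SESSION["last_activity"] = time();  // used by pages that enforce an idle timeout
    header("Location: Menu.php");
} else {
    // Same response for unknown user and wrong password: don't reveal which failed.
    header("Location: candy_login.php?msg=invalidLogin");
}
exit();   // nothing after a redirect header should keep running
```

With the query no longer depending on how many rows a concatenated condition returns, the "0 vs. more than 0 rows" check the attack relies on no longer exists.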