Authentication for Web Application Security

In the last article we started to build our site and then continued to explore the login script. In this article we will continue to explore the script but will also discuss in detail the process of authentication and its security implications. We will eventually look at some of the common attacks that are perpetrated by malicious users. Join us in this fourth part of an eight-part series.

The Login Script continued

Since we’ve already explored and discussed the JavaScript code, let’s go through the actual login script. Here’s the PHP code for the login form:


<?php

session_start();

//someone registered?
if(isset($_GET['reg'])){
    $reg="Your details have been added, please login";
}

$error=false;
$errmsg="";

//has form been submitted
if(isset($_POST['key'])){

    //check that neither the username nor the password is empty
    if( empty($_POST['uname']) || empty($_POST['upass']) ){
        $errmsg="Please enter your username and password.";
        $error=true;
    }

    //check that neither the username nor the password is purely numeric
    if( is_numeric($_POST['uname']) || is_numeric($_POST['upass']) ){
        $errmsg="Please enter a valid username and password.";
        $error=true;
    }

    //if no error then start authentication process
    if(!$error){

        //transfer to shorter var
        $n=$_POST['uname'];
        $p=$_POST['upass'];

        //connect to db
        include('../config.inc');

        //escape for use inside a quoted SQL string literal (needs the open connection)
        $cleanuname=mysql_real_escape_string($n);
        $cleanupass=mysql_real_escape_string($p);

        //compares the submitted password with the stored one as typed: see the discussion below
        $query="select uname,pw from users where uname='$cleanuname' and pw='$cleanupass' ";
        $result=mysql_query($query);

        $num=mysql_num_rows($result);
        if($num>0 ){

            //put in session vars; the session is already started, so only issue a fresh id
            session_regenerate_id(true);
            $mytime=time();
            $mytime=date("H:i:s A",$mytime);
            $_SESSION['time'] = $mytime;
            $_SESSION['status'] = 'logged';
            $_SESSION['username'] = $n;   //the escaped copy is only meaningful inside SQL

            //goto next page; exit so that nothing after the redirect is sent
            header("Location: welcome.php");
            exit;

        }else{
            $_SESSION['status'] = 'not logged';
            $errmsg="Your username ($n) and password do not match, please try again.";
        }
    }
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/primary/Templates/was.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<!-- InstanceBeginEditable name="doctitle" -->
<title>WebSecure::Login</title>
<!-- InstanceEndEditable -->
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="Templates/was.css" rel="stylesheet" type="text/css" />

<script language="javascript" type="text/javascript">
function checkform(pform1){
    if(pform1.uname.value==""){
        alert("Please enter a username");
        pform1.uname.focus();
        return false;
    }
    //the password field is named upass, so that is what we test
    if(pform1.upass.value==""){
        alert("Please enter a password");
        pform1.upass.focus();
        return false;
    }
    return true;
}
</script>
</head>

<body>
<table width="99%" border="1">
<tr>
<td bgcolor="#333333" class="header">Web Secure</td>
</tr>
<tr>
<td><!-- InstanceBeginEditable name="main" -->
<form name="form1" onSubmit="return checkform(this)" method="post" action="">
<table width="41%" border="0" align="center" cellpadding="0" cellspacing="3">
<tr class="listtop">
<td colspan="3">Login Status:<?php if($errmsg!==""){
    //escape before echoing: $errmsg carries the username the visitor typed
    echo htmlspecialchars($errmsg, ENT_QUOTES, 'ISO-8859-1');
}elseif(isset($reg)){
    echo $reg;
}?></td>
</tr>
<tr>
<td width="9%">Username</td>
<td width="41%"><input name="uname" type="text" id="uname" size="50"></td>
<td width="50%" rowspan="4">&nbsp;</td>
</tr>
<tr>
<td>Password</td>
<td><input name="upass" type="password" id="upass" size="50">
<input type="hidden" name="key" value="1" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><a href="../password.php">Forgotten your password?</a>|<a href="register.php">Register</a></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</form>
<!-- InstanceEndEditable --></td>
</tr>
<tr>
<td class="copy">&copy;2008</td>
</tr>
</table>
</body>
<!-- InstanceEnd --></html>



Code Explained

When the form is submitted, a hidden form value called “key” is sent to the PHP portion of the script. We will use this value to test whether or not the form has been submitted. Usually we would use the submit button value, but I’ve noticed that sometimes users simply press the return key instead of the submit button on the form; the form gets submitted and nothing happens. By using this hidden key, we avoid this issue because it works for both the form button and the return key.

The code starts by checking to see if a querystring value called “reg” has been received and places an appropriate message in the $reg variable. This code is an extension of the registration script which we will discuss later:

session_start();

//someone registered?

if(isset($_GET['reg'])){

$reg="Your details have been added, please login";

}


The next part sets up some variables that we will require in the script. The $error and $errmsg variables are used to determine if an error occurred, and if so, an error message is stored in the $errmsg variable:


$error=false;

$errmsg="";


Then we check to see if the form has been submitted:

//has form been submitted

if(isset($_POST['key'])){


Once the form has been submitted, we have to validate the data before we use it. How do we check its validity? Every value in $_POST arrives as a string, whatever the user typed, so the useful checks are whether a value is present at all and whether its content is acceptable. First we test whether either form value is empty, using PHP's empty() function. The two tests are joined with || rather than &&: with && the error is only raised when both fields are blank, and a request with just a password filled in would go straight through to the database query:


//check that neither the username nor the password is empty
if( empty($_POST['uname']) || empty($_POST['upass']) ){
    $errmsg="Please enter your username and password.";
    $error=true;
}


Secondly we reject values that consist only of digits, again joined with || so that either field on its own triggers the error. is_numeric() looks at the content of the string, not at its PHP type, and is true for "1234" as well as for "1.5e3". This is a policy decision for this site rather than a security control; if your users may choose all-numeric passwords, leave the check out for the password field:


//check that neither the username nor the password is purely numeric
if( is_numeric($_POST['uname']) || is_numeric($_POST['upass']) ){
    $errmsg="Please enter a valid username and password.";
    $error=true;
}


Provided that no errors occurred, that is, both form values contain something and neither is purely numeric, we copy them into shorter variables:


//if no error then start authentication process

if(!$error){


//transfer to shorter var

$n=$_POST['uname'];

$p=$_POST['upass'];



 

This is just to make the variables easier to work with; you do not have to follow this step at all. Next we include the config file, which contains the database connection details and opens the connection. Take note of the path: ../config.inc sits in the same directory as password.php, which the form links to, so it is inside the web root. Unless the server is configured to execute .inc files as PHP or to refuse requests for them, a request for /config.inc returns the file as plain text, connection details included. Either move it above the document root or name it config.inc.php so the server runs it instead of serving it:


//connect to db
include('../config.inc');


Then we apply the final filter before the values go into SQL: mysql_real_escape_string(). Despite the word "clean", it does not strip spaces or anything else. It puts a backslash in front of the characters that have special meaning inside a MySQL string literal (the two quote characters, the backslash, NUL and the line terminators), so that a value such as ' or '1'='1 stays inside the quotes of the query below instead of ending them. It needs the open connection from config.inc because it escapes according to the connection's character set, which is why it is called after the include. The mysql extension it belongs to has been removed from PHP 7; with mysqli or PDO the same job is done better by prepared statements, where the values never become part of the SQL text at all:


//escape for use inside a quoted SQL string literal
$cleanuname=mysql_real_escape_string($n);
$cleanupass=mysql_real_escape_string($p);

Code continued

Now we run the SQL to see whether this user has the right to access our website. Notice that the query does not retrieve every column; it names only the two it needs, uname and pw. The row is only counted, never read, so a single column would do just as well. Notice also what the WHERE clause implies: the password typed into the form is compared directly with the stored pw column, which only works if the registration script stored the password in clear text. That is fine for following the example, but a production site stores a salted hash, looks the row up by username alone and verifies the submitted password in PHP; a copy of the users table then gives an attacker no passwords to reuse:


$query="select uname,pw from users where uname='$cleanuname' and pw='$cleanupass' ";
$result=mysql_query($query);
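
The same check written with prepared statements and hashed passwords, as an added example; this is not the article's code. It assumes PHP 5.5 or later with the pdo_mysql driver, a database name and credentials as given in the DSN (placeholders, not the article's config.inc), and a registration script that stored the output of password_hash() in users.pw instead of the clear-text password:

```php
<?php
// Added example, not the article's code: the login check with PDO prepared
// statements and hashed passwords. Assumptions not in the article: PHP 5.5+,
// the pdo_mysql driver, the DSN/credentials below, and a register.php that
// stored password_hash($password, PASSWORD_DEFAULT) in users.pw.
session_start();

$errmsg = "";

if (isset($_POST['key'])) {
    // Every $_POST value is a string; check each field on its own.
    $n = isset($_POST['uname']) ? trim($_POST['uname']) : "";
    $p = isset($_POST['upass']) ? $_POST['upass'] : "";   // never trim a password

    if ($n === "" || $p === "") {
        $errmsg = "Please enter your username and password.";
    } elseif (strlen($n) > 64 || strlen($p) > 1024) {
        // Upper bounds keep a caller from feeding megabytes into bcrypt.
        $errmsg = "Please enter a valid username and password.";
    } else {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=websecure;charset=utf8mb4',  // assumed DSN
            'websecure_user', 'change-me',                            // assumed credentials
            array(
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares, no client-side quoting
            )
        );

        // The username travels as a bound parameter, never as part of the SQL
        // text, so there is nothing to escape and no quote can end the literal.
        // Only the username is looked up; the password is verified in PHP.
        $stmt = $pdo->prepare('SELECT uname, pw FROM users WHERE uname = ? LIMIT 1');
        $stmt->execute(array($n));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // Always run one password_verify(), even for an unknown user, so the
        // response time does not reveal which usernames exist.
        $hash = $row ? $row['pw'] : password_hash('no-such-user', PASSWORD_DEFAULT);
        $ok   = password_verify($p, $hash) && $row !== false;

        if ($ok) {
            session_regenerate_id(true);        // fresh id: a pre-login id cannot be reused
            $_SESSION['username'] = $row['uname'];
            $_SESSION['status']   = 'logged';
            $_SESSION['time']     = time();     // integer, so pages can enforce an idle limit
            header('Location: welcome.php');
            exit;                               // header() alone does not stop the script
        }

        // One message for "no such user" and for "wrong password".
        $errmsg = "Your username and password do not match, please try again.";
    }
}
?>
<!-- status cell of the form: the message is escaped before it reaches the browser -->
<p>Login Status: <?php echo htmlspecialchars($errmsg, ENT_QUOTES, 'UTF-8'); ?></p>
```

The is_numeric() test is dropped here: once the value is bound as a parameter a username or password made only of digits is no longer a risk to the query, and the length limits keep the input sane. The dummy password_hash() call for an unknown user costs one bcrypt computation, which is also what a wrong password costs, so the two failures take about the same time.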


We test to see if the query returned any results by using the mysql_num_rows() function.


$num=mysql_num_rows($result);

if($num>0 ){


If this function returns a value greater than zero, the credentials matched and we record the login in session variables. The session was already started at the top of the script, so it must not be started a second time here; what we do want at this point is a fresh session id, so that the id the browser was carrying before login (one that could have been planted in it) is not the id that now represents a logged-in user. session_regenerate_id(true) does that and discards the old session data. The username stored in the session is the value the user submitted, not the escaped copy, which is only meaningful inside SQL:


//put in session vars
session_regenerate_id(true);
$mytime=time();
$mytime=date("H:i:s A",$mytime);
$_SESSION['time'] = $mytime;
$_SESSION['status'] = 'logged';
$_SESSION['username'] = $n;


These variables are going to be used on every other page of the site. A simple way to decide whether a visitor may see a page is to check whether $_SESSION['username'] is set; if it is not, redirect to the login page, and call exit immediately after the header() call, because the redirect header on its own does not stop PHP from sending the rest of the page. After successful authentication the user is sent to the Welcome (or index) page of the site:


//goto next page

header("location:welcome.php");

exit;

}


If the authentication process failed, the user is told so. The message deliberately does not say whether it was the username or the password that was wrong. It does include $n, the raw submitted username, and $errmsg is later printed inside the HTML page, so the status cell must pass it through htmlspecialchars() before echoing it; otherwise whatever markup the visitor typed into the username field is reflected straight into the page:

}else{
    $_SESSION['status'] = 'not logged';
    $errmsg="Your username ($n) and password do not match, please try again.";
}

}

?>


Here's a screenshot of the login page:

Authentication

So what is authentication all about? Authentication is the process by which a user proves a claimed identity, usually by presenting a username together with something only that user should know, the password, as demonstrated above. This typically takes place in a login form. A user who has logged in is therefore authenticated; nothing has yet been decided about what that user may do.

After a user is authenticated, he or she is granted access to a particular part of the web site or application, or to all of it. If we take the example of a blog, only the administrator will have access to the administration part of the blog, while a normal user will only be able to add comments on a particular topic. Deciding which authenticated users may reach which areas, and refusing the rest, is called authorization or access control. It is a separate step from authentication: the login script establishes who the user is, and each protected page must then decide whether that user is allowed there.
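
As an added example that is not the article's code, here are the two checks just described, the authentication check on $_SESSION['username'] from the session discussion above and the authorization check for an area such as the blog's administration pages, written as one include file that every protected page loads before it sends any output. It assumes that the login script stored an integer time() value in $_SESSION['time'] (the script above stores a formatted string) and, hypothetically, a role for the user in $_SESSION['role']; the site has no such column yet.

```php
<?php
// Added example, not the article's code: auth.php, a guard that every
// protected page includes before it sends any output.
//
//   require '../auth.php';
//   require_login();            // any logged-in user (welcome.php)
//   require_role('admin');      // administrator only (the blog example)
//   session_start(); logout();  // logout.php
//
// Assumptions not in the article: login.php stored an integer time() value
// in $_SESSION['time'] rather than a formatted string, and (hypothetically)
// a 'role' value read from the users table into $_SESSION['role'].

define('SESSION_IDLE_LIMIT', 15 * 60);   // seconds of inactivity before the login expires

function logout() {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie in the browser as well as on the server.
        $c = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $c['path'], $c['domain'], $c['secure'], $c['httponly']);
    }
    session_destroy();
}

// Authentication: is there a logged-in user behind this session at all?
function require_login() {
    if (session_status() !== PHP_SESSION_ACTIVE) {   // PHP 5.4+
        session_start();
    }
    $now = time();

    if (empty($_SESSION['username'])
        || !isset($_SESSION['status']) || $_SESSION['status'] !== 'logged') {
        header('Location: login.php');
        exit;                                         // never fall through to the page
    }

    if (isset($_SESSION['time']) && $now - (int)$_SESSION['time'] > SESSION_IDLE_LIMIT) {
        logout();                                     // stale login: force a new one
        header('Location: login.php');
        exit;
    }
    $_SESSION['time'] = $now;                         // slide the idle window
}

// Authorization: does the logged-in user hold the role this page needs?
function require_role($role) {
    require_login();
    if (!isset($_SESSION['role']) || $_SESSION['role'] !== $role) {
        header('HTTP/1.1 403 Forbidden');
        echo 'You are not allowed to view this page.';
        exit;
    }
}
?>
```

The include must come before any HTML is echoed, since both functions send headers. Keeping the checks in one file means a page cannot be forgotten by mistake half-way through its own copy of the logic, and adding a new role or a different timeout is a one-line change.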

Basically, there are two primary methods of authentication in a web application. The preferred one, and the one used on this site, is an HTML form handled by your own script, as coded here:


<form name="form1" method="post" action="" onSubmit="return checkform(this)">
<table width="41%" border="0" align="center" cellpadding="0" cellspacing="3">
<tr class="listtop">
<td colspan="3">Login Status:<?php if($errmsg!==""){
    echo htmlspecialchars($errmsg, ENT_QUOTES, 'ISO-8859-1');
}elseif(isset($reg)){
    echo $reg;
}?></td>
</tr>
<tr>
<td width="9%">Username</td>
<td width="41%"><input name="uname" type="text" id="uname" size="50"></td>
<td width="50%" rowspan="4">&nbsp;</td>
</tr>
<tr>
<td>Password</td>
<td><input name="upass" type="password" id="upass" size="50">
<input type="hidden" name="key" value="1" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><a href="../password.php">Forgotten your password?</a>|<a href="register.php">Register</a></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" name="submit" value="Login"></td>
</tr>
</table>
</form>


This is the most widely used method of authentication and the one that gives the developer the most control: the site decides how the credentials are checked, how long a login lasts, how the user logs out and what the login page looks like, none of which a mechanism handled by the browser itself offers. That control is also a responsibility. A form-based login is only as safe as the code behind it, so the password must travel over TLS, be stored as a salted hash rather than in clear text, and be checked with a query that the submitted values cannot rewrite.

Conclusion

In the next article we will continue to discuss authentication and also try to complete the creation of our site.
