Authentication - Dr. Steven Bitner (PowerPoint PPT presentation)


  1. Authentication
     Dr. Steven Bitner

  2. Hashing
     - Hashing is ONE WAY (unlike encryption, it is not reversible)
     - You cannot retrieve the plain text
     - Common hashes: md5, sha1, sha256
         $password = hash('md5', $password);
     - Better (though less common hash): Bcrypt
     - http://kc-sce-sphp01.kc.umkc.edu/~bitners/showCode.php?page=resources/hash/hasher.php

  3. More hashing
     - Never store any passwords in plaintext
     - Most people in the PHP community look down on your code if you don't use Bcrypt, but anything is better than nothing.
     - On new projects, you are best to start off with Bcrypt
     - Why:
         - Automatically generates salts
         - It's really slow
         - It's really, really slow if you want it to be (the cost factor is tunable)
     - If you want more info: http://codahale.com/how-to-safely-store-a-password/

  4. Hashing in action
     - http://kc-sce-sphp01.kc.umkc.edu/~bitners/showCode.php?page=hashTest.php
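The hashing slides contrast the one-line md5 call with Bcrypt. The following is an added example, not code from the slides or from the linked hasher.php: it puts the two side by side using PHP's built-in password_hash()/password_verify(), which need PHP 5.5 or later (the slides mention PHP 5.2, so the PHP version is an assumption here). The sample password is constructed for the demo.

```php
<?php
// Added example, not from the slides: the md5 call the slides show beside
// bcrypt via password_hash()/password_verify() (PHP 5.5+ assumed).

// The slide's approach: fast, unsalted, and identical for identical passwords.
function md5_hash($password) {
    return hash('md5', $password);
}

// bcrypt: a fresh random salt is generated on every call, and the cost
// parameter sets how slow hashing is (each +1 doubles the work; 10 is PHP's
// default). The result is a self-describing string starting with "$2y$".
function bcrypt_hash($password, $cost = 10) {
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
}

// Checking must go through password_verify(), which reads the salt and cost
// back out of the stored string. Never compare bcrypt strings with ==.
function bcrypt_check($password, $storedHash) {
    return password_verify($password, $storedHash);
}

$pw = 'correct horse battery staple';   // constructed sample (xkcd 936, linked from the assignment slide)

echo 'md5 is deterministic: ', var_export(md5_hash($pw) === md5_hash($pw), true), "\n";

$h1 = bcrypt_hash($pw);
$h2 = bcrypt_hash($pw);
echo 'bcrypt strings for the same password differ: ', var_export($h1 !== $h2, true), "\n";
echo 'but both still verify: ', var_export(bcrypt_check($pw, $h1) && bcrypt_check($pw, $h2), true), "\n";
echo 'wrong password rejected: ', var_export(!bcrypt_check('wrong password', $h1), true), "\n";

// "Really, really slow if you want it to be": raise the cost and time it.
foreach (array(10, 12) as $cost) {
    $start = microtime(true);
    bcrypt_hash($pw, $cost);
    printf("cost %d: %.3f s per hash\n", $cost, microtime(true) - $start);
}
```

Store the whole string password_hash() returns (60 characters for bcrypt) in the users table; the salt and cost are embedded in it, so no separate salt column is needed. If you raise the cost later, password_needs_rehash() (also PHP 5.5+) tells you at login time which stored hashes should be regenerated.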

  5. Sessions
     - Stored on the server
     - Temporary (unless set up to store to a DB or other persistent data storage)
     - Must open a session before anything else:
         session_start();

  6. Cookies
     - Stored on the user's machine
     - The user's browser must accept cookies
     - Persistent
     - Can expire at the end of the browser session, or at some point in the future
     - Must be sent before any other output (e.g. echo statements)

  7. Setting a cookie
         setcookie('cookieName',   /* required */
                   'value',
                   $expiration,    /* default = 0 */
                   'path',
                   'domain',
                   $secure,        /* SSL/TLS only? default = false */
                   $httponly);     /* HTTP only (no JavaScript access)? default = false */
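Slides 5 to 7 give the rules (session_start() before any output, cookies sent before any output, the secure and HTTP-only flags); the following login handler is an added example that applies them together. It is not code from the slides. The user table is constructed inline as a stand-in for a database lookup, the cookie name lastUser and the redirect target are made up for the example, the site is assumed to be served over HTTPS (the secure flag stops the cookie being sent otherwise), and password_hash()/password_verify() assume PHP 5.5+.

```php
<?php
// Added example, not from the slides: a login handler combining the session
// and cookie rules from slides 5-7.

// Constructed stand-in for the users table: username => bcrypt hash.
$users = array(
    'bitners' => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
);

function credentials_ok(array $users, $username, $password) {
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Flags for PHP's own session-id cookie, set before session_start():
// lifetime 0 (ends with the browser), path, domain, secure, httponly.
session_set_cookie_params(0, '/', '', true, true);

session_start(); // before any output: headers cannot follow an echo

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if (credentials_ok($users, $username, $password)) {
    // Issue a fresh session id on login so an id handed out before
    // authentication is never promoted to a logged-in one (session fixation).
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['logged_in_at'] = time();

    // Persistent cookie so the login form can pre-fill the username next time.
    // Nothing secret goes in it: it lives on the user's machine (slide 6).
    setcookie('lastUser',                   // name (required)
              $username,                    // value
              time() + 30 * 24 * 60 * 60,   // expiration: 30 days from now (0 = browser session)
              '/',                          // path: whole site
              '',                           // domain: current host only
              true,                         // SSL/TLS only
              true);                        // HTTP only: hidden from JavaScript

    header('Location: /welcome.php');       // also a header, so also before any output
    exit;
}

echo 'Login failed';
```

Check the result in the browser's cookie viewer (slide 8): the PHPSESSID cookie and lastUser should both show the Secure and HttpOnly flags, and only lastUser should have an expiry date.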

  8. Viewing cookies

  9. Registering new users
     - Decide what info will be used for login: username or email address
     - Email validation (as of PHP 5.2; returns false for an invalid address):
         $email = filter_var('bitners@umkc.edu', FILTER_VALIDATE_EMAIL);
     - All usernames should be unique, to ensure that a user is getting their own login credentials only
         - Can check by attempting to insert
         - Can check by querying the DB
     - What info do you really need? Permissions control, email lists etc.
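Slide 9 lists two ways to enforce unique usernames: query first, or just attempt the insert. The following added example (not code from the slides) takes the second route with a UNIQUE constraint and catches the duplicate-key error, alongside the filter_var() email check. It uses PDO with an in-memory SQLite database constructed here so it runs stand-alone; swap the DSN for your MySQL one, which reports duplicates with the same SQLSTATE 23000. The username rule is a policy chosen for the example, and password_hash() assumes PHP 5.5+.

```php
<?php
// Added example, not from the slides: registration with email validation and
// a database-enforced unique username.

$db = new PDO('sqlite::memory:');   // constructed in-memory DB for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE on username makes the database enforce "all usernames unique".
$db->exec('CREATE TABLE users (
             id       INTEGER PRIMARY KEY,
             username TEXT NOT NULL UNIQUE,
             email    TEXT NOT NULL,
             pwhash   TEXT NOT NULL)');

// Returns true on success; false with a reason in $error otherwise.
function register_user(PDO $db, $username, $email, $password, &$error) {
    $error = '';
    // Slide 9: validate the address with filter_var() (false when invalid).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $error = 'invalid email address';
        return false;
    }
    // Username policy chosen for this example: 3-20 letters, digits or underscores.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $error = 'username must be 3-20 letters, digits or underscores';
        return false;
    }
    // "Can check by attempting to insert": querying first and then inserting
    // leaves a window in which two requests both see the name as free; the
    // UNIQUE constraint plus catching the duplicate error closes it.
    $stmt = $db->prepare('INSERT INTO users (username, email, pwhash) VALUES (?, ?, ?)');
    try {
        $stmt->execute(array($username, $email, password_hash($password, PASSWORD_BCRYPT)));
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {   // SQLSTATE: integrity constraint violation
            $error = 'username already taken';
            return false;
        }
        throw $e;                                   // anything else is a real failure
    }
    return true;
}

// Constructed sample registrations: one good, one duplicate, one bad address.
$cases = array(
    array('bitners',  'bitners@umkc.edu', 'correct horse battery staple'),
    array('bitners',  'other@umkc.edu',   'Tr0ub4dor&3'),
    array('student1', 'not-an-email',     'hunter2'),
);
foreach ($cases as $c) {
    list($u, $e, $p) = $c;
    $ok = register_user($db, $u, $e, $p, $why);
    echo $u, ': ', ($ok ? 'registered' : 'rejected (' . $why . ')'), "\n";
}
```

Only the username, email and hash are stored, which answers the slide's "what info do you really need?" for a minimal login; add columns for permissions or mailing-list preferences only when the site actually uses them.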

  10. Think about what's really important http://xkcd.com/970/

  11. User maintenance
     - Should be able to change password
     - Should be able to update other information
     - Should be able to request a new password

  12. Logout
     - Unset all $_SESSION variables:
         session_start();
         session_unset();
     - Close the session:
         session_destroy();

  13. Don't forget to delete cookies
         setcookie('cookieName', '', 1);
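Slides 12 and 13 give the three logout calls; the following logout.php is an added example (not code from the slides) that runs them in order and also expires the cookies, including PHP's own session-id cookie, which session_destroy() leaves on the client. The cookie name lastUser and the redirect target are assumptions carried over from a login page that set such a cookie.

```php
<?php
// Added example, not from the slides: a complete logout page.

session_start();            // the session must be open before its data can be cleared

// Slide 12: drop every $_SESSION variable, then destroy the server-side record.
session_unset();
session_destroy();

// Slide 13: a cookie is deleted by re-sending it with an expiry in the past
// (timestamp 1 = one second after the epoch). Use the same path and domain it
// was set with, or the browser treats it as a different cookie and keeps the
// original.
setcookie('lastUser', '', 1, '/');

// session_destroy() does not touch the client's session-id cookie; expire it
// with the same parameters it was issued with, or the browser keeps sending
// the old id on every request.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', 1,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

header('Location: /login.php');   // a header, so it precedes any output
exit;
```

After visiting this page, the browser's cookie viewer should show neither lastUser nor PHPSESSID, and a request to a protected page should be treated as anonymous even if the old session id is replayed.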

  14. Assignment #8
     - I must be able to register and login to your website.
     - http://xkcd.com/936/
     - http://b.web.umkc.edu/bitners/490wd/assignment8.html
