NMD202 Web Scripting
Week8
What we will cover today
 Session and Cookies
 Exercises
 Authentication with PHP
 Exercises
 Assignment 1
Session and Cookies
The HTTP protocol is stateless.
Sessions and cookies are used to pass user data
along from one page to another.
Session
Sessions work by creating a unique
identification (UID) number for each visitor and
storing variables under this ID.
This prevents two users' data from conflicting
with one another when they use the same system.
Session
Before you can begin using the PHP session,
you must first start the session.
The call must come at the very beginning of your code,
before any output is sent.
session_start();
Session
Start Session:
session_start();
registers the user's session with the server, i.e.
assigns a UID (unique identification number)
to that user's session.
Session
Store in the user session:
$_SESSION – a superglobal that holds an
associative array with all the variables stored in
the session
Session
<?php
session_start();
$_SESSION['username'] = 'lsilva';
?>
This snippet registers the string 'lsilva' in the
session under the key 'username'.
Session
Check to see if session variable exists:
isset($_SESSION['username'])
returns a boolean (true/false) that indicates whether
the session is holding data for the key
'username'.
Session
Sessions take server memory, as the
information is stored by the hosting
environment.
It is good practice to dispose of session
variables when you no longer need them.
Session
Dispose session data:
if (isset($_SESSION['username']))
    unset($_SESSION['username']);
Session
Dispose the session:
session_start();
session_destroy();
Cookies
A cookie is a small bit of information stored in
the client browser at the request of a web page.
Cookie information can be set and read from PHP.
Cookie information is limited: in general it should
not exceed 1024 bytes.
Cookies
As with the session, cookies must be set before
any output is sent to the browser.
Cookies are available in the superglobal
$_COOKIE in the same way as $_SESSION.
Cookies
Example:
<?php
if (!isset($_COOKIE["visits"])) {
    // First request from this browser: start the counter at 1
    setcookie("visits", 1);
    echo "It appears that this is your first visit!";
} else {
    // Cookie values come from the client: cast to int before using or echoing them
    $visits = (int) $_COOKIE["visits"] + 1;
    setcookie("visits", $visits);
    echo "You have visited us $visits times!";
}
?>
Cookies
Security considerations:
Cookies are stored on the browser so do not
store any confidential information like
passwords.
Exercise
Create a login form for the student list system.
Check on every system page that the user is
authenticated before any output is sent.
Hardcode the username/password
combination in the configuration file.
Tip: Set some session variables after a successful login and check
them for authentication.
PHP Authentication
There are well-known attacks against the
session in PHP; to learn more, research:
Session Hijacking and Session Fixation
PHP Authentication
Hashes:
Algorithms that generate a unique output for
any given input.
• One-way functions (cannot be reversed)
• Unique output (no collisions), i.e. for 2 different
inputs always 2 different outputs
• Examples: md5, sha1
PHP Authentication
Passwords in the system should never be stored
in clear text; use an algorithm like md5 to
create hashes:
Store password:
$passwordHash = md5($_POST['password']);
// Store the hash in the database
Check password:
// Compare the stored hash with the hash of the submitted password
if ($storedPassword == md5($_POST['password']))
{
    // User provided a good password
}
PHP Authentication
To increase security, use a salt in your hash
(strings are joined with the . operator):
$passwordHash = md5($_POST['password'] .
    $_POST['username']);
This will increase resilience against a brute
force attack.
PHP Authentication
To increase security against session attacks,
use cookies together with the session.
For instance:
session_start();
if ($storedPassword == md5($_POST['password']))
{
    // Keep the hash in the session and mirror it in a cookie
    $_SESSION['hash'] = md5($_POST['password']);
    setcookie("hash", md5($_POST['password']));
}
Then check whether the cookie equals the stored session value:
if (isset($_SESSION['hash'], $_COOKIE['hash']) && $_COOKIE['hash'] == $_SESSION['hash'])
{
    // User is authenticated
}
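Here is an added example, not code from the slides, of the login and the per-page check written with the attacks named above in mind: PHP's password_hash()/password_verify() (automatically salted) stands in for md5 plus a manual salt, session_regenerate_id() counters session fixation, and the cookie carries a random token rather than a password hash. config.php, STORED_USER, STORED_HASH, login.php and students.php are assumed names.

```php
<?php
// Added example, not code from the slides. Assumes config.php defines STORED_USER
// and STORED_HASH, the latter made once with password_hash($pw, PASSWORD_DEFAULT),
// which salts automatically (swapped in for the slides' md5 + manual salt). PHP >= 7.3.
require 'config.php';

function login(string $user, string $pass): bool
{
    // password_verify() reads salt and cost from the stored hash itself.
    if (!hash_equals(STORED_USER, $user) || !password_verify($pass, STORED_HASH)) {
        return false;
    }
    // Fresh session ID on login: counters the session fixation attack named above.
    session_regenerate_id(true);
    // Random per-login token mirrored in a cookie instead of md5(password),
    // so the cookie never carries password material.
    $token = bin2hex(random_bytes(32));
    $_SESSION['auth_user']  = $user;
    $_SESSION['auth_token'] = $token;
    setcookie('auth_token', $token, [
        'httponly' => true,                      // hidden from JavaScript
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
        'path'     => '/',
    ]);
    return true;
}

function isAuthenticated(): bool
{
    // The slides' "cookie equals session" check, with a constant-time comparison.
    return isset($_SESSION['auth_token'], $_COOKIE['auth_token'])
        && hash_equals($_SESSION['auth_token'], $_COOKIE['auth_token']);
}

// login.php: handle the form, then send the user on.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: students.php');
        exit;
    }
    $error = 'Invalid username or password';   // one message for both failures
}

// Top of every protected page, before any output:
// session_start(); if (!isAuthenticated()) { header('Location: login.php'); exit; }
```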
Exercise
Create a username/password table and use it to store usernames
and password hashes.
Use http://md5-hash-online.waraxe.us/ to create hashes
Use cookies and sessions to confirm authentication.
Use a salt to harden your hashes (don’t forget to include the salt
when calculating hashes for the user table)