sana mateen, profile picture
Uploaded bysana mateen
905 views

Authentication methods

This document discusses different methods for authenticating users, including HTTP authentication, PHP authentication, and hard-coded authentication. HTTP authentication uses a 401 response to prompt for username and password, but does not encrypt the credentials. PHP authentication uses the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables to store and validate credentials. Hard-coded authentication checks credentials directly in the code, but has drawbacks like all users sharing the same credentials and difficulty changing them. The document also discusses using Apache .htaccess files and the header() and isset() PHP functions to implement authentication.

Embed presentation

Authenticating Your Users BY SANA MATEEN
HTTPAuthentication Concepts • The HTTP protocol offers a fairly effective means for user authentication, with a typical authentication scenario proceeding like this: 1. The client requests a restricted resource. 2. The server responds to this request with a 401 (Unauthorized access) response message. 3. The browser recognizes the 401 response and produces a pop-up authentication prompt . All modern browsers are capable of understanding HTTP authentication and offering appropriate capabilities, including Internet Explorer, Netscape Navigator, Mozilla Firefox, and Opera. 4. The user-supplied credentials (typically a username and password) are sent back to the server for validation. If the user supplies correct credentials, access is granted; otherwise it’s denied. 5. If the user is validated, the browser stores the authentication information within its cache. This cache information remains within the browser until the cache is cleared, or until another 401 server response is sent to the browser.
Limitation • Although HTTP authentication effectively controls access to restricted resources, it does not secure the channel in which the authentication credentials travel. • That is, it is possible for a well-positioned attacker to sniff, or monitor, all traffic taking place between a server and a client, and within this traffic are the unencrypted username and password. • To eliminate the possibility of compromise through such a method, you need to implement a secure communications channel, typically accomplished using Secure Sockets Layer (SSL). • SSL support is available for all mainstream web servers, including Apache and Microsoft Internet Information Server (IIS).
Using Apache’s .htaccess Feature • Blanket access control • The simplest form of access control is to authorize certain users for either read-only access to a repository or read/write access to a repository. • You’ll take advantage of this feature by creating a file named .htaccess and storing it within the directory you’d like to protect. Therefore, if you’d like to restrict access to an entire website, place this file within your site’s root directory. • In its simplest format, the .htaccess file’s contents look like this: • AuthUserFile /path/to/.htpasswd • AuthType Basic • AuthName "My Files" • Require valid-user • Replace /path/to with the path that points to another requisite file named .htpasswd. • This file contains the username and password which the user must supply in order to access the restricted content. • However, as a reference, the typical .htpasswd file looks like this: • admin:TcmvAdAHiM7UY • client:f.i9PC3.AtcXE • Each line contains a username and password pair, with the password encrypted to prevent prying eyes from potentially obtaining the entire identity. • When the user supplies a password, Apache will encrypt the provided password using the same algorithm originally used to encrypt the password stored in the .htpasswd file, comparing the two for equality.
Authenticating Your Users with PHP • PHP’s Authentication Variables • PHP uses two predefined variables to authenticate a user: $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. These variables store the username and password values, respectively. • While authenticating is as simple as comparing the expected username and password to these variables • Both variables must be verified at the start of every restricted page. You can easily accomplish this by authenticating the user prior to performing any other action on the restricted page, which typically means placing the authentication code in a separate file and then including that file in the restricted page using the require() function. • These variables do not function properly with the CGI version of PHP. • Useful Functions Two standard functions are commonly used when handling authentication via PHP: header() and isset(). Both are introduced in this section.
Sending HTTP Headers with header() • The header() function sends a raw HTTP header to the browser. The header parameter specifies the header information sent to the browser. Its prototype follows: • void header(string header [, boolean replace [, int http_response_code]]) • The optional replace parameter determines whether this information should replace or accompany a previously sent header. Finally, the optional http_response_code parameter defines a specific response code that will accompany the header information. • Applied to user authentication, this function is useful for sending the WWW authentication header to the browser, causing the pop-up authentication prompt to be displayed. • It is also useful for sending the 401 header message to the user if incorrect authentication credentials are submitted.
Determining if a Variable is Set with isset() • The isset() function determines whether a variable has been assigned a value. Its prototype follows: • boolean isset(mixed var [, mixed var [,...]]) • It returns TRUE if the variable contains a value and FALSE if it does not. • As applied to user authentication, the isset() function is useful for determining whether the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables are properly set.
Hard-Coded Authentication • The simplest way to restrict resource access is by hard-coding the username and password directly into the script. • In the example shown in next slide, if $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are equal to client and secret, respectively, the code block will not execute, and anything ensuing that block will execute. • Otherwise, the user is prompted for the username and password until either the proper information is provided or a 401 Unauthorized message is displayed due to multiple authentication failures. • Drawbacks: • Foremost, all users requiring access to that resource must use the same authentication pair • Second, changing the username or password can be done only by entering the code and making the manual adjustment. The next two methodologies remove these issues.
Authentication methods

More Related Content

PDF
Authentication techniques
byIGZ Software house
 
PPTX
User authentication
byCAS
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PDF
JavaScript - Chapter 11 - Events
byWebStackAcademy
 
PPT
Email Security : PGP & SMIME
byRohit Soni
 
PDF
An introduction to X.509 certificates
byStephane Potier
 
PPT
Digital signature
byHossain Md Shakhawat
 
PPTX
Authentication(pswrd,token,certificate,biometric)
byAli Raw
 
Authentication techniques
byIGZ Software house
 
User authentication
byCAS
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
JavaScript - Chapter 11 - Events
byWebStackAcademy
 
Email Security : PGP & SMIME
byRohit Soni
 
An introduction to X.509 certificates
byStephane Potier
 
Digital signature
byHossain Md Shakhawat
 
Authentication(pswrd,token,certificate,biometric)
byAli Raw
 

What's hot

PPTX
Cyber security
byManjushree Mashal
 
PPTX
SQL INJECTION
byAnoop T
 
PPTX
Kerberos
bySutanu Paul
 
PDF
Public key Infrastructure (PKI)
byVenkatesh Jambulingam
 
PPTX
public key infrastructure
byvimal kumar
 
PPT
Security tools
byarfan shahzad
 
PPT
Symmetric and Asymmetric Encryption.ppt
byHassanAli980906
 
PPTX
Malicious Software
byHamza Muhammad
 
PPTX
Password craking techniques
byأحلام انصارى
 
PPTX
Email security
byBaliram Yadav
 
PPT
Network security
byAli Kamil
 
PPTX
Malware analysis
byPrakashchand Suthar
 
PPTX
Public Key Cryptography
byGopal Sakarkar
 
PPT
Block Cipher and its Design Principles
bySHUBHA CHATURVEDI
 
PPTX
Secure Socket Layer (SSL)
bySamip jain
 
PPTX
System security
byinvertis university
 
PPTX
Symmetric and asymmetric key
byTriad Square InfoSec
 
PPTX
Block cipher modes of operation
byharshit chavda
 
PPTX
Internet security protocol
byMousmi Pawar
 
PPT
Authentication Application in Network Security NS4
bykoolkampus
 
Cyber security
byManjushree Mashal
 
SQL INJECTION
byAnoop T
 
Kerberos
bySutanu Paul
 
Public key Infrastructure (PKI)
byVenkatesh Jambulingam
 
public key infrastructure
byvimal kumar
 
Security tools
byarfan shahzad
 
Symmetric and Asymmetric Encryption.ppt
byHassanAli980906
 
Malicious Software
byHamza Muhammad
 
Password craking techniques
byأحلام انصارى
 
Email security
byBaliram Yadav
 
Network security
byAli Kamil
 
Malware analysis
byPrakashchand Suthar
 
Public Key Cryptography
byGopal Sakarkar
 
Block Cipher and its Design Principles
bySHUBHA CHATURVEDI
 
Secure Socket Layer (SSL)
bySamip jain
 
System security
byinvertis university
 
Symmetric and asymmetric key
byTriad Square InfoSec
 
Block cipher modes of operation
byharshit chavda
 
Internet security protocol
byMousmi Pawar
 
Authentication Application in Network Security NS4
bykoolkampus
 

Similar to Authentication methods

PDF
Ch 6: Attacking Authentication
bySam Bowne
 
PPTX
Session management
byDhruv Aggarwal
 
PPTX
Chapter 1.Web Techniques_Notes.pptx
byShitalGhotekar
 
PDF
Security in php
byJalpesh Vasa
 
PDF
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
PPTX
Secure programming with php
byMohmad Feroz
 
PDF
Securing the Apache web server
bywebhostingguy
 
PDF
Securing the Apache web server
bywebhostingguy
 
PDF
Http and security
byNikola Milosevic
 
PPT
Apache Web Server Setup 4
byInformation Technology
 
PPTX
Cm2 secure code_training_1day_data_protection
bydcervigni
 
PPT
Presentation (PPT)
bywebhostingguy
 
PDF
Apache2 BootCamp : Restricting Access
byWildan Maulana
 
PDF
PHP Making Web Forms
bykrishnapriya Tadepalli
 
PDF
Web security and OWASP
byIsuru Samaraweera
 
PPTX
Secure coding | XSS Attacks on current Web Applications
byn|u - The Open Security Community
 
PPT
Htaccess info
byumakant jadhav
 
ODP
LAMP security practices
byAmit Kejriwal
 
PDF
Session4-Authentication
byzakieh alizadeh
 
PPTX
Securing your web apps now
byStephan Steynfaardt
 
Ch 6: Attacking Authentication
bySam Bowne
 
Session management
byDhruv Aggarwal
 
Chapter 1.Web Techniques_Notes.pptx
byShitalGhotekar
 
Security in php
byJalpesh Vasa
 
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
Secure programming with php
byMohmad Feroz
 
Securing the Apache web server
bywebhostingguy
 
Securing the Apache web server
bywebhostingguy
 
Http and security
byNikola Milosevic
 
Apache Web Server Setup 4
byInformation Technology
 
Cm2 secure code_training_1day_data_protection
bydcervigni
 
Presentation (PPT)
bywebhostingguy
 
Apache2 BootCamp : Restricting Access
byWildan Maulana
 
PHP Making Web Forms
bykrishnapriya Tadepalli
 
Web security and OWASP
byIsuru Samaraweera
 
Secure coding | XSS Attacks on current Web Applications
byn|u - The Open Security Community
 
Htaccess info
byumakant jadhav
 
LAMP security practices
byAmit Kejriwal
 
Session4-Authentication
byzakieh alizadeh
 
Securing your web apps now
byStephan Steynfaardt
 

More from sana mateen

PPTX
Files in php
bysana mateen
 
PPTX
PHP Variables and scopes
bysana mateen
 
PPTX
Php and web forms
bysana mateen
 
PPTX
Xml dtd
bysana mateen
 
PPTX
File upload php
bysana mateen
 
PPTX
Dom parser
bysana mateen
 
PPTX
Php intro
bysana mateen
 
PPTX
Xml dom
bysana mateen
 
PPTX
Unit 1-uses for scripting languages,web scripting
bysana mateen
 
PPTX
Unit 1-subroutines in perl
bysana mateen
 
PPTX
Unit 1-scalar expressions and control structures
bysana mateen
 
PPTX
Encryption in php
bysana mateen
 
PPTX
Xhtml
bysana mateen
 
PPTX
Unit 1-strings,patterns and regular expressions
bysana mateen
 
PPTX
Unit 1-perl names values and variables
bysana mateen
 
PPTX
Files
bysana mateen
 
PPTX
Intro xml
bysana mateen
 
PPTX
Xml schema
bysana mateen
 
PPTX
Regex posix
bysana mateen
 
PPTX
Mail
bysana mateen
 
Files in php
bysana mateen
 
PHP Variables and scopes
bysana mateen
 
Php and web forms
bysana mateen
 
Xml dtd
bysana mateen
 
File upload php
bysana mateen
 
Dom parser
bysana mateen
 
Php intro
bysana mateen
 
Xml dom
bysana mateen
 
Unit 1-uses for scripting languages,web scripting
bysana mateen
 
Unit 1-subroutines in perl
bysana mateen
 
Unit 1-scalar expressions and control structures
bysana mateen
 
Encryption in php
bysana mateen
 
Xhtml
bysana mateen
 
Unit 1-strings,patterns and regular expressions
bysana mateen
 
Unit 1-perl names values and variables
bysana mateen
 
Files
bysana mateen
 
Intro xml
bysana mateen
 
Xml schema
bysana mateen
 
Regex posix
bysana mateen
 
Mail
bysana mateen
 

Recently uploaded

PDF
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
PDF
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
PDF
DEFINITION OF COMMUNITY Sociology. .pdf
byJhasketan Kuanar
 
PDF
Digital Journalism Ethics 2025 materi for Regulation & Ethic Media
byAdePutraTunggali
 
PPTX
Finals - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
PPTX
Screening and Selecting Studies for Systematic Review Dr Reginald Quansah
bySystematic Reviews Network (SRN)
 
PDF
Digital Electronics – Registers and Their Applications
byGS Virdi
 
PDF
CXC-AD Associate Degree Handbook (Revised)
byCaribbean Examinations Council
 
PPTX
Masterclass on Cybercrime, Scams & Safety Hacks.pptx
bykalkidirwhytap
 
PDF
LH_Lecture Note on Spices , AI And Importance in Human Life.pdf
bybisensharad
 
PPTX
kklklklklklklklk;lkpoipor[3rjdkjoe99759893058085
bypreetheshparmar
 
PPTX
DEPED MEMORANDUM 089, 2025 PMES guidelines pptx
byRoseBubuli
 
PPTX
Quarter 3 lesson 2 of English Grade 8.pptx
byMamGamino
 
PPTX
Declaration of Helsinki Basic principles in medical research ppt.pptx
byRanikonde
 
PPTX
Time Series Analysis - Method of Simple Moving Average 3 Year and 4 Year Movi...
bySundar B N
 
PPTX
SEMESTER 5 UNIT- 1 Difference of Children and adults.pptx
bysachin7989
 
PPTX
Photography Pillar 1 The Subject PowerPoint
bymjb77ny
 
PPTX
Elderly in India: The Changing Scenario.pptx
byMonika
 
PPTX
Time Series Analysis - Weighted (Unequal) Moving Average Method
bySundar B N
 
PPTX
Chapter 3. Pharmaceutical Aids (pharmaceutics)
bySharibJamal
 
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
DEFINITION OF COMMUNITY Sociology. .pdf
byJhasketan Kuanar
 
Digital Journalism Ethics 2025 materi for Regulation & Ethic Media
byAdePutraTunggali
 
Finals - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
Screening and Selecting Studies for Systematic Review Dr Reginald Quansah
bySystematic Reviews Network (SRN)
 
Digital Electronics – Registers and Their Applications
byGS Virdi
 
CXC-AD Associate Degree Handbook (Revised)
byCaribbean Examinations Council
 
Masterclass on Cybercrime, Scams & Safety Hacks.pptx
bykalkidirwhytap
 
LH_Lecture Note on Spices , AI And Importance in Human Life.pdf
bybisensharad
 
kklklklklklklklk;lkpoipor[3rjdkjoe99759893058085
bypreetheshparmar
 
DEPED MEMORANDUM 089, 2025 PMES guidelines pptx
byRoseBubuli
 
Quarter 3 lesson 2 of English Grade 8.pptx
byMamGamino
 
Declaration of Helsinki Basic principles in medical research ppt.pptx
byRanikonde
 
Time Series Analysis - Method of Simple Moving Average 3 Year and 4 Year Movi...
bySundar B N
 
SEMESTER 5 UNIT- 1 Difference of Children and adults.pptx
bysachin7989
 
Photography Pillar 1 The Subject PowerPoint
bymjb77ny
 
Elderly in India: The Changing Scenario.pptx
byMonika
 
Time Series Analysis - Weighted (Unequal) Moving Average Method
bySundar B N
 
Chapter 3. Pharmaceutical Aids (pharmaceutics)
bySharibJamal
 
In this document
Powered by AI

Introduction to the topic of user authentication by Sana Mateen.

Details the HTTP authentication process, including steps from client request to server access validation.

Mentions the lack of encryption in HTTP authentication, emphasizing the need for SSL to secure credentials.

Explains .htaccess for access control in Apache, detailing file setup for user authentication and encrypted passwords.

Describes PHP authentication variables and the need for user verification on restricted pages.

Details the header() function in PHP for sending HTTP headers, useful for triggering authentication prompts.

Explains the isset() function to check if authentication variables are set before user access.

Describes hard-coding authentication in scripts, highlighting drawbacks like lack of flexibility.

Authentication methods

  • 1.
  • 2.
    HTTPAuthentication Concepts • TheHTTP protocol offers a fairly effective means for user authentication, with a typical authentication scenario proceeding like this: 1. The client requests a restricted resource. 2. The server responds to this request with a 401 (Unauthorized access) response message. 3. The browser recognizes the 401 response and produces a pop-up authentication prompt . All modern browsers are capable of understanding HTTP authentication and offering appropriate capabilities, including Internet Explorer, Netscape Navigator, Mozilla Firefox, and Opera. 4. The user-supplied credentials (typically a username and password) are sent back to the server for validation. If the user supplies correct credentials, access is granted; otherwise it’s denied. 5. If the user is validated, the browser stores the authentication information within its cache. This cache information remains within the browser until the cache is cleared, or until another 401 server response is sent to the browser.
  • 3.
    Limitation • Although HTTPauthentication effectively controls access to restricted resources, it does not secure the channel in which the authentication credentials travel. • That is, it is possible for a well-positioned attacker to sniff, or monitor, all traffic taking place between a server and a client, and within this traffic are the unencrypted username and password. • To eliminate the possibility of compromise through such a method, you need to implement a secure communications channel, typically accomplished using Secure Sockets Layer (SSL). • SSL support is available for all mainstream web servers, including Apache and Microsoft Internet Information Server (IIS).
  • 4.
    Using Apache’s .htaccessFeature • Blanket access control • The simplest form of access control is to authorize certain users for either read-only access to a repository or read/write access to a repository. • You’ll take advantage of this feature by creating a file named .htaccess and storing it within the directory you’d like to protect. Therefore, if you’d like to restrict access to an entire website, place this file within your site’s root directory. • In its simplest format, the .htaccess file’s contents look like this: • AuthUserFile /path/to/.htpasswd • AuthType Basic • AuthName "My Files" • Require valid-user • Replace /path/to with the path that points to another requisite file named .htpasswd. • This file contains the username and password which the user must supply in order to access the restricted content. • However, as a reference, the typical .htpasswd file looks like this: • admin:TcmvAdAHiM7UY • client:f.i9PC3.AtcXE • Each line contains a username and password pair, with the password encrypted to prevent prying eyes from potentially obtaining the entire identity. • When the user supplies a password, Apache will encrypt the provided password using the same algorithm originally used to encrypt the password stored in the .htpasswd file, comparing the two for equality.
  • 6.
    Authenticating Your Userswith PHP • PHP’s Authentication Variables • PHP uses two predefined variables to authenticate a user: $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. These variables store the username and password values, respectively. • While authenticating is as simple as comparing the expected username and password to these variables • Both variables must be verified at the start of every restricted page. You can easily accomplish this by authenticating the user prior to performing any other action on the restricted page, which typically means placing the authentication code in a separate file and then including that file in the restricted page using the require() function. • These variables do not function properly with the CGI version of PHP. • Useful Functions Two standard functions are commonly used when handling authentication via PHP: header() and isset(). Both are introduced in this section.
  • 7.
    Sending HTTP Headerswith header() • The header() function sends a raw HTTP header to the browser. The header parameter specifies the header information sent to the browser. Its prototype follows: • void header(string header [, boolean replace [, int http_response_code]]) • The optional replace parameter determines whether this information should replace or accompany a previously sent header. Finally, the optional http_response_code parameter defines a specific response code that will accompany the header information. • Applied to user authentication, this function is useful for sending the WWW authentication header to the browser, causing the pop-up authentication prompt to be displayed. • It is also useful for sending the 401 header message to the user if incorrect authentication credentials are submitted.
  • 8.
    Determining if aVariable is Set with isset() • The isset() function determines whether a variable has been assigned a value. Its prototype follows: • boolean isset(mixed var [, mixed var [,...]]) • It returns TRUE if the variable contains a value and FALSE if it does not. • As applied to user authentication, the isset() function is useful for determining whether the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables are properly set.
  • 9.
    Hard-Coded Authentication • Thesimplest way to restrict resource access is by hard-coding the username and password directly into the script. • In the example shown in next slide, if $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are equal to client and secret, respectively, the code block will not execute, and anything ensuing that block will execute. • Otherwise, the user is prompted for the username and password until either the proper information is provided or a 401 Unauthorized message is displayed due to multiple authentication failures. • Drawbacks: • Foremost, all users requiring access to that resource must use the same authentication pair • Second, changing the username or password can be done only by entering the code and making the manual adjustment. The next two methodologies remove these issues.