Professional Documents
Culture Documents
Credential Management
Credential Management
SESSION MANAGEMENT
BROKEN AUTHENTICATION AND SESSION MANAGEMENT
1. Credential Management
2. Session Management
3. The rest (whatever doesn’t fit
in the first 2 categories)
BROKEN AUTHENTICATION AND SESSION MANAGEMENT
1. Credential Management
2. Session Management
3. The rest (whatever doesn’t fit
in the first 2 categories)
Password Strength
Password Use
Password In Transit
Password Storage
Password Recovery
CREDENTIAL MANAGEMENT
Password Strength
password is at risk!
CREDENTIAL MANAGEMENT
Password Strength
Password Strength
Password Use
Password In Transit
Password Storage
Password Recovery
CREDENTIAL MANAGEMENT
Password Use
Password Strength
Password Use
Password In Transit
Password Storage
Password Recovery
CREDENTIAL MANAGEMENT
Password In Transit
Password Strength
Password Use
Password In Transit
Password Storage
Password Recovery
CREDENTIAL MANAGEMENT
Password Storage
Example10-CredentialMgmt-signup.php
SIGNING UP USERS
</form>
<br>
<a href="Example26-login.php"> Already a member? Login </a>
in the database
<input type="hidden" name="form_token" value="<?php echo $form_token; ?>" />
SIGNING UP USERS
require 'Example24-getDBConnection.php';
require 'Example25-validateInputs.php';
SIGNING UP USERS
$error_message = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$error_message = validate_inputs($_POST['user_email'], $_POST['user_password']);
// If no errors then add the user to the database.
if (empty($error_message)) {
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$user_email = filter_var($_POST['user_email'], FILTER_SANITIZE_STRING);
$user_password = filter_var($_POST['user_password'], FILTER_SANITIZE_STRING);
try {
$conn = getDatabaseConnection();
$stmt = $conn->prepare(
"INSERT INTO `Users` (user_email, user_password) VALUES (?, ?)"
);
require 'Example24-getDBConnection.php';
require 'Example25-validateInputs.php';
SIGNING UP USERS
$error_message = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$error_message = validate_inputs($_POST['user_email'], $_POST['user_password'], $form_token);
// If no errors then add the user to the database.
if (empty($error_message)) {
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$user_email = filter_var($_POST['user_email'], FILTER_SANITIZE_STRING);
$user_password = filter_var($_POST['user_password'], FILTER_SANITIZE_STRING);
try {
$conn = getDatabaseConnection();
$stmt = $conn->prepare(
"INSERT INTO `Users` (user_email, user_password) VALUES (?, ?)"
);
$stmt->bind_param("ss", $user_email, sha1($user_password));
inputs
} catch (Exception $e) {
// Duplicate entry for key is error 1062
if($e->getCode() == 1062) {
$error_message =
'Username already exists, please sign in or choose a different user name';
}
else {
$error_message =
'We are unable to process your request. Please try again later';
}
}
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
SIGNING UP USERS
$user_email = filter_var($_POST['user_email'], FILTER_SANITIZE_STRING);
$user_password = filter_var($_POST['user_password'], FILTER_SANITIZE_STRING);
try {
$conn = getDatabaseConnection();
$stmt = $conn->prepare(
"INSERT INTO `Users` (user_email, user_password) VALUES (?, ?)"
);
$stmt->bind_param("ss", $user_email, sha1($user_password));
$stmt->execute();
$stmt->close();
$conn->close();
} catch (Exception $e) {
// Duplicate entry for key is error 1062
if($e->getCode() == 1062) {
$error_message =
SIGNING UP USERS
$user_email = filter_var($_POST['user_email'], FILTER_SANITIZE_STRING);
$user_password = filter_var($_POST['user_password'], FILTER_SANITIZE_STRING);
try {
$conn = getDatabaseConnection();
$stmt = $conn->prepare(
"INSERT INTO `Users` (user_email, user_password) VALUES (?, ?)"
);
$stmt->bind_param("ss", $user_email, sha1($user_password));
$stmt->execute();
$stmt->close();
$conn->close();
} catch (Exception $e) {
// Duplicate entry for key is error 1062
if($e->getCode() == 1062) {
$error_message =
'Username already exists, please sign in or choose a different user name';
}
else {
SIGNING UP USERS
$user_email = filter_var($_POST['user_email'], FILTER_SANITIZE_STRING);
$user_password = filter_var($_POST['user_password'], FILTER_SANITIZE_STRING);
try {
$conn = getDatabaseConnection();
$stmt = $conn->prepare(
"INSERT INTO `Users` (user_email, user_password) VALUES (?, ?)"
);
$stmt->bind_param("ss", $user_email, sha1($user_password));
$stmt->execute();
$stmt->close();
$conn->close();
} catch (Exception $e) {
// Duplicate entry for key is error 1062
if($e->getCode() == 1062) {
$error_message =
'Username already exists, please sign in or choose a different user name';
}
else {
$error_message =
'We are unable to process your request. Please try again later';
SIGNING UP USERS
$user_email = filter_var($_POST['user_email'], FILTER_SANITIZE_STRING);
$user_password = filter_var($_POST['user_password'], FILTER_SANITIZE_STRING);
try {
$conn = getDatabaseConnection();
$stmt = $conn->prepare(
"INSERT INTO `Users` (user_email, user_password) VALUES (?, ?)"
);
$stmt->bind_param("ss", $user_email, sha1($user_password));
$stmt->execute();
$stmt->close();
$conn->close();
} catch (Exception $e) {
// Duplicate entry for key is error 1062
if($e->getCode() == 1062) {
$error_message =
'Username already exists, please sign in or choose a different user name';
SIGNING UP USERS
$stmt->bind_param("ss", $user_email, sha1($user_password));
$stmt->execute();
$stmt->close();
$conn->close();
} catch (Exception $e) {
// Duplicate entry for key is error 1062
if($e->getCode() == 1062) {
$error_message =
'Username already exists, please sign in or choose a different user name';
}
else {
$error_message =
'We are unable to process your request. Please try again later';
}
}
}
}
?>
SIGNING UP USERS
$stmt->bind_param("ss", $user_email, sha1($user_password));
$stmt->execute();
$stmt->close();
$conn->close();
} catch (Exception $e) {
// Duplicate entry for key is error 1062
if($e->getCode() == 1062) {
$error_message =
'Username already exists, please sign in or choose a different user name';
}
else {
$error_message =
'We are unable to process your request. Please try again later';
}
}
}
}
?>
SIGNING UP USERS
$stmt->bind_param("ss", $user_email, sha1($user_password));
$stmt->execute();
$stmt->close();
$conn->close();
} catch (Exception $e) {
// Duplicate entry for key is error 1062
if($e->getCode() == 1062) {
$error_message =
'Username already exists, please sign in or choose a different user name';
}
else {
$error_message =
'We are unable to process your request. Please try again later';
}
}
}
}
?>
Example11-CredentialMgmt-login.php
Example11-CredentialMgmt-loginSuccess.php
LOGIN AUTHENTICATED USERS
statement to variables
if (isset($continue_url)) {
header("Location: $continue_url");
} else {
header("Location: /security/Example11-CredentialMgmt-loginSuccess.php");
}
} else {
$error_message = 'Wrong user name or password provided!';
}
} else {
$error_message = 'Wrong user name or password provided';
LOGIN AUTHENTICATED USERS
$stmt = $conn->prepare(
"SELECT user_id, user_email, user_password FROM Users WHERE user_email = ?"
);
$stmt->bind_param("s", $user_email);
$stmt->execute();
$stmt->bind_result($user_id_db, $user_email_db, $user_password_db);
$user_valid = false;
while ($stmt->fetch()) {
if ($user_id_db) {
// Check if the password hashes are the same.
if (sha1($user_password) == $user_password_db) {
$_SESSION['logged_in_user'] = $user_id_db;
$continue_url = $_SESSION['continue_url'];
} else {
$error_message = 'Wrong user name or password provided';
}
}
);
$stmt->bind_param("s", $user_email);
}
strings will also match!
} else {
}
$error_message = 'Wrong user name or password provided';
);
$stmt->bind_param("s", $user_email);
} else {
$error_message = 'Wrong user name or password provided!';
}
$error_message = 'Wrong user name or password provided';
LOGIN AUTHENTICATED USERS
}
if (isset($continue_url)) {
header("Location: $continue_url");
} else {
header("Location: Example11-CredentialMgmt-loginSuccess.php");
}
} else {
$error_message = 'Wrong user name or password provided!';
}
} else {
$error_message = 'Wrong user name or password provided';
}
}
LOGIN AUTHENTICATED USERS
}
if (isset($continue_url)) {
header("Location: $continue_url");
} else {
header("Location: Example11-CredentialMgmt-loginSuccess.php");
}
} else {
$error_message = 'Wrong user name or password provided!';
}
} else {
$error_message = 'Wrong user name or password provided';
}
}
LOGIN AUTHENTICATED USERS
}
if (isset($continue_url)) {
header("Location: $continue_url");
} else {
header("Location: Example11-CredentialMgmt-loginSuccess.php");
}
} else {
$error_message = 'Wrong user name or password provided!';
}
} else {
$error_message = 'Wrong user name or password provided';
}
}
LOGIN AUTHENTICATED USERS
}
if (isset($continue_url)) {
header("Location: $continue_url");
} else {
header("Location: Example11-CredentialMgmt-loginSuccess.php");
}
} else {
$error_message = 'Wrong user name or password provided!';
}
} else {
}
}
There is one issue though - headers()
$error_message = 'Wrong user name or password provided';
LOGIN AUTHENTICATED USERS
}
if (isset($continue_url)) {
header("Location: $continue_url");
} else {
header("Location: Example11-CredentialMgmt-loginSuccess.php");
}
} else {
$error_message = 'Wrong user name or password provided!';
}
} else {
There is one issue though - headers()
}
}
have to be the very first thing sent
$error_message = 'Wrong user name or password provided';
Password Strength
Password Use
Password In Transit
Password Storage
Password Recovery
CREDENTIAL MANAGEMENT
Password Recovery
limited period
https
password reset page
no current password, current user name
CREDENTIAL MANAGEMENT
Password Recovery
1. Initialize and Notify
2. Protect the current account
3. Validation using tokens
4. User verification
5. Destroy tokens and notify
7. Login
8. Audit trail using logging
CREDENTIAL MANAGEMENT
User verification
The user needs to access and click on the
reset link in the email to continue with
the process - this should take him to a
secure page for password reset
2 FACTOR AUTHENTICATION OR
SECRET QUESTION AND ANSWER
CREDENTIAL MANAGEMENT
click on the reset link User verification
1. The user is a legit user
2 FACTOR AUTHENTICATION
2. Or a malicious who has access to a
legit user’s email
A security process which requires
How do we differentiate? 2
means of identification before users
are allowed to access secure data
Usually one AUTHENTICATION
2 FACTOR physical (card, numeric
OR
code)
SECRET and one memorized
QUESTION AND ANSWER
(password)
CREDENTIAL MANAGEMENT
click on the reset link User verification
1. The user is a legit user
SECRET QUESTION AND ANSWER
2. Or a malicious who has access to a
legit user’s email
How do we differentiate?
Once again treat these as you
would passwords! They should be
cryptographically secured
2 FACTOR AUTHENTICATION OR
SECRET QUESTION AND ANSWER
CREDENTIAL MANAGEMENT
click on the reset link User verification
2 factor authentication
or secret questions