Javacrypt.com : 2

Main Menu

Home Page

Features

Wiki Pages

List galleries

List Blogs

File galleries

Forums

All articles

Use Case(s)

1. The application owner wants a solution where the user's password is not sent over the wire in plain text.
2. It is also desired to avoid the common weaknesses to session security.
3. The owner wants to be able to run more than one application from his domain and have session isolation.
4. There is a requirement that more than one user can be logged in at a time from the same workstation.
5. There is limited (if any) access to an HTTPS (encrypted session) server.

Table of Contents (click + to expand)

[+]

Setup

SystemComponent.php

In the "SystemComponent.php" file found in the /case1/includes/ directory (folder) you will have to adjust the various global settings for the project. These settings are accessed and used throughout the project.

        // System variables
        $settings['siteDir'] = '/case1/';//set to where the root of your project is.
                                          //keep the trailing slash so /case1/ for example

        // Database variables
        $settings['dbhost'] = 'localhost';// your host connection details
        $settings['dbusername'] = 'developer';//your user name
        $settings['dbpassword'] = 'password';// your password
        $settings['dbname'] = 'devdb';// your database name

If you fail to set the parameters correctly the symptoms you will experience will include the MYSQL warning such as: mysql_num_rows(): supplied argument is not a valid MySQL result resource. You will also need to create some tables or you will get similar errors.

case1_sqlcreate.sql

The file "case1_sqlcreate.sql" found in the /case1/ directory contains the SQL necessary to reproduce the tables and a few test users for the project.

Entries in the case1failedlogins table do not necessarily have to relate to an existing user's username since an incorrect username is also a reason to fail to log in. The main purpose of the table is to support limiting the number of failed logins over a period of time. For this purpose a client is identified either by a special sessionid saved in a cookie or by the client's IP address. The 'reason' for the login failure is saved as either an incorrect username (0) or an incorrect password (1). Users would not normally be given access to see this table, the 'reason' is there for administrative use.

The case1sessions table stores single use random session keys that have been assigned to a user during the authentication. The table is normally empty since the authentication process will remove an entry as soon as it is used. Any sessions that still exist after 5 minutes are also cleaned as there is a good chance they are orphaned from a system failure during authentication.

The users are kept in the case1users table. The createdtimestamp column would be populated by a user creation dialog normally. I have not implemented a user creation dialog for this demo. The accesslevel can be used to provide for access control to pages or content and would be part of an authorization module. For this demo I have not implemented access control to pages other than by determining if the user is authenticated or not.

page:2/10

Last articles

1)	PHP / MYSQL / Authentication
2)	Form Encryption Crypt30a
3)	File Archive and Cleanup using Perl
4)	EMail Error Messages in Perl
5)	CUPS - Common Unix Printing System - My Perl Scripts and Batch Projects

Last blog posts

1)	Admin Log: Articulation Wed 17 of Sep, 2008 [15:16 UTC]
2)	Admin Log: establish Wed 14 of May, 2008 [17:09 UTC]
3)	Admin Log: Initialize... Wed 07 of May, 2008 [18:52 UTC]

Last forum topics

1)	Bugs: Acrobat Feature

Top Images

1)	Bismarck
2)	perlmodules.pl screenshot
3)	basic_auth_use_case
4)	db_tables_auth_uml.JPG
5)	index_dynamic_framecode.jpg

Wiki

Blogs

Articles