Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29

7/30/2019 Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29

1/21

CHAPTER15

User

Authentication

Chapter 20

Stobart and Parsons


2/21

SECTION 1

User Authentication

Websites allow user's to login for various

reasons:

To perform transactions

To post information

To view confidential information

Users are usually authenticated using

passwords. Passwords are stored in a database as

strings, e.g:

CREATE TABLE users (

username varchar(32) NOT NULL,

password varchar(32) NOT NULL,

PRIMARY KEY (username),

KEY (password));

Both the username and password are keys(i.e. indexed) which makes it quicker to

search for a username/password

combination.

Password encryption

The password must be encrypted.

The safest form of password encryption is a

one-way cipher.

A one-way cipher can never be decrypted.

How do we know if the user has entered the

correct password if the stored passwordcan't be decrypted?

272


3/21

273

Encrypted password: 7a3de5

Cipher

Stored password: 7a3de5

User login

Lookup

Username: Fred Password: abc123

Passwords

Match?

User Authentication Process


4/21

User Account Creation

When a user creates an account either a password is automatically generated or the user

selects one.

If the password is automatically generated the user should be encouraged to change it as soon

as possible.

Only the encrypted version of the password is stored in the database.

Encryption

The PHP function crypt() can be used to encrypt the password.

crypt() performs a one-way encryption:

string crypt(string plaintext, [string salt])

The salt, which is optional, should be used since more than one user may choose the same

password.

Often the first two characters of the username are used as the salt.

The following function creates a new user account and encrypts the password:


5/21

$salt = substr($username, 0, 2);

$storedPassword = crypt($password, $salt);

$query = "insert into users (username, password, ...) " .

"values ('$username', '$storedPassword', ...)"

$results = mysql_query($query, $connection) or show_error();

}

?>

Note that since crypt() is a one-way function it is not suitable for storing credit card numbers

since the original numbers can not be retrieved.

User Login

Once a user account has been created the user can login.

There are two UI approaches for user login:

1.Send a 401 "authorisation required" response back to the client which results in a small

dialog box that the user must complete to gain entry.

2.Users enter their username and password into a form which is submitted to the server.

275


6/21

WWW Authentication

The first method requires that PHP returns a 401 header as such:

header("HTTP/1.0 401 Authorization Required");

If the user presses Cancel the HTML returned will be displayed (which should indicate that

the user hasn't logged in).

If the user logs in it will reload the page with the user's credentials.

PHP stores the user's credentials in the $_SERVER global array with the keys

PHP_AUTH_USER and PHP_AUTH_PW

The following example demonstrates 401 authentication:

276


7/21

http://dwarf.ict.griffith.edu.au/~s772824/examples/basic_auth/

This method of user authentication is used less frequently mainly for aesthetic reasons.

277
http://dwarf.ict.griffith.edu.au/~s772824/examples/basic_auth/http://dwarf.ict.griffith.edu.au/~s772824/examples/basic_auth/


8/21

User Login Form

The user login form should have fields for the username and password.

The password field should be oftype="password", which hides the password from the

user.

The username and password will be sent to the server in the clear, to encrypt the form

contents use https://

The following function encrypts the password the user typed in and compares the username

and encrypted password with that stored in the table:


9/21

"AND password = '$encryptedPassword'";

$result = mysql_query($query, $connection) or show_error();

return (mysql_num_rows($result) == 1);

}

?>

User Authorisation

User authentication is determining if the user is who they say they are.

User authorisation is determining if the user has permission.

Some pages in your application may not be accessible by the logged in user, or require a user

to be logged in to view them.

If a user isn't logged in, or doesn't have the right permission level either an error can be

displayed or a version of the page displayed which has limited functionality.

Once a user has logged in the web application must remember that the user is logged in for

each page visited.

The currently logged in user should be stored in a session variable.

There is no need to store the password, only the username (or user id) needs to be stored.

279


10/21

Each web page may indicate at the top of the page the currently logged in user.

Either the username or the user's first or full name can be displayed.

If the information other than the username (such as first or full name) is displayed in each

page then it may be useful to store these in session variables for easy access.

If not, then the user table will need to be accessed on each page to retrieve the user's details.

280


11/21

SECTION 2

External Authentication

OpenID and OAuth allow users to be

authenticated with an existing username

and password from a different system.

Examples of websites that support OpenID

or OAuth:

Google

Facebook

LinkedIn

281


12/21

Advantages of External

Authentication:

Users don't need to create a new username

and password

Users don't need to re-enter common

information

Account can be linked to the other service

provider providing additional features, e.g.

post to Facebook (only with OAuth)

OpenID or OAuth?

OpenID is used solely to identify the user

OAuth is a mechanism that allows a website

to access the services of another website

(e.g. post to Facebook)

OAuth 2.0 authentication

OAuth authentication requires that the

client website registers with an OAuth

provider website.

In the case of Facebook, you would need to

register an 'app' with Facebook.

Facebook provides you with anApp ID

which is used to identify your application

Your website launches the Facebook

authentication dialog which handscontrol over to Facebook.

The user logs in (if they aren't already) and

authorises the app.

If authentication and authorisation

successful Facebook redirects to a URLspecified by your website with an access

token that must be passed to every

interaction with Facebook and eventually

expires.

282


13/21

OAuth 2.0 Authentication Process

283


14/21

SECTION 3

Two-factor Authentication

Until recently the most common form of

user authentication is through passwords.

Password authentication has a number of

problems:

Good passwords must be long and

complex and hence difficult to

remember.

Users often use simple passwords orrecord them somewhere.

Simple passwords are easy to crack.

Password authentication is prone to

phishing attacks.

Two-factor Authentication

Two-factor authentication requires another

form of authentication in addition to the

password.

There are three categories of

authentication:

Something the user knows

Something the user has

Something the user is

A user's password fits into the first

category, something the user knows.

Asking a user additional questions will still

be prone to phishing attacks, another form

of authentication is required.

284


15/21

On-line Bank Authentication

Two-factor authentication is more

cumbersome than simple password

authentication.

As a result many services only require two-

factor authentication for certain operations.

For example, with on-line banking, the user

only needs their password to log in, view

account balances and transfer funds

between their own accounts. However, if money is transferred to an

account which is not theirs then two-factor

authentication is used.

The most common form of two-factor

authentication is to send a one-time

password (OTP) to a mobile phone.

This is authenticates "something the user

has", i.e. the mobile phone.

Another common "something the user has"

is a one-time password dongle such as

YubiKey which generates a password which

is sent and authenticated with a server.

Biometric Authentication

Biometrics such as fingerprint scanning fall

under the category of "something the useris".

Biometric authentication may be simpler

and quicker than other forms of

authentication.

285


16/21

CHAPTER16

Transaction

Processing

Chapter 20

Elmasri and Navathe


17/21

SECTION 1

Transaction Processing

When multiple users are concurrently

accessing and updating the same database,

incorrect results can be returned andincorrect updates can be performed unless

special care is taken.

Examples

In these examples, two or more

transactions - sequences of operations -

are performed concurrently.

An interleaved set of transactions - a

sequence of operations from multiple

transactions - is called a schedule.

Example 1: Banking

Suppose X = 100.

T1: Read X, Add 10 to X, Write X T2: Read X, Add 20 to X, Write X

More precisely, each transaction reads X

into a local variable, updates the local

variable, then writes the local variable to X.

Schedule:

(1) Read X = 100

(1) Add 10 to X = 110

(2) Read X = 100

(2) Add 20 to X = 120

(2) Write X = 120

(1) Write X = 110

After this schedule, X has value 110. But

after either T1 - T2 or T2 - T1, it should have

value 130.

287


18/21

Example 2: Summation

Suppose the database contains data items

X1 to X4 with values 10 to 40. Transaction

T1 computes the sum of all data items in the

database. Transaction T2 deletes item X1and inserts item X5 with value 50. The sum

computed by T1 should be either 100 or

140. But consider the following schedule:

(1) Read X1

(1) Read X2(1) Read X3

(2) Delete X1

(2) Insert X5

(1) Read X4

(1) Read X5

(1) Write Sum (of X1 to X5)

This schedule writes the Sum 150 to the

database. But this does not correspond to

any possible state of the database.

Example 3: User registration

Suppose transactions T1 and T2 each insert

a new user (with the same name) into the

database. Each transaction should have the

following structure:

Get name (and details) from form;

if (name is not in the database) {...

Insert the name (and details)

into the database;

}

If T1 and T2 are executed concurrently, it is

possible that each will determine the (same)

name is not in the database, and each will

then insert the (same) name into the

database, resulting in two occurrences of

the name in the database.

288


19/21

ACID Properties of Transactions

Atomicity

A transaction is an atomic unit of

processing. It should either be

performed in its entirety or not

performed at all.

Consistency

If a transaction is completely executed

from beginning to end it should leave the

database in a consistent state.

Isolation

A transaction should appear as though it

is being executed in isolation from other

transactions, even though many

transactions are executing concurrently.

Durability

The changes applied to the database by a

committed transaction must persist in

the database.

A database management system that

ensures transactions satisfy theseconditions is calledACID-compliant.

Serialisation

To ensure the ACID properties are satisfied,

schedules must be serialisable.

i.e., even if operations of two or moretransactions (e.g., T1, T2, T3) are

interleaved, the overall effect must be the

same as if they were executed in some serial

order (e.g., T1 - T3 - T2).

Serialisation is normally implemented

using locks.

Locks restrict access to data items (tuples,

pages, tables).

289


20/21

Aread lock on an item allows other

concurrent processes to read the item but

prevents other processes from writing the

item.

Awrite lock on an item prevents otherprocesses from reading or writing the item.

Two-phase Locking

To ensure schedules are serialisable, the

two-phase locking protocol must beused:

Acquire all locks before releasing any locks.

To ensure schedules are serialisable, avoid

deadlocks, are recoverable, and have other

desirable properties, the strict two-phaselocking protocol must be used:

Acquire all locks before releasing any locks,

and maintain all write locks until the end of

the transaction.

Locks in MySQL

In MySQL versions before 4.0, read and

write locks had to be explicitly obtained and

released.

These locking and unlocking commands are

sent to the database server from the PHP

script.

The commands are:

LOCK TABLE name READ

LOCK TABLE name WRITE

UNLOCK TABLE name

UNLOCK TABLES

Note that the only data items that can be

locked are complete tables.

Commercial databases perform locking atthe page or row level, which allows more

parallelism.

290


21/21

In MySQL versions from 4.0 onwards, with the InnoDB storage engine, the higher level SQL

commands may be used:

START TRANSACTION

COMMIT

ROLLBACK

The normal pattern of usage in a PHP script is the following:

Much easier! (But you still need to be careful to include all required operations inside the

transaction.)

291

Documents

Lecture+8+ +User+Authentication+and+Transaction+Processing+%282%29