06 - Validation, Sessions, Cookies, Authentication and Security
WEB PROGRAMMING
Lê Đình Thanh, Department of Computer Networks and Communications, Faculty of Information Technology, University of Engineering and Technology, VNU Hanoi. E-mail: thanhld@vnu.edu.vn, thanhld.vnuh@gmail.com. Mobile: 0987.257.504
Lesson 5
Contents
Validation. Sessions and cookies. Authentication and security.
Part 1
Validation
Overview
Purpose
Ensure that the data the user enters is complete (required fields) and correct (length, type, format, range). Report an error when the input does not satisfy these constraints. Write data to the database only when it is complete and correct. Ensure the input is cleaned, converted and normalised, e.g. convert a Vietnamese date (dd/mm/yyyy) to the ISO form for storage, normalise names, ...
Check required fields. Clean the input, then check its length and format.
Implementation
Validation must be done on both the client and the server.
Client-side validation: in JavaScript. It is the more efficient method (in network traffic and response time) and the friendlier one (no page reload, each field is checked as soon as it is filled in), and it improves interactivity. Server-side validation: in the server scripting language. Server-side validation can never be skipped: the client-side check can fail because JavaScript is disabled in the browser, and, more importantly, an attacker does not use your page at all but sends requests directly (with curl or an intercepting proxy), so the server is the only place where the check is guaranteed to run.
Lê Đình Thanh, Web Programming lecture notes.
Reading and checking input in PHP ('tenThamso' stands for the parameter name):
$input = $_POST['tenThamso']
$input = $_GET['tenThamso']
empty($input): true if $input is empty ("", "0", 0, null, an empty array, ...)
is_numeric($input): true if $input is a number or a numeric string
intval($input): the integer value of $input
floatval($input): the floating-point value of $input
explode($deli, $s): split the string $s on the separator $deli
substr($s, $b, $l): the substring of $s consisting of $l characters starting at index $b
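Server-side validation of a registration form, as an added example (this is not code from the lecture). It uses the functions listed above together with filter_var(), ctype_digit() and checkdate(); the field names, the limits and the sample submission are assumptions.

```php
<?php
// Added example (not from the lecture): server-side validation and
// normalisation of a registration form. Field names, limits and the
// sample submission are assumptions / constructed data.

declare(strict_types=1);

// Fetch one text field. Arrays (name[]=...) and missing keys become "",
// so the checks below always operate on a string.
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Validate and clean a submitted form.
// Returns ['errors' => [field => message], 'clean' => [field => value]].
// Only 'clean' is ever written to the database, and only when 'errors' is empty.
function validateRegistration(array $post): array
{
    $errors = [];
    $clean  = [];

    // Required field, length limit, then normalisation (collapse whitespace,
    // title-case each word).
    $name = field($post, 'name');
    if ($name === '') {
        $errors['name'] = 'Name is required';
    } elseif (mb_strlen($name) > 60) {
        $errors['name'] = 'Name must be at most 60 characters';
    } else {
        $clean['name'] = mb_convert_case(preg_replace('/\s+/u', ' ', $name), MB_CASE_TITLE, 'UTF-8');
    }

    // Format check. empty() would be the wrong test here: empty("0") is true.
    $email = field($post, 'email');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required';
    } else {
        $clean['email'] = strtolower($email);
    }

    // Type and range. is_numeric() also accepts "1e3" and " 12", so require
    // plain digits before calling intval().
    $age = field($post, 'age');
    if (!ctype_digit($age)) {
        $errors['age'] = 'Age must be a whole number';
    } elseif (intval($age) < 13 || intval($age) > 120) {
        $errors['age'] = 'Age must be between 13 and 120';
    } else {
        $clean['age'] = intval($age);
    }

    // Conversion: Vietnamese dd/mm/yyyy -> ISO yyyy-mm-dd for the database.
    // checkdate() rejects impossible dates such as 31/02/1990.
    $parts = explode('/', field($post, 'dob'));
    if (count($parts) !== 3 || !ctype_digit(implode('', $parts))
        || strlen($parts[2]) !== 4
        || !checkdate((int)$parts[1], (int)$parts[0], (int)$parts[2])) {
        $errors['dob'] = 'Date of birth must be dd/mm/yyyy';
    } else {
        $clean['dob'] = sprintf('%04d-%02d-%02d', (int)$parts[2], (int)$parts[1], (int)$parts[0]);
    }

    return ['errors' => $errors, 'clean' => $clean];
}

// Constructed sample submission (not real data): two of the fields are bad.
$result = validateRegistration([
    'name'  => '  nguyen   van  an ',
    'email' => 'An@Example.COM',
    'age'   => '2e1',
    'dob'   => '31/02/1990',
]);
assert($result['clean']['name'] === 'Nguyen Van An');
assert($result['clean']['email'] === 'an@example.com');
assert(array_keys($result['errors']) === ['age', 'dob']);
```

The form handler would render the messages in $result['errors'] back to the user and insert $result['clean'] only when that array is empty; the raw $_POST values are never stored.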
Part 2
Sessions and cookies
Personalisation is needed
Example: the application must know which user is active in order to serve the appropriate content.
Cookies
A cookie is a (name, value) pair. Creation and use:
The server sends the cookie to the client (in the response to an earlier request). The client remembers the cookie and sends it back to the server in later requests. The server acts on the cookie it receives.
Creating and using cookies
Creating and using a cookie is like using a patient's personal health booklet:
Server == the doctor. Client == the patient. Cookie == what is written in the booklet. The doctor writes the diagnosis and the prescription into the booklet. The patient takes the booklet home and brings it along to every later visit.
Creating a cookie
The browser can create a cookie itself with JavaScript, but cookies are usually set by the server with a Set-Cookie header in the HTTP response, for example:

    HTTP/1.0 200
    Content-Length: 1276
    Content-Type: text/html
    Date: Tue, 06 Nov 2001 04:12:49 GMT
    Expires: Tue, 06 Nov 2001 04:12:59 GMT
    Server: simwebs/3.1.6
    Set-Cookie: animal=egg-laying-mammal

    <html>...</html>
Creating a cookie in PHP
setcookie(string $name, string $value = "", int $expires_or_options = 0, string $path = "", string $domain = "", bool $secure = false, bool $httponly = false): bool
name: the cookie name
value: the cookie value
expires_or_options: the Unix timestamp at which the cookie expires (0 = kept until the browser closes), or, since PHP 7.3, an array of options that may also set samesite
path: the URL path prefix for which the browser will send the cookie
domain: the domain for which the browser will send the cookie (empty = the current host only)
secure: true to send the cookie only over a TLS (HTTPS) connection
httponly: true to hide the cookie from JavaScript (document.cookie), which limits what an XSS bug can steal
The call writes a response header, so it must come before any output.
Using a cookie
The browser remembers the cookie and sends it in the headers of subsequent requests, for example:

    GET /duck/bill.php HTTP/1.0
    Connection: Keep-Alive
    Cookie: animal=egg-laying-mammal
    Host: www.webdatabasebook.com
    Referer: http://www.webdatabasebook.com/

Problems with cookies
The size of every request grows by the cookies it carries.
Security is weak: the cookie is stored and sent by the client, so the user (or anyone with access to the machine, or to the network path if the connection is not TLS) can read and alter it. Treat cookie values as untrusted input and never store secrets or authorisation decisions in them unprotected.
Privacy suffers because the browser retains the cookie and returns it on every matching request.
Sessions
To keep application state, the server stores the session variables itself and sends the client only a session identifier. The browser includes the identifier in subsequent requests, so the server can tell which conversation with which browser a request belongs to. A session must have an expiry time (timeout). By default the session cookie is discarded when the browser closes, but the server-side data persists until it is garbage-collected, so the expiry has to be enforced by the server.
Creating and using sessions
Creating and using a session is like using the doctor's own patient file:
Server == the doctor. Client == the patient. Session == what is written in the patient file. The doctor writes the diagnosis and the prescription into the file, which stays at the clinic, and gives the patient a numbered card (the session identifier) but not the file. The patient keeps the card and shows it at every later visit.
Destroying a session
session_destroy();
Not sufficient on its own: session_destroy() removes the server-side data but, as the PHP manual notes, leaves $_SESSION and the client's session cookie in place. A complete logout clears the variables, expires the cookie, and then calls session_destroy().
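The session lifecycle with the three properties discussed above, as an added example (not code from the lecture): a fresh identifier when the user logs in, an idle timeout enforced on the server, and a complete teardown on logout. The idle limit and the $_SESSION keys are assumptions.

```php
<?php
// Added example (not from the lecture). Idle limit and session keys are assumptions.

declare(strict_types=1);

const IDLE_LIMIT = 900; // 15 minutes of inactivity

// Start (or resume) the session. The identifier is the only thing the client
// holds, so its cookie gets the same hardening as any other cookie.
function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    session_start();
}

// Call after a successful login. A new id defeats session fixation: an id
// planted in the victim's browser before login is no longer valid afterwards.
function loginSession(string $username): void
{
    session_regenerate_id(true);          // true also deletes the old session data
    $_SESSION['username']      = $username;
    $_SESSION['last_activity'] = time();
}

// True if the session is logged in and not idle for too long; otherwise the
// session is torn down. Closing the browser does not remove server-side data,
// so the server has to enforce the timeout itself.
function sessionIsValid(int $now): bool
{
    if (!isset($_SESSION['username'], $_SESSION['last_activity'])) {
        return false;
    }
    if ($now - (int)$_SESSION['last_activity'] > IDLE_LIMIT) {
        logoutSession();
        return false;
    }
    $_SESSION['last_activity'] = $now;    // sliding window
    return true;
}

// Full logout: clear the variables, expire the client's cookie, then destroy
// the server-side data. session_destroy() alone does only the last step.
function logoutSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Prologue of every protected page:
//   startSession();
//   if (!sessionIsValid(time())) { header('Location: /login.php'); exit; }
```

session.gc_maxlifetime still governs when PHP's garbage collector removes abandoned session files; the check in sessionIsValid() is what guarantees that a stolen identifier stops working after IDLE_LIMIT seconds of inactivity regardless of when collection happens to run.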
Part 3
Authentication and security
Authentication
Purpose
Restrict access to the web application: only users who have been granted permission may use it.
Implementation
HTTP authentication. IP authentication. Database-backed authentication.
HTTP authentication
The browser sends an HTTP request to the server. The server answers with an HTTP response with status 401 and a WWW-Authenticate header asking for credentials. The browser prompts the user for a user name and password and resends the request with the credentials in an Authorization header (for Basic authentication this is base64 of user:password, not encrypted). The server checks the credentials and returns the page content to the browser.
The credentials, i.e. the user name, the password and the authentication scheme, are available in $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] and $_SERVER['AUTH_TYPE'] respectively. PHP fills them in when it runs as an Apache module; under CGI/FastCGI the Authorization header has to be forwarded by the web server and decoded by the script.
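The 401 round trip in PHP, as an added example (not code from the lecture). The user table is a constructed in-memory array, the realm and the account are assumptions, and the fallback that decodes the Authorization header covers the CGI/FastCGI case where PHP_AUTH_* are not populated.

```php
<?php
// Added example (not from the lecture). Realm, account and user table are assumptions.

declare(strict_types=1);

// Returns [user, password] from the request, or [null, null] if absent.
function basicCredentials(): array
{
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? ''];
    }
    // CGI/FastCGI: PHP_AUTH_* are empty; the raw header is only present when
    // the web server forwards it (Apache needs a SetEnvIf/RewriteRule for that).
    $hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') === 0) {
        $decoded = base64_decode(substr($hdr, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);   // password may itself contain ':'
        }
    }
    return [null, null];
}

// Constructed user table: username => password_hash() value. password_verify()
// compares against the stored hash, so the clear-text password is never stored.
function checkCredentials(?string $user, ?string $pw): bool
{
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    if ($user === null || $pw === null || !isset($users[$user])) {
        return false;
    }
    return password_verify($pw, $users[$user]);
}

// Step 2 of the exchange: 401 plus WWW-Authenticate makes the browser show its
// login dialog and resend the request with an Authorization header. Returns
// the authenticated user name; exits otherwise.
function requireBasicAuth(string $realm): string
{
    [$user, $pw] = basicCredentials();
    if (checkCredentials($user, $pw)) {
        return $user;
    }
    header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
    header('HTTP/1.1 401 Unauthorized');
    exit('Authentication required');
}

// Page body, reached only after a valid pair was supplied.
$user = requireBasicAuth('Marketing Department');
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Because the browser resends the base64 pair with every request, this scheme is only acceptable over TLS, and there is no standard way to make the browser forget the credentials short of closing it.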
Limitations of HTTP authentication
The browser can remember the user name and password, so the page can be reached again without re-entering them (HTTP has no standard logout: the credentials stay cached until the browser is closed). If the user forgets the user name or password there is no mechanism (such as a security question) for regaining access to the account. The application may prompt for login more than once; for example, entering the settings area may require logging in again. With Basic authentication the password travels with every request, only base64-encoded, so it must be used over TLS only.
IP authentication
Access can be restricted to particular machines (IP addresses).
Get the IP address of the machine running the browser: $_SERVER['REMOTE_ADDR']
Check the IP (khongHople stands for "is not allowed"):

    if (khongHople($_SERVER['REMOTE_ADDR'])) {
        // stop and report an error
        // or redirect to another page
    } else {
        // business logic
    }

REMOTE_ADDR is the address of the TCP peer. Behind a reverse proxy that is the proxy, not the user, and headers such as X-Forwarded-For are chosen by the client unless a trusted proxy overwrites them, so they must not be used for this check without that guarantee.
IP authentication example

    <?php
    // Only hosts in the department's 141.190.17.x network may see this page.
    // Compare 11 characters, including the trailing dot: a 10-character
    // prefix match on "141.190.17" would also accept 141.190.170.x to 141.190.179.x.
    // $REMOTE_ADDR relied on register_globals (removed in PHP 5.4); read $_SERVER instead.
    if (strncmp("141.190.17.", $_SERVER['REMOTE_ADDR'], 11) != 0) {
        header("HTTP/1.0 403 Forbidden");
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head><title>Marketing Department</title></head>
    <body>
    <h2>403 Forbidden</h2>
    <p>You cannot access this page from outside the Marketing Department.</p>
    </body>
    </html>
    <?php
        exit;
    }
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head><title>Marketing Department</title></head>
    <body>
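The same restriction with a proper CIDR match instead of a string prefix, as an added example (not code from the lecture). The allowed networks are assumptions, and the code assumes 64-bit PHP, where ip2long() returns non-negative integers.

```php
<?php
// Added example (not from the lecture). Allowed networks are assumptions.

declare(strict_types=1);

// True when the IPv4 address $ip lies inside $cidr ("141.190.17.0/24" or a
// single host such as "10.0.0.5"). Anything unparseable counts as no match.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    if (!ctype_digit($bits) || (int)$bits > 32) {
        return false;
    }
    $ipL  = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false) {
        return false;
    }
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipL & $mask) === ($netL & $mask);
}

function ipAllowed(string $ip, array $allowList): bool
{
    foreach ($allowList as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Use REMOTE_ADDR only. X-Forwarded-For is client-controlled unless a trusted
// reverse proxy overwrites it, and behind such a proxy REMOTE_ADDR is the
// proxy's own address, so that deployment needs proxy-aware handling instead.
function enforceIpAllowList(array $allowList): void
{
    if (!ipAllowed($_SERVER['REMOTE_ADDR'] ?? '', $allowList)) {
        header('HTTP/1.0 403 Forbidden');
        exit('<h2>403 Forbidden</h2>');
    }
}

$allowed = ['141.190.17.0/24', '10.0.0.5'];      // assumption
assert(ipAllowed('141.190.17.200', $allowed));
// A string-prefix test on "141.190.17" would accept this address; the CIDR test does not.
assert(!ipAllowed('141.190.170.1', $allowed));
assert(ipAllowed('10.0.0.5', $allowed) && !ipAllowed('10.0.0.6', $allowed));
assert(!ipAllowed('not-an-ip', $allowed));
```

IP-based access control identifies a network position, not a person: anyone on the allowed subnet, including a compromised workstation, passes, so it is a perimeter filter to combine with user authentication rather than a replacement for it.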
Database authentication (login handler fragment; the first branch of the if is not on the page)

    } else {
        // Perform the database authentication.
        // If it succeeds, set:
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['ip']       = $_SERVER['REMOTE_ADDR'];
        // then redirect to the main page after login.
    ?>
    ...
    <?php
    }
    ?>
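The database step of the login handler above, as an added example (not code from the lecture): a prepared statement for the lookup and password_verify() for the check, followed by the session assignments from the slide. The table layout (users: username, pwhash), the in-memory SQLite database and the sample account are assumptions constructed for the demo.

```php
<?php
// Added example (not from the lecture). Table layout, database and account are assumptions.

declare(strict_types=1);

function openDb(): PDO
{
    // SQLite in memory so the example runs offline; a real application uses its own DSN.
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// True only for a matching (username, password). The placeholder keeps user
// input out of the SQL text, so "' OR 1=1 --" is simply a user name that does
// not exist. Only the hash is stored; the password is never compared with ==.
function authenticate(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);

    $st = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $st->execute([$username]);
    $hash = $st->fetchColumn();

    if ($hash === false) {
        // Unknown user: still run one hash check so that the response time
        // does not reveal which user names exist.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, (string)$hash);
}

// Success branch of the handler above, with a fresh session id so that an
// identifier planted before login (session fixation) cannot be reused.
function completeLogin(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['ip']       = $_SERVER['REMOTE_ADDR'] ?? '';
    header('Location: /main.php');     // assumed post-login page
    exit;
}

// On later pages the address stored at login can be compared with the current
// one to spot a stolen identifier replayed from another host. Clients on mobile
// networks change address, so treat a mismatch as a reason to re-authenticate
// rather than as proof of an attack.
function sessionFromSameHost(): bool
{
    return isset($_SESSION['ip']) && $_SESSION['ip'] === ($_SERVER['REMOTE_ADDR'] ?? '');
}

$db = openDb();
assert(authenticate($db, 'alice', 'correct horse battery staple'));
assert(!authenticate($db, 'alice', 'wrong password'));
assert(!authenticate($db, "' OR 1=1 --", 'anything'));
```

The handler would call completeLogin($_POST['username']) only when authenticate() returns true, and otherwise redisplay the form with a single generic "invalid user name or password" message.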
Protecting data
Sensitive data that the application must read back (a phone number, an address) can be encrypted before it is stored in the database and decrypted when it is read out for use.
That requires a two-way (reversible) cipher. PHP's crypt() and MySQL's PASSWORD() are one-way hashes (they can be computed but not reversed), so they cannot serve this purpose. For passwords, however, one-way is exactly what is wanted: store password_hash() output and check with password_verify(); a password never needs to be decrypted.
The functions originally recommended here are obsolete: the mcrypt extension was deprecated in PHP 7.1 and removed from core in 7.2, and MySQL's ENCODE()/DECODE() were never strong and were removed in MySQL 8.0. Use the sodium extension (bundled with PHP since 7.2) or openssl_encrypt() with an authenticated mode such as AES-256-GCM, and keep the key outside the database.
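Reversible encryption for a database column with libsodium's secretbox, beside one-way hashing for a password, as an added example (not code from the lecture). The key would come from configuration or an environment variable, never from the same database row; the sample values are constructed.

```php
<?php
// Added example (not from the lecture). Sample values are constructed; the key
// is generated here only for the demo and would normally be loaded from config.

declare(strict_types=1);

// Generate once; store outside the database (environment / config file).
function newDataKey(): string
{
    return sodium_crypto_secretbox_keygen();
}

// Returns nonce || ciphertext, base64-encoded so it fits a text column. The
// nonce is random per message: reusing one with the same key breaks
// confidentiality, so it is never hard-coded.
function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ct);
}

// Returns the plaintext, or null if the stored value is truncated, corrupted or
// altered: secretbox authenticates the ciphertext, so tampering is detected.
function decryptField(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pt    = sodium_crypto_secretbox_open($ct, $nonce, $key);
    return $pt === false ? null : $pt;
}

// Passwords: store password_hash() output, check with password_verify().
// There is no decrypt, and none is needed.
function storePassword(string $pw): string
{
    return password_hash($pw, PASSWORD_DEFAULT);
}

function checkPassword(string $pw, string $hash): bool
{
    return password_verify($pw, $hash);
}

$key    = newDataKey();
$stored = encryptField('0123456789', $key);            // constructed phone number
assert(decryptField($stored, $key) === '0123456789');

// Flip one bit of the stored value: authentication fails and nothing is returned.
$raw = base64_decode($stored);
$i   = strlen($raw) - 1;
$raw[$i] = chr(ord($raw[$i]) ^ 1);
assert(decryptField(base64_encode($raw), $key) === null);

$h = storePassword('hunter2');
assert(checkPassword('hunter2', $h) && !checkPassword('hunter3', $h));
```

openssl_encrypt()/openssl_decrypt() with 'aes-256-gcm' and a 12-byte random IV give the same property (authenticated encryption) when the sodium extension is unavailable; what matters is that an unauthenticated mode such as plain CBC is not used, because it lets an attacker alter the stored ciphertext undetected.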
Client side
The browser hands the HTTP request to SSL. SSL encrypts the request and sends the encrypted request to the server-side SSL.
Server side
SSL receives the encrypted request, decrypts it back into the HTTP request and passes it to the web server.
Server side: the web server hands the HTTP response to SSL. SSL encrypts the response and sends it to the client-side SSL. Client side: SSL receives the encrypted response, decrypts it back into the HTTP response and hands it to the browser.
(What is described as SSL here is TLS in current deployments; besides confidentiality it gives integrity and, through the server certificate, lets the browser verify which server it is talking to, which is what makes the Secure cookie flag and HTTP authentication safe to use.)
Next