Lecture notes

WEB PROGRAMMING
Lê Đình Thanh, Department of Computer Networks and Communications, Faculty of Information Technology, University of Engineering and Technology, Vietnam National University, Hanoi. E-mail: thanhld@vnu.edu.vn, thanhld.vnuh@gmail.com. Mobile: 0987.257.504

Lecture 5

Input validation, sessions and cookies, authentication and security

Lê Đình Thanh, Web Programming lecture notes.

Contents
Input validation
Sessions and cookies
Authentication and security

Part 1

Input validation

Overview
Purpose
Ensure that the data entered by the user is complete (required fields) and correct (length, type, format, range). Report an error when the input does not satisfy these constraints. Store data in the database only when it is complete and correct. Ensure that the input is cleaned, converted and normalised, for example converting a Vietnamese date to the English form before storing it in the database, normalising names, and so on.
Validation steps (diagram): check the required fields; clean the input and check length and format; check type and value range; convert the format or value if needed.

Implementation
Must be performed on both the client and the server.
Client-side validation: uses JavaScript. It is more efficient (in communication and execution time) and friendlier (no page reload; each field can be checked as soon as it has been entered), which increases interactivity with the user.
Server-side validation: written in the server-side scripting language. It can never be skipped, because client-side validation can fail, for instance when JavaScript is disabled in the browser.

Client-side validation

Use style or text to mark the fields that must be filled in. Show input guidance where needed.
A field can be checked individually as soon as the user finishes entering it (use the onkeyup event and validate when the key code is 13, Enter).
If the check needs information held on the server (for example, checking for a duplicate code), use an iframe or AJAX to send the data to the server for checking.
Some fields can be filled in or reported automatically from data already entered in other fields, for example recomputing and displaying the total mark whenever the user changes a component mark.
Reporting input errors
Use a span to display the error message (friendly). Use alert to display the message (unfriendly; use it ONLY for serious errors). After reporting an error, the focus can be moved automatically to the input element that must be re-entered.

Useful JavaScript functions for client-side validation

document.getElementById(id): returns a reference to the element whose id is id
document.getElementsByName(name): returns an array of references to the elements named name
document.getElementsByTagName(tagname): returns an array of references to the elements of type (tag) tagname
str.substring(begin, end): returns the substring of str made of the characters at indices begin to end-1
str.substring(begin): returns the substring of str from index begin to the end of the string
str.split(deli): splits str on the separator string deli and returns the resulting array of strings
str.toUpperCase(): returns str converted to upper case
str.toLowerCase(): returns str converted to lower case
isNaN(s): true if s is not a numeric representation
parseInt(s): integer value of the numeric representation s
parseFloat(s): floating-point value of the numeric representation s

Server-side validation

Performed immediately after the cleaning step (by calling a clean function). Only the submitted form as a whole can be checked. If there are input errors, return the original input together with the error codes and messages to the client. The client re-displays the form with the entered data and the messages.

Useful PHP functions for validation

$input = $_POST['tenThamso'];
$input = $_GET['tenThamso'];
empty($input): true if $input is empty
is_numeric($input): true if $input is a number or a numeric string
intval($input): integer value of $input
floatval($input): floating-point value of $input
explode($deli, $s): splits the string $s on the separator $deli
substr($s, $b, $l): returns the substring of $s made of $l characters starting at index $b
date("d"), date("m"), date("Y"): current day, month and year
time(): current time
ereg($exp, $input): checks whether $input matches the regular expression $exp
$exp has the form ^([charList]{acceptedLengths})$. Examples:
"^([0-9]{4,5})$": an integer of 4 or 5 digits
"^([0-9]{2})/([0-9]{2})/([0-9]{4})$": a date in DD/MM/YYYY form
"^[0-9a-z~!#$%&_-]([.]?[0-9a-z~!#$%&_-])*@[0-9a-z~!#$%&_-]([.]?[0-9a-z~!#$%&_-])*$": an e-mail address
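The server-side validation described above, as an added example that is not part of the lecture: it is written with preg_match() because ereg() was removed in PHP 7, uses the slide's two patterns, adds the calendar check that the regular expression alone cannot make, and converts the date to ISO form for the database. The field names code and birthdate and the sample input are constructed.

```php
<?php
// Added example: server-side validation of a form with a 4-5 digit code and a
// DD/MM/YYYY date, using the patterns shown in the lecture with preg_match().
// Returns ['errors' => [...], 'clean' => [...]]; if errors exist the caller
// re-displays the form with the original input and the messages.
function validateForm(array $post): array
{
    $errors = [];
    $clean  = [];

    // Step 1: clean -- trim whitespace and treat missing fields as empty strings
    $code = trim($post['code'] ?? '');
    $date = trim($post['birthdate'] ?? '');

    // Step 2: required fields
    if ($code === '') { $errors['code'] = 'Code is required'; }
    if ($date === '') { $errors['birthdate'] = 'Date of birth is required'; }

    // Step 3: format -- the slide's "^([0-9]{4,5})$" pattern
    if ($code !== '') {
        if (!preg_match('/^[0-9]{4,5}$/', $code)) {
            $errors['code'] = 'Code must be 4 or 5 digits';
        } else {
            $clean['code'] = $code;   // kept as a string so leading zeros survive
        }
    }

    if ($date !== '') {
        if (!preg_match('/^([0-9]{2})\/([0-9]{2})\/([0-9]{4})$/', $date, $m)) {
            $errors['birthdate'] = 'Date must be in DD/MM/YYYY form';
        } elseif (!checkdate((int) $m[2], (int) $m[1], (int) $m[3])) {
            // Step 4: range -- 31/02/2020 matches the pattern but is not a real date
            $errors['birthdate'] = 'Date does not exist';
        } else {
            // Step 5: convert the Vietnamese DD/MM/YYYY form to ISO YYYY-MM-DD for storage
            $clean['birthdate'] = sprintf('%04d-%02d-%02d', $m[3], $m[2], $m[1]);
        }
    }

    return ['errors' => $errors, 'clean' => $clean];
}

// Constructed sample input standing in for $_POST
$result = validateForm(['code' => ' 01234 ', 'birthdate' => '31/02/2020']);
print_r($result);
```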

Part 2

Sessions and cookies

Application state

HTTP is a stateless protocol
Each request is handled independently. The server does not remember the state of earlier processing.

Applications may need to remember state

When processing spans several forms and requires complex interaction
Example: moving through several different pages to pick multiple items and put them in a shopping cart

When personalisation is needed
Example: knowing which user is active so that suitable content can be served

Methods of keeping state

Keep state in the browser
Use cookies

Keep state on the server
Use sessions

Cookies
A cookie is a (name, value) pair. Creation and use:
The server sends the cookie to the client (in the response to an earlier request). The client remembers the cookie and sends it back to the server in subsequent requests. The server processes the request according to the cookie it receives.

Creating and using cookies
Creating and using a cookie is like using a patient's health record book.
Server == Doctor; Client == Patient; Cookie == the notes written in the record book. The doctor writes the diagnosis and prescription into the book. The patient takes the book home and brings it along to later appointments.

Creating cookies
The browser can create cookies with JavaScript, but usually the server sets them by adding a Set-Cookie header to the HTTP response, for example:
HTTP/1.0 200
Content-Length: 1276
Content-Type: text/html
Date: Tue, 06 Nov 2001 04:12:49 GMT
Expires: Tue, 06 Nov 2001 04:12:59 GMT
Server: simwebs/3.1.6
Set-Cookie: animal=egg-laying-mammal

<html>...</html>

Creating cookies
int setcookie(string name, [string value], [int expire], [string path], [string domain], [int secure])
name: cookie name
value: cookie value
expire: time at which the cookie expires
path: the path for which the browser will send the cookie
domain: the domain for which the browser will send the cookie
secure: 1 to send the cookie only over a secure connection

Using cookies
The browser remembers the cookie and sends it in the headers of subsequent requests, for example:
GET /duck/bill.php HTTP/1.0
Connection: Keep-Alive
Cookie: animal=egg-laying-mammal
Host: www.webdatabasebook.com
Referer: http://www.webdatabasebook.com/

Processing received cookies

Cookies are stored in the $_COOKIE array. If register_globals is enabled (in php.ini), a variable with the cookie's name is also initialised. Example:
$start = $_COOKIE['start'];

Problems with cookies
Request size grows when cookies are included. Security is weak. Privacy is compromised because the browser stores the cookies.
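Added example (not from the lecture) addressing the "security is weak" point above: the value is signed with an HMAC before it is sent and verified when it comes back, so a cookie edited on the client side is rejected, and the cookie is set with the Secure, HttpOnly and SameSite attributes. The cookie value is the one from the slide's example; the key is a constructed placeholder.

```php
<?php
// Added example: a cookie the server trusts only after checking an HMAC over its
// value, since the browser (or anyone on the path) can edit cookie contents.
// The key is a constructed placeholder; a real one is loaded from server-side
// configuration, never from the request.
const COOKIE_KEY = 'constructed-placeholder-secret-change-me';

// Build "value.signature" so that altering either part is detected
function signCookieValue(string $value, string $key = COOKIE_KEY): string
{
    return $value . '.' . hash_hmac('sha256', $value, $key);
}

// Return the original value, or null if the cookie is missing or was altered
function verifyCookieValue(?string $cookie, string $key = COOKIE_KEY): ?string
{
    $pos = $cookie === null ? false : strrpos($cookie, '.');
    if ($pos === false) {
        return null;
    }
    $value = substr($cookie, 0, $pos);
    $mac   = substr($cookie, $pos + 1);
    // hash_equals() compares in constant time, so timing does not leak the MAC
    return hash_equals(hash_hmac('sha256', $value, $key), $mac) ? $value : null;
}

// Send the signed cookie with attributes that limit the problems listed above:
// Secure (HTTPS only), HttpOnly (hidden from page scripts) and SameSite
function sendSignedCookie(string $name, string $value): bool
{
    return setcookie($name, signCookieValue($value), [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed demonstration without a browser: the slide's cookie value, then a
// copy whose value was edited by the client
$good     = signCookieValue('egg-laying-mammal');
$tampered = str_replace('mammal', 'reptile', $good);
var_dump(verifyCookieValue($good));
var_dump(verifyCookieValue($tampered));
```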

Sessions
To keep application state, the server stores session variables and sends the client a session identifier. The browser includes the session identifier in later requests, so the server can determine the state of the current interaction between the server and the browser. A session must have a timeout. The session is destroyed when the browser disconnects.

Creating and using sessions
Creating and using a session is like using a patient chart kept at the clinic.
Server == Doctor; Client == Patient; Session == the notes written in the chart. The doctor writes the diagnosis and prescription into the chart and gives the patient a clinic card (the session identifier), but does not hand over the chart. The patient takes the card home and presents it at later appointments.

Registering and using session variables

Start the session
session_start();

Use session variables
$_SESSION['svName'];

Destroy the session
session_destroy();

When to use and not to use session variables

Should
Performance: perform a complex computation once, store the result in a session variable and reuse it many times.
Chained interactions: the user enters data across several screens and may need to go back to an earlier screen to correct what was entered there.
Intermediate results: intermediate results needed by later computations should be remembered.
Personalisation: store the user's identity in a session variable and use it to serve suitable content.

Should not
Server storage: if session variables are overused, the server must set aside a lot of memory to hold them.
Security: an attacker can abuse sessions to carry out attacks.

Part 3

Authentication and security

Authentication
Purpose
Restrict access to the web application: only authorised users may use it.

Implementation
HTTP authentication
IP authentication
Authentication using a database

HTTP authentication
The browser sends an HTTP request to the server. The server replies with an HTTP response with status 401, requesting authentication. The browser prompts the user for a user name and password and sends the credentials to the server. The server then sends the page content to the browser.

Example HTTP response requesting authentication

HTTP/1.1 401 Authorization Required
Date: Mon, 21 May 2001 23:40:54 GMT
Server: Apache/1.3.19 (Unix) PHP/4.0.5
WWW-Authenticate: Basic realm="Marketing Secret"
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>401 Authorization Required</TITLE>
</HEAD><BODY>
<H1>Authorization Required</H1>
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.<P>
<HR>
<ADDRESS>Apache/1.3.19 Server at dexter Port 80</ADDRESS>
</BODY></HTML>

Example HTTP request carrying credentials

GET /auth/keys.php HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.51 [en] (WinNT; I)
Host: localhost
Accept: image/gif, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Authorization: Basic ZGF2ZTpwbGF0eXB1cw==

HTTP authentication via server configuration

Configure httpd.conf so that Apache performs HTTP authentication (the values below are placeholders for the protected directory, the file holding the user credentials and the list of allowed user names):
<Directory "thu_muc_duoc_bao_ve">
AuthType Basic/Digest
AuthName "Secret Mens Business"
AuthUserFile tep_luu_thong_tin_nguoi_dung
require danh_sach_ten_nguoi_dung
</Directory>

AuthType: Basic or Digest

HTTP authentication in PHP code

Use the header() function to add the authentication challenge to the HTTP response:
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');

The credentials (user name, password and authentication type) are available in $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] and $_SERVER['AUTH_TYPE'] respectively.

Example of HTTP authentication in PHP code

<?php
// $username and $password hold the expected credentials (for example, loaded from the user database)
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials yet: send the challenge
    header('WWW-Authenticate: Basic realm="Vui lòng nhập tên sử dụng và mật khẩu."');
    header('HTTP/1.0 401 Unauthorized');
    exit;
} else if (strcmp($_SERVER['PHP_AUTH_USER'], $username) != 0
        || strcmp($_SERVER['PHP_AUTH_PW'], $password) != 0) {
    // Wrong credentials: challenge again
    header('WWW-Authenticate: Basic realm="Tên sử dụng hoặc mật khẩu không đúng. Vui lòng nhập lại."');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
?>

Limitations of HTTP authentication
The browser may remember the login name and password, so the page can be accessed again later. If the user forgets the login name or password, there is no mechanism (such as a security question) to regain use of the account. The application may demand a login several times; for example, entering the settings section requires logging in once more.

IP authentication
Access can be restricted to certain machines (IP addresses). The IP address of the machine running the browser is $_SERVER['REMOTE_ADDR']. Check the IP (khongHople, "not valid", stands for the application's own check):
if (khongHople($_SERVER['REMOTE_ADDR'])) {
    // stop and report an error
    // or redirect to another page
} else {
    // business logic
}

Example of IP authentication
<?php
// Compare the first 10 characters of the client address with the department's prefix
if (strncmp("141.190.17", $_SERVER['REMOTE_ADDR'], 10) != 0) {
    header("HTTP/1.0 403 Forbidden");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Marketing Department</title></head>
<body>
<h2>403 Forbidden</h2>
<p>You cannot access this page from outside the Marketing Department.
</body>
</html>
<?php
    exit;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Marketing Department</title></head>
<body>
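The strncmp() prefix test above also accepts 141.190.170.x through 141.190.179.x, because "141.190.17" is a string prefix of those addresses too. Added example (not from the lecture) that checks membership in a CIDR range with ip2long() instead and makes the same 403 decision as the slide's code; the network 141.190.17.0/24 is taken from the slide's prefix, the test addresses are constructed.

```php
<?php
// Added example: restrict by CIDR range rather than string prefix. The address is
// compared as a 32-bit integer masked to the network length, so an address such
// as 141.190.170.5 is rejected for 141.190.17.0/24 even though it shares the
// first ten characters that the slide's strncmp() check accepts.
function ipInCidr(string $ip, string $cidr): bool
{
    $parts   = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($parts[0]);
    $bits    = isset($parts[1]) ? (int) $parts[1] : 32;   // a bare address means one host
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;   // malformed input is treated as "not allowed"
    }
    // Mask with the top $bits bits set; /0 is special-cased to avoid a 32-bit shift
    $mask = $bits === 0 ? 0 : -1 << (32 - $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Same decision as the slide's example: the caller sends "HTTP/1.0 403 Forbidden"
// and the error page when this returns false
function allowedFromMarketing(string $remoteAddr): bool
{
    return ipInCidr($remoteAddr, '141.190.17.0/24');
}

// Constructed checks: the second address passes strncmp("141.190.17", ..., 10)
// but lies outside the department's /24
var_dump(allowedFromMarketing('141.190.17.5'));
var_dump(allowedFromMarketing('141.190.170.5'));
```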

Authentication using a database

Create a user table with the attributes user_name and password. Use the function string crypt(string plainText [, string salt]) to hash the password before storing it in, or querying, the database.
// Use the first 2 characters of the user name as the salt
$salt = substr($username, 0, 2);
$stored_password = crypt($password, $salt);

Authentication using a database

MySQL's password() function can also be used for the hashing, in the form
$update_query = "UPDATE users SET password = password('$password') WHERE user_name = '$username'";
However, this is not as good as using PHP's crypt(), because the web server sends the plaintext password to the DBMS.

Authentication for database/web applications

Combine several techniques:
Use session variables as the authentication token. Design a login page as the single entry point that establishes the session. Design a logout page, or set a timeout, to destroy the session. Authenticate against the database. Authenticate the IP address.

Example: authentication for a database/web application

The login page is login.php and the logout page is logout.php. The session variable $_SESSION['username'] serves as the authentication token after database authentication. The session variable $_SESSION['ip'] is used for IP authentication.

Example: authentication for a database/web application

login.php
<?php
session_start(); // start the session
if (isset($_SESSION['username'])) { // already logged in
    // redirect to the main page after a successful login
    header("Location: index.php");
} else { // not yet logged in
    if (empty($_POST['username'])) { // form not yet submitted
        // Output the form for entering and submitting the user name and password
    } else { // form submitted
        // Perform database authentication; if it succeeds, set the session
        // variables and redirect to the main page:
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['ip']       = $_SERVER['REMOTE_ADDR'];
        // If it fails, destroy the session instead:
        // session_destroy();
    }
}
?>

Example: authentication for a database/web application

Add the following code at the top of every page other than login.php and logout.php:
<?php
session_start(); // required before $_SESSION can be read
// If the user is not logged in, or the IP differs from the one recorded at login (possible spoofing), return to the login page
if (!isset($_SESSION['username'])
    || (isset($_SESSION['username']) && $_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])) {
    header("Location: login.php");
    exit();
}
?>

Example: authentication for a database/web application

logout.php
<?php
session_start();
// Destroy the session variables
unset($_SESSION['username']);
unset($_SESSION['ip']);
unset($username); // register_globals copies, if that setting is enabled
unset($ip);
// Return to the login page
header("Location: login.php");
?>
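Added example, not the lecture's code, that carries login.php, the top-of-page check and logout.php through with the protections a practitioner would add: password_verify() in place of crypt() with a two-character salt, session_regenerate_id() on successful login, and the session cookie expired on logout. findUser() is a hypothetical helper over a constructed user store, and the user name and password are made up.

```php
<?php
// Added example: the database-authentication step of login.php, the check run on
// every other page, and logout, with hardening the slides do not show:
// password_verify() instead of crypt() with a two-character salt, a fresh session
// id on login, and a cookie reset on logout. findUser() is a hypothetical helper
// over a constructed in-memory user store standing in for the users table.
function findUser(string $username): ?array
{
    static $users = null;
    if ($users === null) {   // constructed row; password_hash() salts the hash itself
        $users = ['alice' => ['hash' => password_hash('s3cret-example', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

// Verify the password against the stored hash, then bind the session to the user
// and to the client address, as the slides do with $_SESSION['ip']
function loginUser(string $username, string $password, string $remoteAddr): bool
{
    $user = findUser($username);
    // password_verify() is constant-time and reads the salt from the stored hash
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Replace the id issued before login so an id planted by an attacker
    // (session fixation) is not promoted to an authenticated one
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['ip']       = $remoteAddr;
    return true;
}

// Top-of-page check for pages other than login.php and logout.php: true when the
// session is authenticated and still bound to the same client address
function sessionIsValid(array $session, string $remoteAddr): bool
{
    return isset($session['username'], $session['ip'])
        && hash_equals((string) $session['ip'], $remoteAddr);
}

// logout.php: clear all session data, drop the session and expire its cookie
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        setcookie(session_name(), '', time() - 3600, '/');
    }
    session_destroy();
}
```

In login.php, call loginUser() after session_start() with the posted credentials and $_SERVER['REMOTE_ADDR'], and redirect to index.php when it returns true; other pages call sessionIsValid($_SESSION, $_SERVER['REMOTE_ADDR']) and redirect to login.php when it returns false.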

Protecting data
Important data can be encrypted before being stored in the database. When read back for use, it must be decrypted.
Two-way encryption functions (able to both encrypt and decrypt) must be used. Do not use PHP's crypt() or MySQL's password(), because they are one-way (they can hash but cannot reverse the result).

Use the PHP encryption functions of the mcrypt library, or MySQL's encode() and decode() functions.
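Added example, not the lecture's code, of two-way encryption of a database field with PHP's openssl functions rather than mcrypt (the mcrypt extension was removed in PHP 7.2): AES-256-GCM encrypts the value and also rejects a stored value that has been altered, which plain encode()/decode() would silently decrypt to garbage. The key and the sample value are constructed placeholders.

```php
<?php
// Added example: reversible, authenticated encryption of a sensitive field before
// it is stored, and decryption when it is read back. AES-256-GCM also detects a
// modified row instead of returning garbage.
// The key must be 32 random bytes kept outside the database; this one is a
// constructed placeholder for the demonstration.
const FIELD_KEY = 'constructed-32-byte-key-01234567';   // exactly 32 bytes

function encryptField(string $plaintext, string $key = FIELD_KEY): string
{
    $iv  = random_bytes(12);   // fresh 96-bit nonce for every value, never reused with a key
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Store nonce, tag and ciphertext together; base64 keeps it safe in a text column
    return base64_encode($iv . $tag . $ct);
}

// Return the plaintext, or null when the stored value was modified or the key is wrong
function decryptField(string $stored, string $key = FIELD_KEY): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed demonstration: a round trip, then the same stored value with one
// ciphertext byte flipped, as a corrupted or edited database row would be
$stored = encryptField('ID 012345678');
$raw    = base64_decode($stored);
$last   = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
var_dump(decryptField($stored));
var_dump(decryptField(base64_encode($raw)));
```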

Using Secure Socket Layer (SSL)

Request path
Client side: the browser hands the HTTP request to SSL. SSL encrypts the HTTP request and sends the encrypted request to SSL on the server side.
Server side: SSL receives the encrypted request, decrypts it into the HTTP request and passes the HTTP request to the web server.

Response path
Server side: the web server hands the HTTP response to SSL. SSL encrypts the HTTP response and sends the encrypted response to SSL on the client side.
Client side: SSL receives the encrypted response, decrypts it into the HTTP response and passes the HTTP response to the browser.

TCP/IP carries SSL records, not HTTP requests and HTTP responses.

Using Secure Socket Layer (SSL)

The browser sends the request using the https scheme instead of http. The web server must be configured to use SSL.

Configuring Apache to use SSL

Next

Advanced processing with AJAX and jQuery