Sessions, Cookies, & .htaccess IT 210

Upload: raymond-owen

Post on 05-Jan-2016


Page 1: Sessions, Cookies, &.htaccess IT 210. Procedural Issues  Quiz #3 Today!  Homework #3 Due Friday at midnight UML for Lab 4  Withdraw Deadline is Wed,

Sessions, Cookies, & .htaccess

IT 210

Page 2: Procedural Issues

- Quiz #3 today!
- Homework #3 due Friday at midnight
- UML for Lab 4
- Withdraw deadline is Wed, Feb 8th
- Resources and strategies when getting stuck?

Page 3: Problem

HTTP is stateless. This causes problems when you want the server to “remember” a user (e.g., checkout baskets, customized presentation).

This problem is solved by using cookies and sessions.

Page 4: Sessions and Cookies

Page 5: Sessions and Cookies

Page 6: PHP Sessions

- Remember: HTTP is memoryless
- “Sessions” provide temporary memory for web site access
- Created by the server (e.g., PHP)
- Associative array (name/value pairs)
- Expires after ~15 minutes of inactivity
- Removed when the browser is closed
- Stored in cookies or on the query string. The query string doesn’t allow for the back button and has security problems
- UID and program-defined variables are saved

Page 7: Cookies are used for…

- Session management
- Personalization
- Web analytics

Page 8: Cookies

- Small text file stored in a file on the client (“cookie jar”)
- Name/value pairs with expiration date, location, & source indicated
- Can be marked secure (sent only over HTTPS, hence encrypted in transit) or not
- First party (from the domain you’re visiting) vs. third party (from a different domain)
- Session cookies (end when you close the browser) vs. persistent cookies (stored for a long time and used when you revisit the site)

Page 9: Cookies

Set with:

<?php
// Calculate 60 days in the future
// seconds * minutes * hours * days + current time
$inTwoMonths = 60 * 60 * 24 * 60 + time();
setcookie('lastVisit', date("G:i - m/d/y"), $inTwoMonths);
?>

Retrieve with: $_COOKIE

Page 10: Our goal: secure login

Secure? Use PHP to read the form and check the results against a database. If valid, set a variable to ‘true’, otherwise ‘false’.

Column Name   Type          Null   Primary Key   Extra
user_id       int(8)        No     PK            AUTO
username      varchar(11)   No
password      varchar(32)   No
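An added example (not from the slides) that puts slides 6, 9 and 10 together the way a practitioner would write the login today: the slide's varchar(32) password column only fits a hex MD5, which is the weak point behind its “Secure?”, so here passwords go through password_hash(), the session ID travels only in a cookie flagged HttpOnly/Secure/SameSite, and the ID is regenerated at login. Assumes PHP 7.3+ and $pdo, an open PDO connection to the slide's users table with the password column widened to hold the hash.

```php
<?php
// Added example, not from the slides. Assumes PHP 7.3+ and $pdo, an open PDO
// connection to slide 10's users table (user_id, username, password), with the
// password column widened to VARCHAR(255) so it can hold password_hash() output.
// Carry the session ID only in a cookie, never on the query string, and flag
// the cookie so scripts cannot read it and browsers send it over HTTPS only.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: gone when the browser closes
    'path'     => '/',
    'secure'   => true,     // HTTPS only
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Registration: store a salted bcrypt hash, never the password or an MD5 of it.
function register_user(PDO $pdo, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);   // ~60 chars
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: prepared statement (no SQL injection), hash comparison, and a fresh
// session ID so an ID handed out before login cannot be reused (fixation).
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['user_id'];
    $_SESSION['logged_in'] = true;
    // Slide 9's lastVisit cookie, sent with the same protective flags.
    setcookie('lastVisit', date('G:i - m/d/y'), [
        'expires'  => time() + 60 * 60 * 24 * 60,   // 60 days from now
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return true;
}
// On a protected page: anyone without a logged-in session is redirected.
function require_login(): void {
    if (empty($_SESSION['logged_in'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}
```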

Page 11: What is .htaccess?

- Method for remote web-server control
- Supports multiple users
- A simple text file in a directory, called .htaccess

Page 12: .htaccess

- Built into Apache; other servers have other means
- Disabled by default
- Put the file into a directory to make site settings
- Controlled by the closest file in the hierarchy

Page 13: Performance Hit

If .htaccess is turned on in Apache, then Apache will look in every directory for an .htaccess file and read it if it is there. If a file is requested out of the directory /www/htdocs/example, Apache must look for:

/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess

Lower file directives override higher ones.

Page 14: On the other hand …

It does allow users to control their own sub-directory tree without affecting others. There are other ways to do this, but they require system-level access to Apache, which you may not want to give to users who each control their own sub-tree (website).

Page 15: Use .htaccess to…

- Customize error messages
- Password protect sites
- Block access by IP addresses
- Block rippers and bots
- Prevent hot linking (e.g., another site embedding images from your site)

Page 16: Error messages

ErrorDocument 400 /errors/badrequest.html
ErrorDocument 401 /errors/authreqd.html
ErrorDocument 403 /errors/forbid.html
ErrorDocument 404 "Not here <em>bucko</em>!"
ErrorDocument 500 /errors/serverx.html

Page 17:

Page 18: Access control

Modify .htaccess:

AuthUserFile /usr/local/myhome/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require valid-user

Now, create a password file.

Page 19: .htpasswd

- Put in a safe location
- Username, password pairs
- Passwords are stored hashed, not in the clear
- E.g.: It210:cwQgdU78tJoCc
- See online site for generating passwords

Page 20: Other commands

Block IPs:

# Allow directives are evaluated first, then Deny: the listed addresses are refused
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

Block rippers:

# Any request whose User-Agent matches one of the patterns gets 403 Forbidden
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger
RewriteRule ^.* - [F,L]

Page 21: Finally, block hot links

These steal your intellectual property and your bandwidth!

# Requests with an empty Referer (typed directly) pass; a Referer from any
# site other than mydomain.com gets 403 for the listed file types
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]