Sessions, Cookies, & .htaccess
IT 210
Procedural Issues
- Quiz #3 today!
- Homework #3 due Friday at midnight
- UML for Lab 4
- Withdraw deadline is Wed, Feb 8th
- Resources and strategies when getting stuck?
Problem
HTTP is stateless. This causes problems when you want the server to "remember" a user (e.g., checkout baskets, customized presentation).
This problem is solved by using cookies and sessions.
Sessions and Cookies
PHP Sessions
Remember: HTTP is stateless. "Sessions" provide temporary memory for web site access.
- Created by the server (e.g., PHP)
- Associative array (name/value pairs)
- Expires after ~15 minutes of inactivity
- Removed when the browser is closed
- The session ID is stored in a cookie or on the query string. The query string doesn't work with the back button and has security problems (the ID is exposed in the URL)
- The session ID (UID) and program-defined variables are saved
Cookies are used for…
- Session management
- Personalization
- Web analytics
Cookies
- Small text file stored in a file on the client (the "cookie jar")
- Name/value pairs with expiration date, location (path), and source (domain) indicated
- Can be marked secure (sent only over HTTPS, so encrypted in transit) or not
- First party (from the domain you're visiting) vs. third party (from a different domain)
- Session cookies (end when you close the browser) vs. persistent cookies (stored for a long time and sent again when you revisit the site)
Cookies
Set with (must be called before any output is sent, because cookies travel in the response headers):
<?php
// Calculate 60 days in the future:
// seconds * minutes * hours * days + current time
$inTwoMonths = 60 * 60 * 24 * 60 + time();
setcookie('lastVisit', date("G:i - m/d/y"), $inTwoMonths);
?>
Retrieve with: $_COOKIE (e.g., $_COOKIE['lastVisit'] on the next request)
Our goal: secure login
Secure? Use PHP to read the form and check the results against a database. If valid, set a variable to 'true', otherwise 'false'.

Column Name   Type         Null   Primary Key   Extra
user_id       int(8)       No     PK            AUTO
username      varchar(11)  No
password      varchar(32)  No
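The login the slide describes, written out as an added example (not code from the slides): it checks the submitted form against the users table with a prepared statement and a stored password hash, and records the result in the PHP session rather than in a client-side cookie. It assumes the password column is widened (e.g., varchar(255)) to hold password_hash() output, and the DSN and database credentials are placeholders.

```php
<?php
// Added example, not from the slides. Assumes a `users` table as on the
// slide but with `password` widened (e.g. varchar(255)) to hold a
// password_hash() result. DSN and credentials below are placeholders.

session_set_cookie_params([
    'lifetime' => 0,        // session cookie: gone when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // not sent on cross-site POSTs
]);
session_start();

function attemptLogin(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the submitted username never becomes SQL text.
    $stmt = $db->prepare('SELECT user_id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash. When the user does not exist, verify
    // against a dummy hash anyway so both paths take similar time.
    $hash = $row ? $row['password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return false;
    }

    // Issue a fresh session ID at login so the authenticated session does
    // not keep an ID that existed before authentication (session fixation).
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = (int) $row['user_id'];
    return true;
}

// Placeholder connection details.
$db = new PDO('mysql:host=localhost;dbname=it210', 'DB_USER', 'DB_PASSWORD');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$ok = attemptLogin($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
header('Location: ' . ($ok ? '/home.php' : '/login.php?error=1'));
exit;
```

Accounts are created with password_hash($password, PASSWORD_DEFAULT), so the stored column holds a bcrypt hash rather than the password itself, and later pages check $_SESSION['logged_in'] after session_start() instead of trusting a cookie value the client can edit.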
What is .htaccess
- Method for remote web-server control
- Supports multiple users
- A simple text file in a directory, called .htaccess

.htaccess
- Built into Apache; other servers have other means
- Disabled by default
- Put the file into a directory to make site settings for that directory
- Controlled by the closest file in the hierarchy
Performance Hit
If .htaccess is turned on in Apache, then Apache will look in every directory for an .htaccess file and read it if it is there. If a file is requested out of the directory /www/htdocs/example, Apache must look for:
/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess
Directives in a lower (deeper) file override those in higher ones.
On the other hand…
It does allow users to control their own sub-directory tree without affecting others. There are other ways to do this, but they require system-level access to Apache, which you may not want to give to users who each control their own sub-tree (website).
Use .htaccess to…
- Customize error messages
- Password protect sites
- Block access by IP addresses
- Block rippers and bots
- Prevent hot linking (e.g., another site embedding images from your site)
Error messages
ErrorDocument 400 /errors/badrequest.html
ErrorDocument 401 /errors/authreqd.html
ErrorDocument 403 /errors/forbid.html
ErrorDocument 404 "Not here <em>bucko</em>!"
ErrorDocument 500 /errors/serverx.html
Access control
Modify .htaccess:
AuthUserFile /usr/local/myhome/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require valid-user
(Basic auth sends the username and password with every request, only base64-encoded, so serve the protected directory over HTTPS.)
Now, create a password file
.htpasswd
- Put it in a safe location (outside the document root, so it cannot be downloaded)
- Username, password pairs, one per line
- Passwords are stored as hashes (crypt format in the example), not in the clear
- E.g.: It210:cwQgdU78tJoCc
- See an online site for generating passwords, or use the htpasswd utility that ships with Apache (e.g., htpasswd -c /usr/local/myhome/.htpasswd It210)
Other commands
Block IPs
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all
(With order allow,deny, the deny lines win over allow from all, so only the listed addresses are blocked. This is the Apache 2.2 syntax; Apache 2.4 uses Require directives unless mod_access_compat is loaded.)
Block rippers
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger
RewriteRule ^.* - [F,L]
(The User-Agent header is supplied by the client, so this only stops tools that identify themselves honestly.)
Finally: Block hot links
These steal your intellectual property and your bandwidth!
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]
The first condition lets requests with no Referer at all through, so direct visits and browsers that suppress the header still get the files; the second forbids (403) any request whose Referer is not your own domain.