Lab6. Session Management & Access Control

This document provides instructions for setting up session management and access control in a PHP application. The key steps include: 1. Setting up the codebase and database 2. Adding user accounts and testing registration 3. Implementing access control by checking for a username session variable on protected pages and redirecting if not present. 4. Adding a login form to submit credentials to a processing page which authenticates the user and sets the username session variable on success.


Practical 6

Session Management And Access Control


1. Preamble
Students will learn to perform session management and to see how access control is
implemented in applications. The following activities will be performed within the
SWAP Development VM.

Resources
1. session_mgmt_access_control.zip

2. Accessing the Tutorial


Please perform the following tasks in order to access the tutorial.

1. Launch the XAMPP control panel in SWAP Development VM

2. Start Apache and MySQL.

3. Setup of Lab Environment


3.1. Setup of codebase
1. Extract the contents of “session_mgmt_access_control.zip” to “C:\xampp\htdocs”.
2. A “login” folder should now appear under “C:\xampp\htdocs”, as shown below:

Secure Web Applications Page 1 of 18


3. Launch the browser and access http://localhost/login. If the codebase is set up correctly,
the following screen should be displayed.

3.2. Create a PHP project with existing source


1. Click on File > New Projects from File System.

2. The following dialog will be displayed.

3. Select “Directory”, and browse to “C:\xampp\htdocs” and select the “login” folder.

4. Proceed to click “Finish” at the bottom of the dialog.

5. A project named “login” will be shown under “Project Explorer”.



3.3. Setup of database
1. Review “C:\xampp\htdocs\login\00dbsetup.php” in Eclipse.

2. The code drops the existing “ishop” database and recreates it with a new “ishop.users” table.
Running the PHP code will therefore recreate the “ishop” database.
** You will need to manually delete the existing ishop directory in C:\xampp\mysql\data\mysql if you
already have one.
3. Launch the browser and access http://localhost/login. The following screen should be
displayed.

4. Click on “00dbsetup.php” to set up the database.


5. The following screen will be shown when the setup is completed successfully.



4. Setup Access Control
4.1. Setup of User Accounts
1. Review “C:\xampp\htdocs\login\fxadduser.php” in Eclipse. The code inserts user records
into the “ishop.users” table in the database.

2. Review “C:\xampp\htdocs\login\01defaultadmin.php” in Eclipse.

3. The code adds a new user “defaultadmin” to the “ishop.users” table by calling the adduser
function defined in fxadduser.php. Running the PHP code will create a new admin
account.

4. Review “C:\xampp\htdocs\login\02defaultuser.php” in Eclipse.

5. The code adds a new user “defaultuser” to the “ishop.users” table by calling the adduser
function defined in fxadduser.php. Running the PHP code will create a new user account.

6. Review “C:\xampp\htdocs\login\fxprintusers.php” in Eclipse.

7. The code prints the list of users from the “ishop.users” table. Running the PHP code will
display the list of users in “ishop.users”.
8. The following screen will be shown when the PHP page is requested.

4.2. Setup Registration of Users


1. Review “C:\xampp\htdocs\login\registerform.php” in Eclipse. The code creates a basic
form for submitting the details of new users.

2. Review “C:\xampp\htdocs\login\registerdo.php” in Eclipse. The code processes the
information submitted from “registerform.php”.

3. Run “registerform.php”. The following page will be displayed.

4. Enter the necessary information and click the “Submit” button. The information will be
processed by “registerdo.php”, and the results of your submission will be displayed.

5. Run the “fxprintusers.php” code to display the list of users. The new user should be
reflected in the results, like the screen below.

4.3. Setup of Access Control for Protected Resources

4.3.1. Review codes of unprotected pages


1. Review “C:\xampp\htdocs\login\pagesunprotected.php” in Eclipse. The code prints
some public information on the page. Note the “session_start()” at line 4 of the code; this
function starts or resumes the session that the browser has with the web server. Having a
session does not indicate that the user is authenticated and authorized.

2. Run “C:\xampp\htdocs\login\pagesunprotected.php” in the browser. Public information
will be displayed on the page.

3. Review the code of “C:\xampp\htdocs\login\browsercookie.php”. The code displays the
cookies held by the browser that were obtained from the server.

4. Run “browsercookie.php” in the browser. A screen like the following screenshot will
be displayed. The cookie “PHPSESSID” indicates a session was started between the
browser and the server. Note: this does not indicate that the session is authenticated
or authorized.

4.3.2. Review codes of protected pages


1. Review “C:\xampp\htdocs\login\pageprotected.php” in Eclipse. The code prints
some public information on the page. Observe the “session_start()” at line 4 of
the code; this function starts or resumes a session. Thereafter, the code checks for a
session variable “username” ($_SESSION['username']). If the session variable
$_SESSION['username'] does not exist, the page is displayed with a message
that the user has not logged in.

2. Run “http://localhost\login\protectedpage.php” in the browser. Observe that the page
displays a message indicating that the user has not logged in. Also note that there is no session
variable by the name of “username”. Note that output of session variables and
cookies should be for debugging only.

3. Review the code of “protectedpage.php” and “unprotectedpage.php”. Observe
the additional code used to enforce access control in “protectedpage.php” compared with
“unprotectedpage.php”. Use https://onlinetextcompare.com/ : drag and drop the two files into the screen.

4. Run “browsercookie.php” in the browser. A screen like the following screenshot will
be displayed. The cookie “PHPSESSID” indicates a session was started between the
browser and the server.
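The check described above, written out as an added example rather than the lab's own pageprotected.php: the page resumes the session, tests for the “username” session variable, and refuses to render the protected content without it. It follows the summary's variant (redirect to the login form) instead of printing a “not logged in” message; the path /login/loginform.php and the logout link are assumptions based on the file names used in this lab.

```php
<?php
// Added example (not the lab's pageprotected.php): a minimal page gate.
// Assumes the login form lives at /login/loginform.php and the logout
// script at /login/logout.php, as the lab's file names suggest.
declare(strict_types=1);

session_start(); // starts or resumes the session identified by the PHPSESSID cookie

// Holding a session (a PHPSESSID cookie) proves nothing about identity:
// every visitor receives one as soon as session_start() runs. Only the
// session variable that the login handler sets after a successful
// credential check marks this session as authenticated.
if (empty($_SESSION['username'])) {
    // Unauthenticated: send the visitor to the login form and stop here.
    header('Location: /login/loginform.php', true, 302);
    exit; // never fall through to the protected content below
}

// Escape before echoing; only the username is shown, not the whole $_SESSION.
$username = htmlspecialchars((string) $_SESSION['username'], ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<body>
<h1>Protected page</h1>
<p>Welcome, <?= $username ?>. This content is only sent to authenticated sessions.</p>
<p><a href="/login/logout.php">Log out</a></p>
</body>
</html>
```

The `exit` after `header()` is the part most often forgotten: a redirect header alone does not stop PHP from executing the rest of the file, so without it the protected HTML would still be sent in the response body.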

4.4. Authentication and Access Control


1. Review “C:\xampp\htdocs\login\loginform.php” in Eclipse. The code creates two
textboxes where the user keys in a username and password. When the “Sign In” button is
clicked, the page submits the user inputs to the page “logindo.php”.

2. Browse to the page “http://localhost/login/loginform.php” in the browser. The following
page is displayed.

3. Input the username and password of a valid user account, e.g. defaultadmin. Enter
“defaultadmin” in the username field and “password” in the password field. Click on “Sign in”
and the page will be submitted to “logindo.php”.

4. Review the code “C:\xampp\htdocs\login\logindo.php” in Eclipse. The code has 4
functions: printmessage(), debug(), checkpost() and logindo(). The page calls
logindo() to process the username and password provided from “loginform.php”.

5. Once the processing is completed, the page shows results like the following
screenshots.

Secure Web Applications Page 11 of 18


6. Click on “Click to goto Login Done” at the bottom of the result page. The page
shows results like the following screenshot. The page displays the information in the
session and the cookies set. Note that the session now holds the authorization information
username and role.

7. Review the code “C:\xampp\htdocs\login\logindone.php” in Eclipse. Note the block of
code that checks the session variable (“username”) to determine if the user has logged in
successfully. This shows how authentication is performed and how session
variables are used to recognise authorized sessions.

8. Access the protected resource at “http://localhost\login\pageprotected.php” in the
browser. The page displays results like the following screenshots. Note that the user can
now access the protected page, which shows the information within $_SESSION. The
session variables (“username” and “roles”) are used to determine authorized
sessions and the appropriate access rights.

9. Access the public resource at “http://localhost\login\pageunprotected.php” in the
browser. Observe that the user is still able to access the public resource. Therefore, the
existence of $_SESSION does not indicate an authorized session. Instead, it is the
session variables (“username” and “roles”) stored in $_SESSION that determine the
authorization level of the user.



4.5. Termination of authenticated session
1. Review “C:\xampp\htdocs\login\logout.php” in Eclipse. The code resumes the existing
session and performs a “session_destroy()” to destroy the $_SESSION data
completely, including all session variables stored in $_SESSION.

2. Access the logout page at “http://localhost\login\logout.php” in the browser. The page
displays results like the following screenshots.

3. Access the protected resource at “http://localhost\login\pageprotected.php” in the
browser. The page displays results like the following screenshots. Note that the user can
no longer access the protected page, which shows the information within
$_SESSION. There are also no session variables (“username” and “roles”) in
$_SESSION.

4. Access the public resource at “http://localhost\login\pageunprotected.php” in the
browser. Observe that the user is still able to access the public resource.

5. Review the $_SESSION and $_COOKIE information. Observe that the session_id and
the cookies remain the same. Hence, the session_id and cookies shall not be used to
determine an authenticated session. Instead, session variables (e.g. “username” and
“role”) stored in $_SESSION should be used to determine authenticated sessions.
Screenshots: Authenticated Session (Logged in) / Unauthenticated Session (Logout)
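The login processing of section 4.4 and the logout of section 4.5, as one added example that is not the lab's logindo.php or logout.php. It assumes a mysqli connection to the “ishop” database with XAMPP's default root account, and a “users” table with columns username, password (stored as a password_hash() value) and role; the lab names the table but not its columns, and does not say whether passwords are hashed. It also goes slightly beyond the lab's code: the login regenerates the session id on success, and the logout expires the PHPSESSID cookie in addition to calling session_destroy(), so after logout the browser no longer presents the old id that step 5 above observes remaining unchanged.

```php
<?php
// Added example, not the lab's logindo.php or logout.php.
// Assumptions: mysqli connection to "ishop" (XAMPP default root, empty
// password) and a "users" table with columns username, password
// (a password_hash() value) and role. The lab does not state these.
declare(strict_types=1);

/**
 * Verify credentials against ishop.users and, on success, mark the
 * session as authenticated by storing username and role in $_SESSION.
 * Returns true on success, false on any failure.
 */
function login_user(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password, role FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Same failure path whether the user is unknown or the password is wrong.
    if ($row === null || !password_verify($password, $row['password'])) {
        return false;
    }

    // Swap the pre-login session id for a fresh one, so the id the browser
    // held before authentication is not the one that now carries authorization.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;    // "is this session authenticated?"
    $_SESSION['role']     = $row['role']; // "what is it authorized to do?"
    return true;
}

/**
 * Terminate the authenticated session: clear the variables, expire the
 * PHPSESSID cookie in the browser and destroy the server-side record.
 * logout.php would call session_start() and then this function.
 */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// --- request handling, as logindo.php would do it for the POSTed form ---
session_start();
$db = new mysqli('localhost', 'root', '', 'ishop'); // assumed XAMPP defaults
$db->set_charset('utf8mb4');

$user = isset($_POST['username']) ? (string) $_POST['username'] : '';
$pass = isset($_POST['password']) ? (string) $_POST['password'] : '';

if (login_user($db, $user, $pass)) {
    header('Location: /login/logindone.php', true, 302);
} else {
    http_response_code(401);
    echo 'Login failed.'; // no hint about which of the two fields was wrong
}
exit;
```

The prepared statement keeps the submitted username out of the SQL text, and the single “Login failed.” response for both an unknown user and a wrong password means the login page does not reveal which usernames exist in ishop.users.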

4.6. Authorisation and Access Control


1. Review the page “C:\xampp\htdocs\login\page4users.php” in Eclipse. Note the additional
block of code used to check the session variables “username” and “role”. The session
variable “username” is used to determine if the session is authenticated, while the
session variable “role” is used to determine the authorization level. This page is
authorized only for the role “user”.



2. Browse to the page “http://localhost/login/loginform.php” in the browser. The following
page is displayed.

3. Input the username and password of a valid account with only the user role, e.g. defaultuser.
Enter “defaultuser” in the username field and “password” in the password field and sign in.
4. Access the page at “http://localhost\login\page4users.php” in the browser. The page
displays results like the following screenshots.

5. Review “C:\xampp\htdocs\login\page4admin.php” in Eclipse. Note the additional block
of code used to check the session variables “username” and “role”. This page is
authorized only for the role “admin”.

6. Access the page at “http://localhost\login\page4admins.php” in the browser. The page
displays results like the following screenshots, indicating that the account has the role
“user” and hence is not able to access pages for the role “admin”.

7. Sign out and sign in again as a user account with the role “admin”. Then try to access
http://localhost\login\page4admins.php and observe the results again.
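The two-stage check described for page4users.php and page4admin.php, as an added example that is not the lab's own code. It assumes the login handler has already stored $_SESSION['username'] and $_SESSION['role'] with role values “user” or “admin”, and that the login form is at /login/loginform.php; the helper name require_role() is an assumption.

```php
<?php
// Added example of the authorization check in page4users.php / page4admin.php;
// not the lab's code. Assumes logindo.php has set $_SESSION['username'] and
// $_SESSION['role'] (values "user" or "admin") on a successful login.
declare(strict_types=1);

/**
 * Enforce both checks, in order: authentication first (is there a username
 * in the session?), then authorization (is the role one of those allowed?).
 * Ends the request if either check fails, so the page body never runs.
 */
function require_role(array $allowedRoles): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['username'])) {
        // Not authenticated: the session exists but nobody has logged in on it.
        header('Location: /login/loginform.php', true, 302);
        exit;
    }
    $role = $_SESSION['role'] ?? '';
    if (!in_array($role, $allowedRoles, true)) {
        // Authenticated, but this role is not permitted on this page.
        http_response_code(403);
        echo 'Forbidden: your role does not permit access to this page.';
        exit;
    }
}

// page4admin.php would begin with this line; page4users.php would pass
// ['user'] instead, or ['user', 'admin'] if admins may also see user pages.
require_role(['admin']);
?>
<h1>Admin page</h1>
<p>Only sessions whose role is "admin" reach this line.</p>
```

A defaultuser session that reaches the admin page gets the 403 branch, which is the behaviour step 6 above observes; a visitor with no “username” in the session is redirected before the role is even looked at, so the role value alone can never grant access.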



9. Key Learning Points
- A session is created/resumed upon the call of session_start()
- Existence of $_SESSION does not indicate that a session is authenticated and authorized
- Use additional variables in $_SESSION to identify authenticated users and identify the authorization
level of users
    - E.g. username – used to determine if a user is authenticated
    - E.g. role – used to determine if a user is a normal user or an admin.
- A session is destroyed upon the call of session_destroy(), where all variables in $_SESSION
are removed.
- Content in $_SESSION should not be displayed.
----------THE-END----------

