University of Virginia, Department of Computer Science
CS200: Computer Science, Spring 2003

Notes: Monday 21 April 2003


Ways to authenticate:

Passwords: The Weakest Link?, cNet News, 22 May 2002.
Authentication for Remote Voting, Nathanael Paul, David Evans, Avi Rubin and Dan Wallach, April 2003.

Cryptographic Hash Functions

One-way: Given h, it is hard to find x such that H(x) = h.
Collision Resistent: Given x, it is hard to find y not equal to x such that H(y) = H(x).


All code for the Semi-Secure Chat Server:

You are free to incorporate any of this code that is useful into your PS8 project.

index.php (
The index page checks if the visitor already has a cookie. If the cookie is valid, it displays the message board. If the visitor does not have a cookie, it presents a login form.

include "preheader.html"; 
print "<title>Wahoo Chat</title>";
include "header.html";
<h1>Wahoo Chat</h1>
include "error.php";
include "opendb.php";
include "cookies.php";
include "displaytable.php";

if (isset ($_COOKIE["chat"])) {
  $user = $_COOKIE["chat"]["uid"];
  $auth = $_COOKIE["chat"]["auth"];
  openDatabase ();
  if (checkCookie ($user, $auth)) {
    print "<b>Welcome $user!</b>
           [<a href=\"login-new.php\">Login as Different User</a>] 
           [<a href=\"register.html\">Register New User</a>]<br><p><br>";
    <form action="post-process.php" method="POST">
       <table border=0>
       <tr><td>Subject:</td><td><input type="text" size="30" name="subject"></td></tr>
       <tr><td>Message:</td><td><input type="text" size="100" name="text"></td></tr>
       <tr><td></td><td><input type="submit" value="Post Message"></td></tr>
    $result = mysql_query ("SELECT date, user, subject, text 
                            FROM messageboard 
                            ORDER BY date DESC LIMIT 10");
    displayTable ($result);    
  } else {
    print "<b>Bogus cookie!</b><br><p></p><p>Nice try. Better luck next time.<br><br><p>";
    print "[<a href=\"login-new.php\">Login</a>] 
           [<a href=\"register.html\">Register New User</a>]<br>";
} else {
  include "login.php"; // No cookie, login as a new user
include "footer.html";
A new user is registered by checking the username is unique. If it is, a new inactive account is created, and mail is sent to the user with a URL to activate that account (containing md5($username . $secret) as an authentication code).
include "preheader.html";
print "<title>Registration Result</title>";
include "header.html";
print "<h2>Registration Result</h2><p>";

include "error.php";
include "secret.php";
include "opendb.php";

if ($password!=$password-verify) { error("The two passwords did not match."); } 
openDatabase ();
$result = mysql_query("SELECT username FROM users WHERE username='$username'");
if (mysql_num_rows ($result) > 0) {
  error ("Username $username is already in use.  Please select a different username.");

$result = mysql_query("SELECT email FROM users WHERE email='$email'");
if (mysql_num_rows ($result) > 0) {
  error ("There is already an account for email address $email.");

$encryptedpass = md5 ($password . $username); // We use the username as a "salt"
$actcode = md5 ($username . $secret);
$startcount = rand (0, 100000);

// Run a SQL Query to insert the data
$query =  "INSERT INTO users (username, password, email, activated, cookiecounter)
  	   VALUES ('$username', '$encryptedpass', '$email', 0, $startcount)";

$result = mysql_query($query);
if ($result != 1) { error ("Insert failed: $result"); }

$url = "http://" . $_SERVER['HTTP_HOST'] . dirname ($_SERVER['PHP_SELF']) 
        . "/activate.php?user=$username&code=$actcode";
print ("Thank you for registering for WahooChat.<br><p>");
print ("You should receive an email at $email soon that explains how to 
        activate your account.<p>");
$msg = "Thank you for registering for WahooChat.\n\n
        To activate your account visit\n  $url\n
        If you encounter problems, or did not register for a WahooChat account, 
        email\n\n--- WahooChat Activation Bot"; 
mail ($email, "WahooChat Account Activation", $msg, "From:");
include "footer.html";
CS 200

CS 200: Computer Science
Department of Computer Science
University of Virginia
Using these Materials