University of Virginia, Department of Computer Science
CS200: Computer Science, Spring 2003

Notes: Monday 21 April 2003
Notes

Ways to authenticate:

Passwords: The Weakest Link?, cNet News, 22 May 2002.
Authentication for Remote Voting, Nathanael Paul, David Evans, Avi Rubin and Dan Wallach, April 2003.

Cryptographic Hash Functions

One-way: Given h, it is hard to find x such that H(x) = h.
Collision Resistant: Given x, it is hard to find y not equal to x such that H(y) = H(x).
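To make the two definitions above concrete, here is an added example (not part of the original notes) that measures how much work each property costs in practice. It uses SHA-256 truncated to a few bits so that the searches finish quickly; the `truncated_hash`, `find_preimage` and `find_collision` names are this example's own. The brute-force preimage search needs about 2^bits hashes, while the birthday-style collision search needs only about 2^(bits/2), which is why a digest has to be long enough that even the square root of its size is out of reach.

```python
"""Empirical look at one-wayness and collision resistance (added example)."""
import hashlib
import itertools


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 of `data`, keeping only the top `bits` bits as an integer.

    Truncating the digest is what makes the searches below feasible;
    the full 256-bit digest would be far beyond brute force.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_preimage(target: int, bits: int) -> tuple[bytes, int]:
    """One-wayness: given h, search for some x with H(x) == h.

    Tries deterministic candidate messages in order and returns the first
    match together with the number of hashes computed (about 2**bits on
    average, so each extra bit doubles the work).
    """
    for n in itertools.count():
        candidate = b"candidate-%d" % n
        if truncated_hash(candidate, bits) == target:
            return candidate, n + 1
    raise AssertionError("unreachable: itertools.count() never ends")


def find_collision(bits: int) -> tuple[bytes, bytes, int]:
    """Collision resistance: search for x != y with H(x) == H(y).

    Birthday search: remember every digest seen so far and stop at the
    first repeat. Expected cost is about 2**(bits/2) hashes, the square
    root of the preimage cost for the same digest length.
    """
    seen: dict[int, bytes] = {}
    for n in itertools.count():
        msg = b"message-%d" % n
        h = truncated_hash(msg, bits)
        if h in seen:           # messages are all distinct, so this is a real collision
            return seen[h], msg, n + 1
        seen[h] = msg
    raise AssertionError("unreachable: itertools.count() never ends")


if __name__ == "__main__":
    # Compare the work for the same 24-bit digest: preimage vs. collision.
    target = truncated_hash(b"hello", 24)
    _, preimage_tries = find_preimage(target, 24)
    x, y, collision_tries = find_collision(24)
    print(f"24-bit preimage found after {preimage_tries} hashes")
    print(f"24-bit collision {x!r} / {y!r} found after {collision_tries} hashes")
```

Running the module prints the two counts; the preimage search typically needs millions of hashes at 24 bits while the collision search needs a few thousand, which is the gap between the 2^n and 2^(n/2) bounds.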

Example

All code for the Semi-Secure Chat Server: http://www.cs.virginia.edu/cs200/chat/chat.zip

You are free to incorporate any of this code that is useful into your PS8 project.

index.php (http://www.cs.virginia.edu/cs200/chat/)
The index page checks if the visitor already has a cookie. If the cookie is valid, it displays the message board. If the visitor does not have a cookie, it presents a login form.

<?php
include "preheader.html"; 
print "<title>Wahoo Chat</title>";
include "header.html";
?>
<h1>Wahoo Chat</h1>
<?php
include "error.php";
include "opendb.php";
include "cookies.php";       // defines checkCookie ($user, $auth)
include "displaytable.php";  // defines displayTable ($result)

// The cookie is sent as chat[uid] and chat[auth]; PHP exposes it as a nested array.
if (isset ($_COOKIE["chat"]["uid"]) && isset ($_COOKIE["chat"]["auth"])) {
  $user = $_COOKIE["chat"]["uid"];
  $auth = $_COOKIE["chat"]["auth"];
  openDatabase ();
    
  if (checkCookie ($user, $auth)) {
    // Escape the cookie-supplied name before echoing it into the page.
    $safeuser = htmlspecialchars ($user);
    print "<b>Welcome $safeuser!</b>
           [<a href=\"login-new.php\">Login as Different User</a>] 
           [<a href=\"register.html\">Register New User</a>]<br><p><br>";
?>    
    <form action="post-process.php" method="POST">
       <table border=0>
       <tr><td>Subject:</td><td><input type="text" size="30" name="subject"></td></tr>
       <tr><td>Message:</td><td><input type="text" size="100" name="text"></td></tr>
       <tr><td></td><td><input type="submit" value="Post Message"></td></tr>
       </table>
       </form>
<?php
    // Show the ten most recent messages.
    $result = mysql_query ("SELECT date, user, subject, text 
                            FROM messageboard 
                            ORDER BY date DESC LIMIT 10");
    displayTable ($result);    
  } else {
    print "<b>Bogus cookie!</b><br><p></p><p>Nice try. Better luck next time.<br><br><p>";
    print "[<a href=\"login-new.php\">Login</a>] 
           [<a href=\"register.html\">Register New User</a>]<br>";
  }
  mysql_close();
} else {
  include "login.php"; // No cookie, login as a new user
}
include "footer.html";
?>
register-process.php
A new user is registered by checking the username is unique. If it is, a new inactive account is created, and mail is sent to the user with a URL to activate that account (containing md5($username . $secret) as an authentication code).
<?php
include "preheader.html";
print "<title>Registration Result</title>";
include "header.html";
print "<h2>Registration Result</h2><p>";

include "error.php";   // defines error ($msg)
include "secret.php";  // defines $secret, known only to the server
include "opendb.php";  // defines openDatabase ()

// Read the form fields explicitly rather than relying on register_globals.
// The field names are assumed to match those in register.html (not shown here).
$username       = $_POST["username"];
$password       = $_POST["password"];
$passwordverify = $_POST["password-verify"];
$email          = $_POST["email"];

if ($password != $passwordverify) { error ("The two passwords did not match."); } 
openDatabase ();

// Escape the form values before interpolating them into SQL strings ...
$qusername = mysql_real_escape_string ($username);
$qemail    = mysql_real_escape_string ($email);
// ... and before echoing them back into HTML.
$husername = htmlspecialchars ($username);
$hemail    = htmlspecialchars ($email);

$result = mysql_query ("SELECT username FROM users WHERE username='$qusername'");
if (mysql_num_rows ($result) > 0) {
  error ("Username $husername is already in use.  Please select a different username.");
}

$result = mysql_query ("SELECT email FROM users WHERE email='$qemail'");
if (mysql_num_rows ($result) > 0) {
  error ("There is already an account for email address $hemail.");
}

$encryptedpass = md5 ($password . $username); // We use the username as a "salt"
$actcode = md5 ($username . $secret);         // Activation code: only the server knows $secret
$startcount = rand (0, 100000);               // Initial value of the per-user cookie counter

// Run a SQL Query to insert the data (activated = 0 until the emailed link is visited)
$query = "INSERT INTO users (username, password, email, activated, cookiecounter)
          VALUES ('$qusername', '$encryptedpass', '$qemail', 0, $startcount)";

$result = mysql_query ($query);
if (!$result) { error ("Insert failed: " . mysql_error ()); }
mysql_close ();

// The activation URL carries the username and its md5 ($username . $secret) code.
$url = "http://" . $_SERVER['HTTP_HOST'] . dirname ($_SERVER['PHP_SELF']) 
        . "/activate.php?user=" . urlencode ($username) . "&code=$actcode";
print ("Thank you for registering for WahooChat.<br><p>");
print ("You should receive an email at $hemail soon that explains how to 
        activate your account.<p>");
$msg = "Thank you for registering for WahooChat.\n\n
        To activate your account visit\n  $url\n
        If you encounter problems, or did not register for a WahooChat account, 
        email evans@cs.virginia.edu.\n\n--- WahooChat Activation Bot"; 
mail ($email, "WahooChat Account Activation", $msg, "From: wahoochat-bot@virginia.edu");
include "footer.html";
?>
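The whole account flow that index.php and register-process.php implement, registration with an emailed activation code, activation, login and the cookie check, reimplemented in Python as an added example. This is not the course's PHP (which talks to MySQL); an in-memory dictionary stands in for the `users` table and `SECRET` stands in for `$secret` from secret.php. The hashing mirrors register-process.php exactly: the stored password is md5(password . username) and the activation code is md5(username . secret). The cookie scheme is an assumption, since cookies.php is not shown in the notes: `check_cookie()` here treats the `auth` value as md5(uid . cookiecounter . secret), using the per-user `cookiecounter` that register-process.php stores.

```python
"""Registration, activation, login and cookie check of the chat server (added example)."""
import hashlib
import hmac
import random

SECRET = "constructed-server-secret"   # stands in for $secret in secret.php

# In-memory stand-in for the MySQL `users` table: username -> row dict.
users: dict[str, dict] = {}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def same(a: str, b: str) -> bool:
    """Constant-time comparison, so a mismatch does not leak how many leading characters matched."""
    return hmac.compare_digest(a.encode(), b.encode())


def register(username: str, password: str, password_verify: str, email: str) -> str:
    """Create an inactive account and return the activation code that would be emailed."""
    if password != password_verify:
        raise ValueError("The two passwords did not match.")
    if username in users:
        raise ValueError(f"Username {username} is already in use.")
    if any(row["email"] == email for row in users.values()):
        raise ValueError(f"There is already an account for email address {email}.")
    users[username] = {
        "password": md5_hex(password + username),   # username acts as the "salt"
        "email": email,
        "activated": False,                          # activated = 0 in the PHP table
        "cookiecounter": random.randint(0, 100000),  # rand (0, 100000) in the PHP
    }
    return md5_hex(username + SECRET)                # md5 ($username . $secret)


def activate(username: str, code: str) -> bool:
    """activate.php: mark the account active if `code` matches md5(username . secret)."""
    if username in users and same(md5_hex(username + SECRET), code):
        users[username]["activated"] = True
        return True
    return False


def login(username: str, password: str) -> bool:
    """Check a password against the stored salted md5; inactive accounts cannot log in."""
    row = users.get(username)
    if row is None or not row["activated"]:
        return False
    return same(row["password"], md5_hex(password + username))


def issue_cookie(username: str) -> dict:
    """Build the chat[uid] / chat[auth] pair that index.php reads (assumed scheme)."""
    counter = users[username]["cookiecounter"]
    return {"uid": username, "auth": md5_hex(f"{username}{counter}{SECRET}")}


def check_cookie(uid: str, auth: str) -> bool:
    """checkCookie() from cookies.php (assumed): auth must match the user's current counter.

    Because the counter is stored per user, changing it in the table invalidates
    every cookie issued for that user, which is a simple way to log out everywhere.
    """
    row = users.get(uid)
    if row is None or not row["activated"]:
        return False
    return same(md5_hex(f"{uid}{row['cookiecounter']}{SECRET}"), auth)


if __name__ == "__main__":
    code = register("alice", "correct horse", "correct horse", "alice@example.com")
    print("login before activation:", login("alice", "correct horse"))   # False
    print("activate with mailed code:", activate("alice", code))         # True
    cookie = issue_cookie("alice")
    print("cookie accepted:", check_cookie(cookie["uid"], cookie["auth"]))   # True
    print("bogus cookie:", check_cookie("alice", "not-a-real-auth-value"))   # False
```

Two design notes. The md5 constructions reproduce the 2003 code so the example matches the notes; a deployment today would store passwords with a deliberately slow hash (bcrypt, scrypt or Argon2) and would derive the activation and cookie tokens with HMAC rather than a bare hash of data concatenated with the secret. The comparisons go through `hmac.compare_digest`, which the PHP `!=` checks do not, so that response timing does not reveal partial matches of a token.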