Depois de todo o alvoroço sobre o Chrome OS, finalmente baixei e pude conferir. Usando este link, tive que criar uma conta e após confirmar o cadastro pelo email, pude baixar uma imagem de VMware e criei a máquina virtual usando o Fusion.

O boot é realmente rápido, e logo aparece a primeira tela: login. Procurei um pouco e descobri que o usuário e senha é o mesmo do Google Accounts. Porém, não funcionou pra mim, e tudo que consegui foi um erro informando: Network not connected and offline login fail.

Usando a rede da máquina virtual como NAT ou Bridge, não fez com que o login funcionasse. Procurando mais um pouco, encontrei a solução: usuário chronos, sem senha.

Usei um pouco, procurei algo sobre configuração de resolução, e nada. Também, não há botão algum para desligar ou reiniciar o sistema operacional. Logo, procurando um pouco mais, descobri como abrir um terminal: Ctrl-Alt-T. É um linux, bem simples e pequeno, com a interface baseada em GTK, e o Chromium.

Nada especial, mas essa simplicidade é bem interessante.

Para virar root, pode-se usar o sudo, e a senha é chronos. Não tem muito o que fazer no terminal, apenas um sudo reboot ou sudo halt.

Curti.

Pra quem ainda não baixou o Chromium, aqui tem todos snapshots para os sistemas operacionais suportados: http://build.chromium.org/buildbot/snapshots/

Login i hasło do blogu! ;] Przypomniałem sobie, że w ogóle mam blog. Przez rok było wiele zmian. Miałem chyba z 10 telefonów. Dziewczyna nadal ta sama i teraz mieszka u mnie. Samochód nadal ten sam. I zwolniłem się z tej chorej firmy! Hura!

Insomma, il valore del blog sta anche nel fatto che consente a chi non ha potuto partecipare ad una proiezione (come il sottoscritto l’ultima volta ed anche vivo un morire e forse altri … io ci contavo …) di recuperare qualcosa di quello che è accaduto.

Non si tratta solo di intervenire per dire la cosa intelligente ma quello che si sente, quello che si è sentito, qualcosa sarà pur successo dentro alle persone?

Si può soprattutto trattare di esprimere quello che si è sentito per coloro che non c’erano … per gli altri e non sempre e solo per stessi …

Ho aggiunto a destra un widget per il controllo del login. Per riassumere ecco come appare il blog se non si è collegati al proprio account (ho evidenziato il nuovo widget)

… e come appare invece quando si è collegati …

UPDATE 20Nov2009 – The password update has been postponed due to technical issues.

As you know, the portal is now open for PPCC students, faculty and staff at http://my.ppcc.edu. The first time students log into the portal they are prompted to change the PIN that they have been using to log into D2L and Blackboard to a password. There are links on the portal to both Blackboard and Desire2Learn that take them to their home pages—no other log in is required.

The portal includes links to all kinds of PPCC resources, including registration, and the overall plan is for all students to use the portal as the entry point for everything they do online at PPCC.

A change in how students are authenticated on the web will happen on Monday morning, and it might create some confusion for Desire2Learn. Please help us prevent that. Basically you need to remember three things:

1. Students who have NOT accessed the portal and changed their password will see no difference in how they log into Desire2Learn this semester. They will use the same S# and PIN they have been using.
2. Students who have accessed the portal should use it as their entry to Desire2learn. They log into the portal, click on the Student tab, and then click on “ppccConnect” under D2L. This will take them directly to their D2L home page.
3. Students who have accessed the portal (and thus changed their password) will have to use the new password if they go to D2L directly by typing the URL or through their bookmarks. The old PIN will no longer work. Fabrizio is adding an explanation about this to the D2L login page, but we wanted you to know about it in case you get questions.

Cada vez que se inicia la sesión nos pide el nombre de usuario y la contraseña, eso es muy útil cuando son varias las personas las que tienen acceso al ordenador, pero algo incómodo si el ordenador es también de uso personal o bien deseamos tener un acceso para visitantes.

Para evitar de introducir cada vez los datos, a continuación encontraréis como iniciar la sesión de arranque automáticamente.

Hay que tener en cuenta que configurar el inicio automático solo lo puede hacer el administrador del equipo.

Primero debemos abrir el  Menú de inicio, lo podemos hacer rápidamente pulsando simultáneamente Windows + R.

En el recuadro de búsqueda hay que escribir netplwiz y pulsar Enter.

Seguidamente hay que hacer clic en el nombre de cuenta del usuario, de manera que quede resaltado, al que se permite el inicio automático.

Ahora con el mouse hay que desactivar el recuadro que indica: Los usuarios deben introducir un nombre de usuario y contraseña para usar este equipo. (tal como se muestra en la imagen).

Pulsamos Aplicar, y el sistema nos pedirá confirmar la clave del usuario que previamente hemos resaltado (de esa forma deshabilitaremos que al iniciar sesión nos pida los datos). Una vez hecho esto pulsamos Aceptar y el proceso habrá finalizado.

So you want a database of users, giving each one a username and password so that they can log into your website. There are lots of different ways you can do this. The simpler you make it the simpler it is to hack. So let’s make it difficult!

The Easy Way
The simplest way to accomplish the above is this:

1. Take the user name and password.
2. Put it in the database.
3. When they try to log in do something like this: “SELECT Count(id) FROM users WHERE username=’$givenusername’ AND password=’$givenpassword’”
4. if $row[0] is > 0 then the credentials are valid and the user can be logged in.

This seems simple enough. Not very secure though. What if someone gains access to the database? They can instantly look up a user, find out their password and log in as them with no-one being any the wiser. Fair enough, you might think, but if someone’s looking at my database then there are bigger security problems to worry about than the log in. You’d have a point. Let’s say that you have a mate, Dave, who owns the server but doesn’t run the website. He has access to the database, finds the passwords and decides to be a prankster. Well done, Dave. Very funny. We need some extra security, I think.

A Little Harder.
So, we want to make it so that, even if someone can see what’s stored in the database, they can’t use it to log into the site. So what we can do is make a hash of the password and store that in the database instead of the plaintext password. A making a hash means taking the original string and applying some algorithm which results in a seemingly random string of characters. This string then cannot be transformed back into the original string. This is also sometimes known as one-way encryption, because it can be encrypted but not decrypted. NOTE: There are a lot of different hash algorithms, many of which are available in PHP. For the following examples I will use the SHA256 algorithm. There are lots of different hash algorithms about, I’ll let you figure out which one to use (hint: MD5 is pretty weak. SHA1 is probably OK for now, but you may as well use something stronger, it’s not hard!).

So now our process looks like this:

1. Take the username and hashed password.
2. Put them in the database.
3. When someone logs in make a hash of the password.
4. Do something like this: “SELECT Count(id) FROM users WHERE username=’$givenusername’ AND password=’$hashofgivenpassword’”
5. If $row[0] > 0 then they’re allowed in.

So now people can’t see the passwords even if they gain access to your database! Brilliant! So now we’re totally secure, right? Sure, unless the potential hacker has a rainbow table. What’s a rainbow table? Are you talking to yourself? Yes. Ok.

Rainbow Tables
“What’s a rainbow table,” I hear myself ask. Imagine you wanted an easy way to figure out passwords from their hashes so that you could easily break into websites secured using our method above. What would you do? Well, for a start you could make a lookup table for common hash functions so that you look up the hash and find strings that they are made from. That would make it easy, wouldn’t it? Yes, it would. Yes, people do it. And, yes, that’s what a rainbow table is.

So how do we prevent someone from doing that? Well, for practical reasons rainbow tables only exist up to a certain length of input string. Let’s do some maths to illustrate. Let’s say we have 26 lower case letters, 26 upper case letters, 10 numeric digits, and 10 special characters from which we can create our password. That’s 72 characters in all. So for a string of length 1 we have 72 possibilities. For length 2 we have 72×72. Let’s make PHP work it out for us:

$chars = 72;
$max = 10;
for ($x=1;$x<$max;$x++){
	$result = pow(72, $x);
	echo $x . ' = ' . number_format($result, 2) . '<br>';
}

Result:
1 = 72
2 = 5,184
3 = 373,248
4 = 26,873,856
5 = 1,934,917,632
6 = 139,314,069,504
7 = 10,030,613,004,288
8 = 722,204,136,308,736
9 = 51,998,697,814,228,992

So, if the password is 9 characters long then there will be several million million possibilities. This means that to store the rainbow table for all these hashes someone would need several petabytes of storage.

So, what? Only allow passwords over 9 characters long? Well that would help security overall, but it’s not the most elegant solution. For that we’re gonna need some salt.

At this point, you may be thinking “Really? Is it worth it?” and you’d have a point. Someone would already have to gain access to your database and spend however long it takes finding results in a rainbow table. When all’s said and done it depends on how secure you want to be. For a personal website you could probably get away with the above. However, if you’ve got a reasonably big user-base it’s nice to know that even if someone does hack their way in and has all the data laid out in front of them, they still wouldn’t be able to figure out the passwords. It doesn’t take much more to add that extra level of security. It’s also worth bearing in mind that there are plenty of people out there who would do it just because they can. The fact that your website is boring as hell and only contains information that you are interested in doesn’t mean that no-one will try and hack it.

Mmmm, Salty: The Hard Way
To make it harder (or, hopefully, impossible) to find the password from the hash we add a salt to the password before we run it through the hash function. In fact, for the best security we use two salts – one we’ll keep the same from user to user (we’ll call this $master_salt) and one which will be generated per-user (we’ll call this $user_salt).

So what’s the process now?

1. Take the username and password.
2. Hash the password.
3. Create a $user_salt by making a random number and hashing it.
4. Concatenate them together ($master_salt . $hashed_password . $user_salt). This gives us one very long string of random numbers and letters.
5. Make a hash of this string.
6. Store this hash and the user hash in the database.
7. When the user logs in, look up the user hash.
8. Make a hash of the given password.
9. Concatenate these together in the same way as when the password was made.
10. Try and get a row from the database: “SELECT Count(id) FROM users WHERE username = ‘givenusername’ AND password = ‘biglonghashthatwejustmade’”
11. If $row[0] > 1 then they’re allowed in

As you can see there a lot more steps, but once you get your head around what’s actually happening it’s not that much more difficult.

Bear in mind that you don’t have to use the exact method as above, you can always obfuscate it even more. Some people use a hash of the username as the $user_hash. And then add 7. And hash it three more times using different algorithms. And write it backwards. It’s up to you.

Hopefully that makes some sense. I’ve now written more on the subject that I did for my entire A-levels, so I hope it was worth it!

Hash Algorithms
PHP includes a lot of different algorithms for hashing. I’ve written a little script to give you an idea of what they all look like. It’s also quite useful if you need to make one-off hash by hand.

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
	$input = $_POST['input'];
	foreach (hash_algos() as $algo){
		echo '<b>' . $algo . ':</b> ' . hash($algo, $input) . '<br>';
	}
} ?>
<form action="#" method="post">
	<input type="text" name="input">
	<input type="submit" name="submit" value="submit">
</form>

Just type a word into the box and you’ll be a shown a list of all all the hashes available from your PHP installation. Lovely job!

Si tenemos un servidor remoto al que accedemos a través de SSH una forma mas fácil y segura de acceder es utilizando claves RSA en vez de contraseñas.
Las claves RSA son en realidad claves asimétricas por lo que se usan claves distintas para encriptar y desencriptar. Por esto cuando hablamos de claves RSA en realidad nos referimos a parejas de claves: una publica y otra privada.
En nuestro caso empezaremos generando nuestras claves RSA, para esto ejecutaremos el comando:

$ ssh-keygen

Por defecto este comando nos genera claves de tipo RSA de 2048 bits. Respondiendo a todo con las opciones por defecto nos habrá generado 2 ficheros dentro de la carpeta ~/.shh:

• id_rsa: clave privada
• id_rsa.pub: clave publica

El siguiente paso consiste en copiar la clave publica a la maquina remota a la que queremos poder conectar sin contraseña. La forma mas sencilla seria con el comando scp desde la maquina local:

$ scp ~/.ssh/id_rsa.pub usuarioremoto@maquinaremota:~

Ahora tenemos que acceder a la maquina remota y desde allí añadir nuestra clave publica al fichero ~/.ssh/authorized_keys, para esto ejecutamos el siguiente comando en la maquina remota:

$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

Con esto ya deberíamos ser capaces de acceder a la maquina remota desde nuestra maquina local sin introducir la contraseña, para comprobarlo ejecutamos:

$ ssh usuarioremoto@maquinaremota

Y ya deberíamos estar conectados en la maquina remota sin que nos pregunte la contraseña.

There are so many tutorials to be found with Google.

I chose this for my first exercise with PHPMYADMIN

NOTE: This following link showed me how to EMBED code within my WordPress blog so that it will be displayed but not executed.

http://en.support.wordpress.com/code/posting-source-code/

http://www.phpeasystep.com/phptu/6.html

This morning by 6 a.m. I got to the point where PHPMYADMIN would come up in the browser by entering

http://localhost/phpmyadmin

(dont enter this in your browser because it only works on my machine, attaching to my local apache webserver)

After successfully logging into PHPMYADMIN which was not easy to figure out, and took many google searches, I was able to ADD
myself as a superuser with all powers in MySQL.

Next, I logged out and logged back in with my user name and password.

The first think I did was create a new database called “test” because that’s what this particular tutorial uses.

The tutorial provides me with the code to CREATE a table called “members”

CREATE TABLE `members` (
`id` int(4) NOT NULL auto_increment,
`username` varchar(65) NOT NULL default ”,
`password` varchar(65) NOT NULL default ”,
PRIMARY KEY (`id`)
) TYPE=MyISAM AUTO_INCREMENT=2 ;

and then to insert one member row with the following code

INSERT INTO `members` VALUES (1, ‘john’, ‘1234′);

PHPADMIN HAS A WINDOW where I can copy and paste tutorial code and then execute it, so it is all pretty easy. The hard part is to learn it well enough to one day do it without tutorial instructions or notes or copy and paste.

My next task is to create a file in /var/www
called “main_login.php”

I need to use the TERMINAL to do this, and I must issue each command preceded by “sudo” which will prompt me initially for my password, to prove I have rights to modify the Ubuntu system.

One of the first things I do after Ubuntu is configured is add TERMINAL to the launch pad at the top of the Ubuntu Desktop.

APPLICATIONS -> ACCESSORIES -> TERMINAL (right click) -> ADD THIS LAUNCHER TO PANEL

ALWAYS REMEMBER THAT in TERMINAL if you have copied something and you want to PASTE IT, you position your cursor inside TERMINAL, click EDIT and select PASTE. CTRL V will not work
in TERMINAL

Enter TERMINAL

sudo gedit /var/www/main_login.php

The GEDIT window will now open up and I can paste the following code from the tutorial:

PASTE THE FOLLOWING CODE:

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>

<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td></td>
</tr>
</table>
</td>

</tr>
</table>
</code>

I save and close GEDIT and next I create a second php page:

sudo gedit /var/www/check_login.php

Again, the GEDIT window opens and I paste the code, BUT obviously I MUST CHANGE name and password in the example to MY name and MY password.

 ############### Code

<?php
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

I click SAVE and quit GEDIT

NEXT,

sudo gedit /var/www/login_success.php

copy and paste this code:

############### Code

// Check if session is not registered , redirect back to main page.
// Put this code in first line of web page.
<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>

<html>
<body>
Login Successful
</body>
</html>

SAVE and QUIT

sudo gedit /var/www/logout.php

PASTE THIS CODE:

// Put this code in first line of web page.
<?
session_start();
session_destroy();
?>

SAVE AND QUIT

NEXT:

sudo gedit /var/www/checklogin.php

############### Code

<?php
ob_start();
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

SAVE and QUIT

Vi utilidade em escrever este post quando li a notícia que divulgava a password mais comum utilizada no Hotmail: 123456, entre outros dados semi-preocupantes.

Deixo então algumas práticas que podem tornar as vossas contas mais seguras:

1. Não escolher a password 123456.
É a mais comum. A primeira que alguém experimentará quando tentar violar a vossa conta. O mesmo é válido para outras passwords óbvias como número de telefone, nome do/a namorado/a, do bichinho de estimação, etc.

2. Passwords com mais de 6 caracteres.
Quanto mais melhor, mas não é preciso cair no exagero. Algumas plataformas limitam o número de caracteres.

3. Passwords com caracteres diferentes: números, letras e, se possível, símbolos/pontuação (#,.!).
Algumas plataformas não permitem a utilização de símbolos, ou mesmo de dígitos, mas é uma questão se experimentar, pois aumenta exponencialmente o grau de segurança da password.

4. Aleatoriedade
Em vez de uma palavra, uma combinação de caracteres que à partida não faça sentido.
Por ex: TH192#.

5. Passwords diferentes para plataformas diferentes.
Não vá alguém descobrir o vosso login para o Hotmail e a parti daí conseguir entrar em todos os restantes sites onde tenham conta.

login

signup

Hey CP Surfers! There is a new Club Penguin Screen on the Login page. Check it out!

Pretty cool! It’s all about Card-Jitsu Fire! But I have one question. Why Fire? I mean, Are they gonna find a Geyser and make a game called Card-Jitsu Water? Or a Mountin Top and call it Card-Jitsu Ice? What do you think?

~Qx4 Penpal

Follow Qx4 Penpal On Twitter!

Tutorial Note: I was actually going to do an AJAX version but when I built and tested it I realised that there are still too many security holes. The most sure way to pass data is through the form POST itself and not through a 3rd party AJAX even if you are using JQuery to emulate POST (some advice for Joost there).

This tutorial will show the reader how to create a login and register (along with session management) script which implements medium level security. As a disclaimer I do state that (as noted in the headline) I do not endorse this as a super secure script and never will, however, security tips are welcome and will be appreciated. This script is intended for sites that do not need to store credit card details and such like. If you need to store details that could compromise users financial details then please look into SSL and stronger encryption and tougher rules on remembering users. I have not made a heavy script as heavy scripts do drain server resources and I don’t really need a heavy script (not making a shopping website).

First of all I would like the explain that most of this script came from a brilliant post on Dev Shed. I did heavily modify the script in places but if it wasn’t for Dev Shed I still would not have a clue how to make a decent login and user management script. Make sure to check out their tutorial here. This tutorial is, however, a bit broken in the sense that it takes quite some playing around to understand how it all works.

Okay, let us begin with setting up the server itself. If you want to replicate my example you will need extra components explained here. I will explain the main extension we need right now so that those who wish to just understand the script itself can without having to read an entirely new post before continuing with this one.

Let’s set-up the database now. We wish to add these tables to the DB:

--
-- Table structure for table `tblipbanned`
--

CREATE TABLE IF NOT EXISTS `tblipbanned` (
  `IP` varchar(25) NOT NULL,
  `TimeStamp` timestamp NOT NULL default CURRENT_TIMESTAMP,
  PRIMARY KEY  (`IP`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Table structure for table `tbllogrecords`
--

CREATE TABLE IF NOT EXISTS `tbllogrecords` (
  `LoginID` int(11) NOT NULL auto_increment,
  `Username` varchar(250) NOT NULL,
  `TimeStamp` timestamp NOT NULL default CURRENT_TIMESTAMP,
  `IP` varchar(50) NOT NULL,
  `Successful` varchar(2) NOT NULL,
  PRIMARY KEY  (`LoginID`,`Username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

--
-- Table structure for table `tbluser`
--

CREATE TABLE IF NOT EXISTS `tbluser` (
  `UserID` int(11) NOT NULL auto_increment,
  `Username` varchar(50) NOT NULL,
  `Password` varchar(250) NOT NULL,
  `Email` varchar(250) NOT NULL,
  `DateJoined` timestamp NOT NULL default CURRENT_TIMESTAMP,
  `cookie` tinyint(1) NOT NULL default '0',
  `session` varchar(250) default NULL,
  `ip` varchar(250) default NULL,
  `Locked` varchar(6) NOT NULL default 'false',
  `Banned` varchar(6) NOT NULL default 'false',
  PRIMARY KEY  (`UserID`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

Now a quick explanation on the tables. Most fields are self explanatory however, there may be a few that gets you thinking. There are a couple of redundant fields here since they allow for expansion of the script to cover more security issues. I believe the only table I really need to explain is “tbluser”, everything from cookie down needs explanation:

• cookie – This represents the presence of a cookie for remembering the user if they chose to be remembered (this is currently a redundant field, easy to utilise however).
• session – This represents the session_id php variable which allow us to attach the user to one and only one session, good for shared server security.
• ip – This allows us to log only one IP for the user, again good for security
• Locked – This represents whether or not the account has been temporarily locked from being able to login.
• Banned – This represents whether or not the account has been banned

The main extension I use within this script is mcrypt. Let me explain a few things before I continue with my discussion on mcrypt:

• MD5 is NOT encryption
• MD5 is NOT secure
• MD5 IS NOT ENCRYPTION…..GET IT?!!!!

I would strongly recommend never using md5 on a password. The purpose of md5 is to create a hash which displays (effectively) the sum of a files or words components. Yes, true, with m it is easy to get h but with h its hard to get m but not almost impossible and hackers can have your passwords in a matter of days. Let me sum up what md5 hash is in an example:

A website displays a file and a md5 hash. This md5 hash represents the correct md5 that should be formed should the file be real.

Md5 hash is nothing more than a check….does it sounds so secure now? Mcrypt overcomes this problem by providing encryption.

To install mcrypt you need to go to terminal and type:

sudo apt-get install php5-mcrypt

Once this is done you are ready to use mcrypt (don’t you just love how easy Linux is?).

Okay, I will now paste the source code to the session management script I use. After I will talk about login and registration.

<?php

	#filename: User.php

	#---------------------------------------------------------
	#	This file contains all the needed operations to manage
	#	user connections to the server.
	#
	#	Added security has been put into place to ensure saftey:
	#
	#		Session, database and cookie checking of sessions
	#		256 encryption of all passwords and unsetting of variables
	#			to ensure they are not left in buffer
	#		Log of attempted logins kept for logging purposes
	#		Locking of accounts which breach security protocols
	#		Safe gaurds against SQL injections (they get their hack
	#			as their username =P, serves them right, BIATCHES)
	#		And other added methods for ensuring smooth running at all times.
	#
	#
	#	Have fun and remember stay safe, stay paranoid.
	#---------------------------------------------------------

//class def
class User {	

	var $db = null; // PEAR::DB pointer
	var $failed = false; // failed login attempt
	var $date; // current date GMT
	var $id = 0; // the current user's id
	var $myKey = '';
	var $ip = '';
	var $msg = "&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;nbsp;";	

	//class function
	function User(&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;$db) {
		$this->db = $db;
		$this->date = $GLOBALS['date'];
		$this->myKey = "54M_i1lM4N";
		$this->ip = $_SERVER['REMOTE_ADDR'];
		$this->msg = "&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;nbsp;";
		//this is done every time a page is loaded
		if ($_SESSION['logged']) {
			//check the logged in user (mainly security checks)
			$this->_checkSession();
		} elseif ( isset($_COOKIE['stagex']) ) {
			//check for a cookie (this cookie is not persistent, it deletes on browser close)
			$this->_checkCookie($_COOKIE['stagex']);
		}
		if (!isset($_SESSION['uid']) ) {
			//if user aint logged in just set session variables to some null value.
			$this->session_defaults();
		}
	}

	//*************************
	// Basic Functions
	//*************************

	//check for banned IP
	function _banIP($banIp){

		$sql = "INSERT INTO tblipbanned(IP) VALUES($banIp)";
		$this->db->query($sql);
	}

	//log the login attempt
	function _logAttempt($username, $successful){

		//this section will help the admin keep track of logs. This is especially useful in reports of hacker    		attacks.

		//make safe the variables, stop that poisoning
		$this->db->quote($successful);

		//write it to db
		$sql = "INSERT INTO tbllogrecords(Username, IP, Successful) VALUES($username, '$this->ip', $successful)";	

		$this->db->query($sql);
	}

	//*****************
	// Encryption
	//*****************

	#Ooh kinky
	//this is the encryption. lindecrypt decrypts the pw whilst linEncrypt encrypts the pw
	function lindecrypt($enpass) {
		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
		$decryptedpass = mcrypt_decrypt (MCRYPT_RIJNDAEL_256, $this->mykey, $enpass, MCRYPT_MODE_ECB, $iv);
		return rtrim($decryptedpass);
	}

	function getEncryptedPass($pass){
		return $this->linEncrypt($pass);
	}

	#Ooh spank me thrice and hand me to ma mamma
	function linEncrypt($pass) {
		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); //Creating the vector
		$cryptedpass = mcrypt_encrypt (MCRYPT_RIJNDAEL_256, $this->mykey, $pass, MCRYPT_MODE_ECB, $iv);
		return $cryptedpass;
	}	

	function session_defaults() {
		//write to db or do nothing
		$_SESSION['logged'] = false;
		$_SESSION['uid'] = 0;
		$_SESSION['username'] = '';
		$_SESSION['cookie'] = 0;
		$_SESSION['remember'] = false;
	}

	//*****************
	// Error Handlers
	//*****************	

	//is account locked?
	function _isLocked($username){

		$username = $this->db->quote($username);
		//can I access my account?
		$sql = "SELECT * FROM tbluser WHERE " .
		"Username = $username";

		$result = $this->db->getRow($sql);

		//has account been disabled
		if ($result->Locked) {
			return true;
		}else{
			//phew
			return false;
		}
	}

	//is account banned?
	function _isBanned($username){

		$username = $this->db->quote($username);
		//can I access my account?
		$sql = "SELECT * FROM tbluser WHERE " .
		"Username = $username";

		$result = $this->db->getRow($sql);

		//has account been banned?
		if ($result->Banned) {
			return true;
		}else{
			//phew, better luck next time admin
			return false;
		}
	}

	//is ip banned?
	function _isIPBanned(){
		//check with the db
		$sql = "SELECT * FROM tblipbanned WHERE " .
		"IP = '$this->ip'";

		$result = $this->db->getRow($sql);

		if( is_object($result) ){
			return true;
		}
	}

	function _getFailed(){
		return failed;
	}

	//error check to see if user exist
	function _userExist($username){

		$username = $this->db->quote($username);

		$sql = "SELECT * FROM tbluser WHERE " .
			"(Username = $username)";

		$result = $this->db->getRow($sql);

		if (is_object($result) ) {
			return true;
		}
	}

	//error check to see if email exist
	function _emailExist($email){
		$email = $this->db->quote($email);

		$sql = "SELECT * FROM tbluser WHERE " .
			"(Email = $email)";

		$result = $this->db->getRow($sql);

		if (is_object($result) ) {
			return true;
		}
	}

	//***************
	// Actual Script
	//***************

	//check a user login (post login)
	function _checkLogin($username, $password, $remember) {
		//check ip ban catalogue
			$sql = "SELECT * FROM tblipbanned WHERE " .
				"(IP = '$this->ip')";			

			$result = $this->db->getRow($sql);

			if(is_object($result)){
				return false;
			}

		$unquotedUser = $username;

		//prepare the variables
		$username = $this->db->quote($username);
		$password = $this->db->quote($password);
		$password = $this->db->quote($this->getEncryptedPass($password));

			$sql = "SELECT * FROM tbluser WHERE " .
			"Username = $username AND " .
			"Password = $password";

			$result = $this->db->getRow($sql);

			//has account been disabled?
			if($result->Banned == "false" &amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp; $result->Locked == "false"){
				//does this user already exist as a logged user?
				if ( is_object($result) ) {
					$this->_logAttempt($username, true);
					$this->_setSession($result, $remember);
					setcookie("stagex", $unquotedUser);
					return true;
				} else {
					//write to login table for record keeping
					$this->_logAttempt($username, false);
					$this->failed = true;
					$this->_logout();
					return false;
				}
			}else{
				return false;
			}
	} 

	//set the session if login check succeeds
	function _setSession(&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;$values, $remember, $init = true) {
		//write to db
		$this->id = $values->UserID;
		$_SESSION['uid'] = $this->id;
		$_SESSION['username'] = htmlspecialchars($values->Username);
		$_SESSION['cookie'] = $values->cookie;
		$_SESSION['logged'] = true;

		if ($init) {

			$session = $this->db->quote(session_id());

			$sql = "UPDATE tbluser SET session = $session, ip = '$this->ip' WHERE " .
			"UserID = $this->id";
			$this->db->query($sql);
		}
	} 

	//check cookie contents
	function _checkCookie($cookie){
		if(!$cookie) return;

		$cookie = $this->db->quote($cookie);

		$sql = "SELECT * FROM tbluser WHERE " .
			"Username = $cookie";

		$result = $this->db->getRow($sql);

		if(is_object($result)){
			$this->_setSession($result, true);
		}
	}

	//destroy cookie prematurely
	function _destroyCookie(){
		setcookie("stagex", "", time() - 3600);
	}

	//check user session
	function _checkSession() {
		$username = $this->db->quote($_SESSION['username']);
		$cookie = $this->db->quote($_SESSION['cookie']);
		$session = $this->db->quote(session_id());
		$thiip = $this->db->quote($_SERVER['REMOTE_ADDR']);

		$sql = "SELECT * FROM tbluser WHERE " .
		"Username = $username AND " .
		"session = $session AND (ip = $thiip)";

		$result = $this->db->getRow($sql);

		if (is_object($result) ) {
			$this->_setSession($result, false, false);
		} else {
			$this->_logout();
		}
	} 

	//log the user out
	function _logout(){
		session_unset();
		$id = session_id();
		session_regenerate_id();

		$this->session_defaults();
		$newid = $this->db->quote($id);
        $sql = "DELETE FROM `sessions` WHERE `session_id` = $newid";

       //and again
       $this->db->query($sql);
       $this->_destroyCookie();
       return true;
	}

	//register da user
	function _registerUser($username, $password, $email, $c_Origin, $g_Sex, $b_yearBirth){

		if(!$_SESSION['logged']){
			$unquotedpw = $password;
			$unquotedusername = $username;
			//quote the data so no injections
			$country = $this->db->quote($c_Origin);
			$gender = $this->db->quote($g_Sex);
			$birthyear = $this->db->quote($b_yearBirth);
			$username = $this->db->quote($username);
			$password = $this->db->quote($password);
			$email = $this->db->quote($email);

			$sql = "SELECT * FROM tblipbanned WHERE " .
				"(IP = '$ip')";			

			$result = $this->db->getRow($sql);

			if(is_object($result)){
				return false;
			}

			//check duplicate users
			$sql = "SELECT * FROM tbluser WHERE " .
				"(Username = $username)";

			$result = $this->db->getRow($sql);

			if (is_object($result) ) {
				return false;

			} else {

				//make checking for duplicate emails seperate transaction to loop through table again
				//without user variable having an effect on results.
				$emailSql = "SELECT * FROM tbluser WHERE " .
				"(Email = $email)";

				$emailResult = $this->db->getRow($emailSql);

				if(is_object($emailResult)){
					return false;
				}
			}

			//encrypt pw
			$encryptedpw = $this->db->quote($this->getEncryptedPass($password));

			//write to db
			$insertSql = "INSERT INTO tbluser(Username, Password, Email, Country, Gender, BirthYear) VALUES($username, $encryptedpw, $email, $country, $gender, $birthyear)";
			$this->db->query($insertSql);

			//log user in
			if($this->_checkLogin($unquotedusername,$unquotedpw,$_SESSION['cookie'])){
				return true;
			}else{
				return false;
			}
		}else{
			return false;
		}
	}

	//recover da details
    function _recoverDetails($userEmail){

        $sql = "SELECT * FROM tbluser WHERE Email = $userEmail";

        $result = $this->db->getRow($sql);

        if (is_object($result)){
          $to      = $userEmail;
          $subject = 'Your StageX Account Details';
          $message = 'hello '.$result->Username.'\nShown below are your account details for the StageX video site.\nUsername: '.$result->Username.'\nPassword: '.$this->lindecrypt($result->Password).'\nWe would like to strongely recommend that you change your password upon logging into the site.\nThank you\nStageX Team';
          $headers = 'From: no-reply@stagex.com';
          mail($to,$subject,$message,$headers);
          return true;
        }else{
          return false;
        }
    }
?>

I just drew up the recover details function very quickly, however, it is correct (just needs the information within it updating). This is the user.php script this controls how the user is seen on the site, whether a guest or a registered user or even maybe administrator.

The comments should explain the script well enough so now I will move onto logging in/out and registering. I will begin with the simplest of script, logout:

<?php
//header includes the include method for user class and instantiating the user class
include('includes/header.php');

	//access the user class function _logout
	$user->_logout();
       //redirect home
	   header("Location: index.php");

?>

And for the login:

<?php
require_once('includes/header.php');

//ignore this I will add a post about checking empty post fields on the fly soon.
$req_fields = array("txtUserId"=>"Username", "txtPassword"=>"Password");

//I just called the button on my login form any old piece of crap
if(isset($_POST['Loginforuserthingy'])){
	//if not logged in
	if(!$_SESSION['logged']){
		if(check_empty_fields()){
			//access user class _checklogin to check the login
			if($user->_checkLogin($_POST["txtUserId"], $_POST["txtPassword"], false)){
				header("Location: usrcp?home.php");
			}else{
				//understand what error was thrown
				if($user->_isIPBanned()){
					$smarty->assign('loginError', "Your IP has been banned. If this has been done in mistake please contact the administrator.");
				}
				if($user->_getFailed()){
					$smarty->assign('loginError', "Incorrect Username or Password provided.");
				}elseif($user->_isLocked($_POST['txtUserId'])){
					$error = "Your account has been locked. Please contact an administrator.";
					$smarty->assign('loginError', $error);
				}elseif($user->_isBanned($_POST['txtUserId'])){
					$smarty->assign('loginError', "Your account has been banned. It is also possible that your IP has been banned, however ,you can try registering again hoping it isn't.");
				}

			}
		}else{
			$smarty->assign('loginError', $msg);
		}
	}else{
		header("Location: usrcp.php?home");
	}
}

//if logged in
if($_SESSION['logged']){
	header("Location: usrcp.php?home");
}else{
	$smarty->display('login.php');
}

?>

In order to use login and logout you need a index.php with some text that only the user can see. When the user is logged in there is a link that redirects the user to the logout page. That logout page then logs them out. The login page would contain 3 elements, a username box “txtUserId”, a password box “txtPassword” and a button which I have conveniently named “Loginforuserthingy”. The form then redirects to this page and that’s how the login page works.

This would be very, very, very easy to update as an AJAX page. You would just have a JQuery AJAX method (JQuery is best for AJAX has many extras outside of normal AJAX coding) which then polls the login.php script you see above. This page would return a JSON response depending on whether there was an error or not. If you want this script posted just say so (I might post it anyway). This same rule with AJAX applies to the registration page too.

I’m going to skip a bit on registration page since the login shows the full extent of checks and so I’m just going to cut to the chase.

			    if($user->_registerUser($username, $password, $email, $country, $gender, $birthyear)){
				    header("Location: usrcp.php");
			    }else{
				    if($user->_isIPBanned()){
					    $smarty->assign('registerError', "Your IP has been banned. If this has been done in mistake please contact the administrator.");
				    }elseif($user->_userExist($username)){
					    $smarty->assign('registerError', "That username already exists please choose another. Be sure to use the inbuilt username checker before you post this form.");
					    $smarty->assign('user', '');
				    }elseif($user->_emailExist($email)){
					    $smarty->assign('registerError', "That email is already registered. Please either use account recovery or another email.");
					    $smarty->assign('email', '');
					    $smarty->assign('conemail', '');
			    }

You can see I use _registerUser method to register the user supplying the different variables as needed. If the registration fails I once again (just like the login script) seek the reason.

So now with the new knowledge at hand you should be able to create some sort of security on your login scripts, however, don’t be fooled this is not a secure script and if you ask me there is no such thing.

After a week of back and forth helping a client figure out what her website hosting account access information is and how to interpret the responses of the hosting company staff, I thought I’d write a quick post about it. For those of you who have a website, want to edit it but don’t know how, here are some quick & easy questions to ask your hosting company or website developer:

• what is the contact information for my website developer & hosting company?
• what is my account access information (login username and password) for hosting & domain name?

Once you have the hosting company’s information and your account information, you can start to determine what is the nature of the problem. Some common issues with website editing are:

• How do I figure out which file to edit?
• How can I edit the web pages myself?
• How can I collect names from my website?

If you or someone you know have any of the above questions at the moment, or know you will be addressing these questions in the near future, contact us today for your free situation analysis and suggestions overview.

Fermati! Stai perseverando con un comportamento che potrebbe essere considerato fastidioso o offensivo da altri utenti.