CS 371, Fall 2001
Lab 5a: Authentication and Sessions, Part 1


(Note: Part b of this lab was canceled.)


For this week and next, the lab will be about HTTP sessions and the related idea of authentication. Today, you will do three (hopefully) quick exercises that demonstrate some ways of managing sessions and authentication by hand. Next week, in part 2 of the lab, you will work with PHP sessions. The combined lab report for the two-week lab will be due after next week's lab.


Exercise 1: HTTP Access Control

The Apache Web Server, which we use on all the computers in the lab, is configured by setting a large number of configuration "directives." An interesting feature of the server is the ability to override the global values of some of these directives for a particular directory (and its subdirectories). All you have to do is put a file named .htaccess in the directory and add the directive settings to that file. (The "." at the beginning of the file name means that this is a "hidden" file, so you won't see it in normal directory listings.)

One of the directives that can be overridden on the cslab computers is the one that controls access to the directory. The question is, which computers are allowed to read pages in that directory? If a computer that doesn't have permission tries to access a page in the directory, the server will send back an "access denied" error.

To try this out, create a new directory in your public_html directory, and copy at least one file into it. Create a file named .htaccess in that directory and add the following lines to it:

          Order allow,deny
          Allow from 172.30.217

You will be able to access a page in that directory from Netscape running on any of the cslab computers. However, you will not be able to access it from a browser running on any of the Windows computers on campus. The directive "Order allow,deny" is obscure, but effectively it means that any computer that is not explicitly allowed access will be denied. The Allow directive is used to grant permission to access the directory to a specified set of computers. In this case, access is granted to any computer whose IP address begins with 172.30.217. You can read more about this on the appropriate Apache manual page.

Put a link on your main page to one of the restricted pages on your site, so I can try, and fail, to access it.


Exercise 2: HTTP Authentication

Now suppose that you want to control access to some pages by user name and password. This is known as authentication of the user. While you can do this using PHP, there is actually a form of authentication built into HTTP. You can use .htaccess to set up this type of access control. The setup is a little more complicated than the previous exercise because of the need to maintain a list of users and passwords.

Create another directory in your public_html account, and copy at least two files into it. Create a .htaccess file in that directory and add the following lines to it, with modifications to the parts that are specific to you (for example, the username in the AuthUserFile path):

      AuthType Basic
      Require valid-user
      AuthName "Private Files"
      AuthUserFile /home/username/httpusers

The idea is that when someone tries to access a page in the directory, their Web browser will ask them for a user name and password. The message from the Web browser to the user will contain whatever AuthName you specify in the .htaccess file. For example, it might say "You must enter a user name and password to access Private Files." Once the user enters a user name and password correctly, the Web browser will remember them so that the user won't have to enter them again, as long as the browser continues running.

Unfortunately, for this to work, you also have to set up a file that contains user and password information. This is what the AuthUserFile is for. The file can be anywhere, as long as it is readable by the Web server; it should not be inside public_html, though, since anything there is served to the world. This file has a special format and it is created and maintained using a special command, htpasswd. Assuming that the name of the file is httpusers, you would use the command

         htpasswd -c httpusers eck

to create the file and to add a user named eck. You will be prompted for a password for eck. Set the password to fred. If you want to add more users to the same file, use the same command, but without the "-c". The AuthUserFile in .htaccess must be set to the full path name of the user file.

Once you've done this, use Netscape to access a file in the restricted directory. You should be asked for a user name and password. Once you've entered them, you should be able to visit other pages in the directory without re-entering the user name and password.

If you use this type of access control for a PHP script, then the user name and password of the user will be available in variables named $PHP_AUTH_USER and $PHP_AUTH_PW (in current versions of PHP, which no longer register such globals, the same values are in $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']), so you can find out which user is accessing your page.
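As an added example (not part of the lab handout), here is a PHP script that performs the same HTTP Basic authentication that the .htaccess directives above delegate to Apache, checking the browser's credentials against the httpusers file itself. It assumes the user file was created with "htpasswd -B" (bcrypt hashes, which password_verify() understands) and that the path and realm below match your AuthUserFile and AuthName.

```php
<?php
// Added example, not code from the lab.  Does by hand what "AuthType Basic"
// makes Apache do: challenge the browser, then verify the user name and
// password it sends against the htpasswd file.
// Assumes: file made with "htpasswd -B" (bcrypt); path/realm are placeholders.

define('USER_FILE', '/home/username/httpusers');   // same path as AuthUserFile
define('REALM', 'Private Files');                  // same text as AuthName

// Look up $user in the htpasswd file and verify $password against its hash.
function check_htpasswd(string $file, string $user, string $password): bool {
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false;                     // unreadable file: refuse everyone
    }
    foreach ($lines as $line) {
        [$name, $hash] = explode(':', $line, 2) + [1 => ''];
        if (hash_equals($name, $user)) {
            return password_verify($password, $hash);
        }
    }
    return false;                         // no such user
}

// Send the 401 challenge that makes the browser pop up its login dialog.
function challenge(): void {
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    echo "You must enter a user name and password to access " . REALM . ".";
    exit;
}

// Current PHP delivers the decoded credentials in $_SERVER rather than in
// the $PHP_AUTH_USER / $PHP_AUTH_PW globals mentioned in the lab text.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pw   = $_SERVER['PHP_AUTH_PW']   ?? '';

if ($user === null || !check_htpasswd(USER_FILE, $user, $pw)) {
    challenge();    // no credentials, or wrong ones: ask again
}

// From here on the request is authenticated.
echo "<p>Hello, " . htmlspecialchars($user) . ". These are the private files.</p>";
```

Once the browser has sent credentials that pass check_htpasswd(), it keeps sending them with every request in the realm, which is why you are not asked again for other pages in the directory.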

For more information, you can look for the AuthType and other directives among the list of configuration directives in the Apache manual.

Put a link on your main page to a file that I can access by entering the user name "eck" with the password "fred".


Exercise 3: Using a Session ID Database

When implementing serious sessions by hand in PHP, you generally have a lot of information to store for the session. A typical solution is to keep the data for the session in a row of a database. The primary key for the row serves as a session id. It is usually an auto-incremented int, so that a unique identifier is provided automatically. To carry over the session from one Web page to another, the only information that you need is the session id. All the other information that you need can be retrieved from the database. The session ID can be stored as a cookie, put in hidden fields in forms, or added to URLs.

For this exercise, you will be creating a simple session demo. The only session data will be a name and the number of page visits that the user has made during the session. This is unrealistically simple for real applications. It will also be unrealistic because there is no way to ever delete a session from the database.

You will use cookies to keep track of sessions, even though this means that they will only work if the user has not disabled cookies in their browser.

To implement the session, I have created a table named sessiondata in your database on cslab9. The table has three columns: sid is an auto-incremented column of type int that represents the session id; name is a column of type varchar(50) that stores the user's name; and visits is a column of type int for storing the number of visits.

For the demo, you can use a multipurpose PHP script that can do any of three things: Show a form where the user can register the first time the user visits the page; process the data from the form by creating a session in the database and setting a cookie on the user's computer; and continue a session that has already been set up.

To make things very easy for you, I have partially written the PHP script. This PHP file, /home/cs371/session.php, already has functions that you can call to do all the database operations, plus two utility functions to make it easier to generate the web pages that you send back to the user. You should copy the file /home/cs371/session.php into your public_html directory and edit it there. There are more instructions and hints in the comments in this file. You just have to fill in three sections of the script. Each section will be about six or seven lines. You have to change the username, password, and database name in the open_connection() function in this script so that they are appropriate for your own database.

Note that to send a cookie in PHP, you simply have to call the setCookie() function. For it to work, this function must be called before you output any text, that is, before you start generating the Web page. For this lab, you should create a cookie that will only last until the user exits from the Web browser program. For that, you can call setCookie with two parameters. The first parameter is the name of the cookie and the second is the value of the cookie. The script I wrote assumes that the name of the cookie is "demoSID", so you could set the cookie with a command like: setCookie("demoSID","$sid").
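As an added example (not the /home/cs371/session.php skeleton handed out in the lab), here is a complete version of the three-way session demo against the sessiondata table, written with mysqli prepared statements. The connection parameters are placeholders to replace with your own, and it assumes the mysqlnd driver (for get_result()).

```php
<?php
// Added example, not the lab's session.php.  Three cases in one script:
// (1) show the registration form, (2) process it by creating a session row
// and sending the demoSID cookie, (3) continue a session from the cookie.
$db = new mysqli('cslab9', 'username', 'password', 'databasename'); // placeholders
if ($db->connect_error) {
    die("Could not open the database.");
}

// Insert a row for $name with one visit and return its auto-assigned sid.
function create_session(mysqli $db, string $name): int {
    $stmt = $db->prepare("INSERT INTO sessiondata (name, visits) VALUES (?, 1)");
    $stmt->bind_param('s', $name);          // bound, never spliced into the SQL
    $stmt->execute();
    return $db->insert_id;
}

// Count one more visit for $sid and return its row, or null if no such session.
function continue_session(mysqli $db, int $sid): ?array {
    $stmt = $db->prepare("UPDATE sessiondata SET visits = visits + 1 WHERE sid = ?");
    $stmt->bind_param('i', $sid);
    $stmt->execute();
    $stmt = $db->prepare("SELECT name, visits FROM sessiondata WHERE sid = ?");
    $stmt->bind_param('i', $sid);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$session = null;
if (isset($_POST['name']) && trim($_POST['name']) !== '') {
    // Case 2: form submitted.  Create the row, then set the cookie BEFORE any
    // output.  With no expiry argument the cookie dies when the browser exits.
    $name = trim($_POST['name']);
    setcookie("demoSID", (string) create_session($db, $name));
    $session = ['name' => $name, 'visits' => 1];
} elseif (isset($_COOKIE['demoSID']) && ctype_digit($_COOKIE['demoSID'])) {
    // Case 3: cookie came back.  Only the sid is trusted; name and visits
    // come from the database, not from the client.
    $session = continue_session($db, (int) $_COOKIE['demoSID']);
}

echo "<html><body>\n";                       // output begins only here
if ($session === null) {                     // Case 1, or a cookie for an unknown sid
    echo '<form method="post" action="session.php">Your name: ';
    echo '<input type="text" name="name"> <input type="submit" value="Register"></form>';
} else {
    echo "<p>Hello, " . htmlspecialchars($session['name']) . "! You have visited ";
    echo (int) $session['visits'] . " time(s). <a href=\"session.php\">Visit again</a></p>";
}
echo "</body></html>\n";
```

Because the sid is a small sequential integer, a real application would put a long random token in the cookie and map it to the row, rather than exposing the primary key directly.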

Make a printout of your modified session.php file to turn in. In addition, you should add a link from your main page to the session.php file.


David Eck, October 5, 2001