Editor's Choice: This article has been selected by our editors as an exceptional contribution.

The EE Collaborative Login System - Implementation

Preface

This is the third article about the EE Collaborative Login Project. A Better Website Login System introduces the Login System and shows how to implement a login page. The EE Collaborative Login System Part Two - Design Considerations discusses design considerations and security features.

This article will discuss implementation details. Before we get started, note that the people who worked on this project took great care to remove vulnerabilities from the Login System code.

For it to actually remain secure, you have to kill any vulnerabilities in your site as well. One XSS vulnerability may allow a malicious person to gather the secure session id from one of your legitimate users and hijack that user's account. The library files of the Login System can be put to good use to give you some proven tools to help prevent vulnerabilities in your site.

Introduction

There are several steps to set up the Login System on your website:
1. You must set up a database for the Login System tables,
2. You must download the correct code for your environment,
3. You must copy the files to your website,
4. You must configure the system using the global configuration file, and
5. You must replace the example pages with your web pages incorporating the Login System include files.

1. Database Setup
On the project's Google Code home page you will find an MS Access database file and SQL scripts to set up either an MS SQL Server database or a MySQL database.

MS Access and MS SQL Server only run on MS Windows systems. MySQL runs on MS Windows and many other operating systems.

The ASP code can use all three databases. The PHP code can only use the MySQL database as of this code release (alpha 0.1, 20 APR 2010). PHP on Windows can use MS Access and MS SQL Server, but no database access code has been written for PHP on Windows using those databases.

MS Access

The file must be copied to a directory on your web server. That directory should contain no other files except MS Access database files. The permissions on the database file should be as follows:

Note that special permissions is checked. I believe that is inherited permissions.

To simplify generating the connection string for the file, you can temporarily add the code below as conntest.asp and load it in your browser.

 
Connected to database
Opened Database Okay
1 1
Connections
<%
CONNECTION_STRING = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source='c:\inetpub\wwwroot\login-system\database\login_system.mdb'"
%>


The output from the file should be similar to the above and gives you the connection string to the database. You will need that connection string when configuring the global configuration file.

MS SQL

Download the SQL script. Open the script in a text editor, copy it, and paste it into the query window of your MS SQL Server query tool. As various ISPs use different MS SQL Server administration tools, I have no screen shots to provide. Should you need help with your specific MS SQL Server administration tool, just post a question in one of the MS SQL Server zones here at Experts-Exchange.

Executing the script will create the database. You will get the database connection string details from your ISP or server administrator. It should be similar to:
 
"Provider=SQLOLEDB; Server=servername\instance,1433; UID=webuser; PWD=password; Database=loginproject"

In your database administration program (or by request to your ISP), set up a website user account for the MS SQL database with only the db_datareader and db_datawriter permissions. Do not run the Login System using the database administrator account!

MySQL

Download the SQL script for MySQL. Open the script in a text editor, copy it, and paste it into your SQL query tool. Most ISPs and many in-house servers run phpMyAdmin. From the left column, upper row of icons, choose the SQL icon, which opens the SQL query dialog. Paste the SQL script into the window and press the "Go" button to create the database.

After creating the database, add a user to the database with Read, Write, Insert, and Delete permissions. Many times you can do this in phpMyAdmin. Some ISPs (including the host for this project) disable that functionality and provide alternative methods for creating database users. Do not run the Login System using the database administrator account!
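As an added example (not part of the original article and not one of the project's own scripts), the following SQL creates the least-privilege website account that the MS SQL Server and MySQL sections above call for. The database name loginproject and the user name webuser are taken from the sample connection string above; the password is a placeholder, and the mapping of the article's "Read, Write, Insert, and Delete" onto SELECT, UPDATE, INSERT and DELETE is my assumption.

```sql
-- Added example: a least-privilege database account for the Login System.
-- "loginproject" and "webuser" come from the article's sample connection
-- string; the password is a placeholder you must replace before running.

-- ===== MS SQL Server (run as an administrator; GO is the batch separator
-- ===== understood by Management Studio and sqlcmd) =====
USE [master];
CREATE LOGIN [webuser] WITH PASSWORD = 'REPLACE-WITH-A-STRONG-PASSWORD';
GO
USE [loginproject];
CREATE USER [webuser] FOR LOGIN [webuser];
-- Row read/write only: no DDL rights, no db_owner, no server-level roles.
EXEC sp_addrolemember 'db_datareader', 'webuser';
EXEC sp_addrolemember 'db_datawriter', 'webuser';
-- (SQL Server 2012 and later also accept: ALTER ROLE db_datareader ADD MEMBER webuser;)
GO
-- Check: webuser should appear in db_datareader and db_datawriter and nothing else.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'webuser';
GO

-- ===== MySQL (run as root or the database administrator) =====
-- Assumption: "Read, Write, Insert and Delete" means SELECT, UPDATE, INSERT
-- and DELETE on the Login System's tables only. 'localhost' assumes the web
-- server and MySQL share a host; use the web server's address otherwise.
CREATE USER 'webuser'@'localhost' IDENTIFIED BY 'REPLACE-WITH-A-STRONG-PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON loginproject.* TO 'webuser'@'localhost';
FLUSH PRIVILEGES;
-- Check: the output should show exactly those four privileges on loginproject.*
-- and only USAGE on *.* (no GRANT OPTION, no CREATE/DROP/ALTER, no FILE).
SHOW GRANTS FOR 'webuser'@'localhost';
```

Run only the half that matches your database. Because the web account can neither change the schema nor reach other databases, it limits what any SQL injection flaw elsewhere in the site could do through this connection, which is exactly why the article warns against running the Login System as the database administrator.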

2. Get The Code
Go to the Login System's Google Code project home and select the download tab.

Download the code package for your system in the language of your choice. Open the .zip package and unzip the contents to your local system. Leave the file structure intact.

Note the files in the "login-system" (top level) folder. As we will see below, these are simply example files. They contain a bare bones skeleton markup with the necessary included files to make the page function as well as the code and markup to make sure the page is served as UTF-8 which is necessary for most world languages other than English. You will be changing these files to match your web site.

Now note the files in the login-system\include folder. These files are the code and library files that operate the Login System. You will not modify these files other than the loginGlobals configuration file (and the database file in PHP installations).* Notice that the library file for a page has a hyphen, e.g. change-password.asp. The actual Change Password page in the parent folder uses an underscore, e.g. change_password.asp, to help distinguish between files that otherwise share a name.

* In special circumstances you might make a small change to a markup file, such as the login markup file if you were removing the Remember Me checkbox and related text. These changes are for advanced users. Getting help in a question at Experts-Exchange from an expert experienced with the Login System is suggested in these cases.

3. Upload The Files To Your Web Server
FTP the files to your web server. I suggest you place the login-system folder in the web root folder. While you are free to put the files anywhere on your server and you can use the loginGlobals configuration file to move the folder and files to various locations, this will complicate any future upgrades. It will be much simpler to maintain if you keep the file structure intact.

4. Configure The System Using The Global Configuration File
You need to be careful here. You are going to configure your system by editing the loginGlobals file. For most languages this file must be saved as a UTF-8 file. Make sure your editor of choice can properly save UTF-8 files. For Windows users, DO NOT use Notepad or WordPad. Visual Studio or PSPAD++ (freeware) can properly save UTF-8 files. Notepad says it can save UTF-8 files, but it does not do so properly. For users of other operating systems, open a copy of loginGlobals, make a few changes, save the changed file and re-open it to ensure the text (in particular any non-ASCII characters) is unchanged.

Set the domain in the constant lg_domain (and lg_domain_secure). The second constant is primarily intended for sites using a shared SSL certificate, which may have a different domain name than the main site's domain.

Set the webmaster e-mail address in lg_webmaster_email and lg_webmaster_email_link.

Set the path to the Login System files. Usually you would leave that as "/login-system/", but an advanced user may wish to relocate those files.

Set the full paths and names of the home page, the contact page, the form_error page and the forbidden page. These need not, and probably will not, be in the /login-system/ directory.

Enter the database configuration details you collected above in step 1 (host or path, database catalog, user id and password). These are in the loginGlobals file for ASP code and in the database.php file for PHP code.

Set the options for SSL, debugging, and logging of logins. As delivered, lg_useSSL and lg_debug are set to false. Assuming you have an SSL certificate, you would change lg_useSSL to true and leave lg_debug set to false. lg_debug set to true reveals very sensitive data that is not for public viewing; it should only be enabled if you were asked to do so by an expert assisting you with a problem.

Lastly, lg_log_logins is set to true. This is important so you have an audit trail of activity (in addition to the entries in the loginAttempts table). It is suggested you leave that constant set to true.

5. Replace The Example Pages With Your Web Pages
Above you un-zipped the packaged files. It was noted that the files in the "login-system" (top level) folder are examples to be replaced by your web pages. There is code in the example files you will need to include in your replacement pages. You will need to keep the file names the same.

If you recall from Article 1 you will need to identify the "common content area" of your typical web page. It is likely that most if not all pages share a similar style or "template." You will likely have a page banner, a common navigation menu, and possibly a footer with links to such pages as Copyright, Privacy Policy and Terms of Use. There may be other shared content on your pages, but there is on each page a "common content area."

An examination of the source code for the page shows (abbreviated) the following general markup structure. It is important to note the area above the <!DOCTYPE...> declaration and the area marked WILL INCLUDE MARKUP HERE (bolded in the original) where the main content would appear.
 
WILL INCLUDE SOME FILES HERE
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<title>HTML & DOM Tips And Tutorials</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>

<body>
<div id="topmenu">...</div>
<div id="banner">...</div>
<div id="mainmenu">...</div>
<div id="middle">
  <div id="content">
    <div><a name="main_content"></a>
WILL INCLUDE MARKUP HERE</div>
  </div> <!--content-->
</div> <!--nav-->
  <div id="right">...</div>
</div> <!--middle-->

</body>
</html>


Since we made a PHP login.php page in Article 1, we will make an ASP change_password.asp page in this example. The example page is as follows.
 
<!--METADATA TYPE="typelib" uuid="00000205-0000-0010-8000-00AA006D2EA4" -->
<%
Option Explicit
Session.CodePage=65001
Response.Charset="UTF-8"
%>
<!--#include file="include/loginGlobals.asp"-->
<!--#include file="include/hashSHA1.asp"-->
<!--#include file="include/form_token.asp"-->
<!--#include file="include/generalPurpose.asp"-->
<!--#include file="include/paramSQL.asp"-->
<!--#include file="include/CDOMailInclude.asp"-->
<!--#include file="include/change-password.asp"-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title><%=lg_term_change_password%></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="content-language" content="en-US" />
<meta name="language" content="en-US" />
<meta name="author" content="Roderick Divilbiss" />
<meta name="copyright" content="&copy; 2010 EE Collaborative Login Project http://www.webloginproject.com" />
<style type="text/css">
#details { font-family:Courier New; font-size:10pt; border:1px solid #000000; padding:10px; background-color:#FFE2C6; }
#message { font-size:10pt; padding:10px; background-color:#FFFFCC; border:1px solid #000000; }
#warning { font-size:10pt; font-weight:bold; padding:10px; background-color:#FFFFCC; color:#FF0000; border:1px solid #FF0000; }
</style>
</head>

<body>
<!--#include file="include/change-password-markup.asp"-->
</body>
</html>


The first line,

<!--METADATA TYPE="typelib" ...uuid=... -->

is the type library for Microsoft's database abstraction object, i.e. ADO (ActiveX Data Objects), which is used to access the databases.

The next three lines state we will explicitly declare variables, use the UTF-8 codepage, and use the UTF-8 character set. After these three lines, you may add any ASP code you might need to make your page operate properly.

Following the small block of ASP code (larger if your page needs its own ASP code) we have several included code and library files:
1. The first file is our loginGlobals.asp configuration file.
2. A library to perform SHA1 hashing, as ASP does not have that function.
3. The code for the anti-CSRF token (both writing and checking the token).
4. A general purpose library file: input filtering, generating GUIDs, and verifying that a file exists in the web.
5. A library to abstract parameterized SQL commands (paramSQL.asp).
6. A library to encapsulate sending e-mail via CDO.SYS.
7. The code for the change_password.asp page. (Remember the code file has a hyphen in its name, not an underscore.)
When we copy from our example file into our website's template page, we get:
 
<!--METADATA TYPE="typelib" uuid="00000205-0000-0010-8000-00AA006D2EA4" -->
<%
Option Explicit
Session.CodePage=65001
Response.Charset="UTF-8"
%>
<!--#include file="include/loginGlobals.asp"-->
<!--#include file="include/hashSHA1.asp"-->
<!--#include file="include/form_token.asp"-->
<!--#include file="include/generalPurpose.asp"-->
<!--#include file="include/paramSQL.asp"-->
<!--#include file="include/CDOMailInclude.asp"-->
<!--#include file="include/change-password.asp"-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<title>HTML & DOM Tips And Tutorials</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>

<body>
<div id="topmenu">...</div>
<div id="banner">...</div>
<div id="mainmenu">...</div>
<div id="middle">
  <div id="content"><!--#include file="include/change-password-markup.asp"--></div> <!--content-->
</div> <!--nav-->
  <div id="right">...</div>
</div> <!--middle-->

</body>
</html>


You now have a change_password.asp page.

Summary

In Article 1 I introduced the Login System and demonstrated how to create the login page, very nearly "Plug and Play." In Article 2 I explained the design considerations and security measures taken to avoid XSS, CSRF, SQL Injection, and Session Fixation vulnerabilities, which according to MITRE, SANS and OWASP still plague websites.

In this article I discussed how to set up your database, obtain the correct code for your environment, copy the files to your website, configure the system using the global configuration file, and merge the code from the example pages into your web pages.

You have a good start on having a secure and robust authentication and authorization system. You still have more pages to merge, but it is just cut and paste.

As mentioned at the beginning of this article, you can use the library files from this project in other places in your web site. For example, if you already have a database and are executing dynamic queries on unfiltered form data, you now have the tools to lock those potential vulnerabilities out of your web site. And you might as well add an anti-CSRF token to that form while you're at it.

I hope you are able to put this Login System to good use on your site.

Thanks for your patience as I explained how this project came together and how you can benefit from its resulting code.

Regards,
Rod