Final Requirements

Following is the description of the Final Project as received from the instructor, Bruce Linn.

COIN94 Summer 2004
Final Assignment
Due: August 5th, 2004

Your final assignment uses the following two textbook example programs as the starting point:
  • example.8-4.php
  • example.8-5.php
Both of these files are available in the same directory as you found this document.

You will make modifications and additions to these two programs in order to add the new functionality detailed below. For each of the new requirements you will need to add, there are examples in the textbook that you can refer to and model your solutions upon. I've included references to these relevant textbook examples for you.

I. Add a login and authentication procedure to the Customer Details form.

Currently example.8-5.php presents a Customer Details form that allows the user to create a new customer. You will modify this form to allow an existing customer to identify themselves with a username and password. If they successfully log in, you will retrieve their existing customer record information and allow them to edit and update their customer record. Specifically, your program must:

Ia. Manage a username and password for each customer record.
You can use the Email/Username field that's already being collected as the username, but you'll need to add a password field. The password information should be encrypted in the database table.

Ib. Create a separate login form for authentication.
This login form precedes the Customer Details form - the login form allows an existing customer to log in, and also has a "new customer" button that invokes the Customer Details form for a new customer to create an account.

Ic. Use sessions for your authentication system:
The user authentication function must be implemented using a database driven, session based authentication scheme.

What does it mean to have a "database driven authentication scheme"? You must store and manage the username/password information in a MySQL database.

What does it mean to have a "session-based authentication scheme"? You must use PHP sessions to keep track of whether a user has been authenticated or not.

For example, whenever the Customer Details form is called, it first checks to see if the current client has successfully been authenticated (that is, has the user successfully logged in). If so, then that user's customer record is retrieved. The Customer Details form must do this by looking at session variables that the login form has set during the authentication process.

--See example.9-6 and example.9-7 in Chapter 9 "Authentication and Security" of the textbook.
--Also see example.9-8, example.9-9, example.9-10, and example.9-11 for a more detailed example set.

Id. User Functionality of your authentication system:

--If an existing user successfully logs in, the Customer Details form is called, and the correct customer record is retrieved for editing in the Customer Details form.
--If the user fails to log in successfully three times, then the user session is destroyed, and the user receives a "failed to login" message.
--When a new customer is added with the Customer Details form, this new user is added to the database authentication system, and the user receives a confirmation that a new account has been successfully created.
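The login handler for requirements Ia through Id, written as an added example rather than code from the course or the textbook. It assumes a PDO connection, a `customers` table with `email` and `password_hash` columns, and a `customer_details.php` target page; the password is stored as a one-way `password_hash()` digest, which is the form of "encryption" that lets the login verify a password without ever being able to recover it.

```php
<?php
// Added example (not the course's or textbook's code): session-based,
// database-driven login for requirement I. Table/column names are assumed.
session_start();

// Ib/Ic: on success, sets the session variables the Customer Details form checks.
function attempt_login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT customer_id, password_hash FROM customers WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks against the one-way hash stored by Ia; an unknown
    // email takes the same failure path as a wrong password.
    if ($row && password_verify($password, $row['password_hash'])) {
        session_regenerate_id(true);            // new session id once privilege changes
        $_SESSION['authenticated'] = true;
        $_SESSION['customer_id']   = (int) $row['customer_id'];
        unset($_SESSION['failed_logins']);
        return true;
    }

    // Id: count failures in the session; after the third one, destroy the session.
    $_SESSION['failed_logins'] = ($_SESSION['failed_logins'] ?? 0) + 1;
    if ($_SESSION['failed_logins'] >= 3) {
        $_SESSION = [];
        session_destroy();
    }
    return false;
}

// Ia: what the Customer Details form stores when it creates a new customer.
function hash_for_storage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO('mysql:host=localhost;dbname=assignment', 'dbuser', 'dbpass'); // assumed DSN
    if (attempt_login($db, $_POST['email'] ?? '', $_POST['password'] ?? '')) {
        header('Location: customer_details.php');   // assumed page name
        exit;
    }
    // After the third failure the session is gone, so the generic message is shown.
    echo isset($_SESSION['failed_logins'])
        ? 'Login failed, please try again.'
        : 'Failed to login. Your session has been ended.';
}
```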

II. Add client-side validation (JavaScript) to the Customer Details form.

Currently example.8-4.php provides server-side validation for all the Customer Details form fields. You will add client-side, field-at-a-time validation to these form fields. (You will be adding client-side validation, not removing the server-side validation - when you are done you will have both client-side and server-side validation in place).

IIa. Add JavaScript validation routines that validate the Customer Details form. This validation should validate each field as the user exits the field (field-at-a-time validation).

IIb. Report any validation error as soon as it is detected.
Display an error message located near the field containing the invalid entry. The field itself should be given focus so that the user can reenter the field data. You may clear the field, highlight the invalid entry - whatever you think provides the best user experience.

III. Preventing Session Hijacking.

Once you have implemented your session based authentication, make the following improvements to guard against session hijacking:

IIIa. Modify your authentication process to record the IP address of the client browser when the user logs in.

IIIb. Check all subsequent requests in a given session to make sure that the requesting IP address has not changed. If it has changed, report the error, destroy the session, and exit the program.
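A session guard implementing IIIa and IIIb, added here as an example and not taken from the course or textbook. It assumes the login handler has already set `$_SESSION['authenticated']` and calls `bind_session_to_client()` right after a successful login; every page that requires a logged-in user then includes this file at the top.

```php
<?php
// Added example (not the course's or textbook's code): bind the session to the
// client IP at login and refuse any later request from a different address.
session_start();

// IIIa: call from the login handler immediately after a successful login.
// REMOTE_ADDR is the address that connected to the web server; behind a
// reverse proxy it is the proxy's address, so all clients would look alike.
function bind_session_to_client(): void
{
    $_SESSION['client_ip'] = $_SERVER['REMOTE_ADDR'];
}

// IIIb: true while the requesting IP matches the one recorded at login;
// on a mismatch the session is destroyed and false is returned.
function session_client_matches(): bool
{
    if (!isset($_SESSION['client_ip'])) {
        return false;                        // never bound: treat as not logged in
    }
    if ($_SESSION['client_ip'] === $_SERVER['REMOTE_ADDR']) {
        return true;
    }
    // Wipe the server-side data and expire the session cookie in the browser.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return false;
}

// Run the check on every protected page before any customer data is read.
if (empty($_SESSION['authenticated']) || !session_client_matches()) {
    header('HTTP/1.1 403 Forbidden');
    echo 'Session error: this request did not come from the client that logged in.';
    exit;
}
```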

IV. EXTRA CREDIT: Managing Session Information in MySQL
(Refer to Appendix D of the textbook)

Rather than using the PHP default of managing session information in disk files, modify your system to manage the session information within MySQL database tables.

Model your solution closely after the examples in Appendix D. There are several steps and routines that you need to follow and build, but it is actually a straightforward set of tasks.

When you are done, your program should behave exactly the same from a user perspective - the underlying changes to session management should be completely transparent to the Customer Details and Login forms.
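One way to move session storage into MySQL, added as an example that is not the textbook's Appendix D code: a `SessionHandlerInterface` implementation registered with `session_set_save_handler()`, so the Login and Customer Details forms keep using `$_SESSION` unchanged. It assumes PHP 8, a PDO connection, and the `sessions` table whose constructed schema is shown in the comment.

```php
<?php
// Added example (not the textbook's code): keep session data in a MySQL table
// instead of disk files. Assumed table (constructed schema):
//   CREATE TABLE sessions (session_id VARCHAR(128) PRIMARY KEY,
//                          session_data TEXT, last_access INT UNSIGNED);
class MysqlSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool                          { return true; }

    // Called by session_start(); an empty string means "no data stored yet".
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT session_data FROM sessions WHERE session_id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;
    }

    // Called at script end with the serialized $_SESSION; upsert keyed on the id.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (session_id, session_data, last_access) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE session_data = VALUES(session_data),
                                     last_access = VALUES(last_access)');
        return $stmt->execute([$id, $data, time()]);
    }

    // Called by session_destroy(), e.g. after three failed logins or an IP mismatch.
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([$id]);
    }

    // Garbage collection: remove rows idle longer than session.gc_maxlifetime.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_access < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

$db = new PDO('mysql:host=localhost;dbname=assignment', 'dbuser', 'dbpass'); // assumed DSN
session_set_save_handler(new MysqlSessionHandler($db), true);
session_start();   // from here on, $_SESSION works exactly as before
```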