LESSON 6 - COOKIES & ACCESS CONTROL Flashcards
are small pieces of data stored on the client's browser, used to remember information between requests.
Cookies
cookies are managed using the ______ function
setcookie()
allows developers to store user preferences, session identifiers, and other data that need to persist across different pages or visits.
Cookies
an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated.
Cross-site Request Forgery Attacks
exploits a vulnerability in a web application if it cannot differentiate between a request generated by an individual user and a request generated by a user without their consent
Cross-site Request Forgery Attacks
is a critical aspect of web application security, determining what resources a user can access and what operations they can perform.
Access Control
are typically implemented using sessions, user authentication, and role-based authorization mechanisms.
Access Control
are used to maintain user state and data across multiple pages.
Sessions
This is achieved through the ______ function, which initializes a session or resumes the current one based on a session identifier passed via a cookie or URL.
session_start()
Implementing _______ in PHP involves verifying user credentials (such as username and password) against stored data.
User Authentication
This involves defining roles (e.g., admin, editor, viewer) and assigning permissions to these roles.
Role-Based Access Control (RBAC)
PHP frameworks like
Laravel, Symfony, and CodeIgniter
are essential for maintaining state information between web pages and user sessions.
Cookies
To set a cookie in PHP, you use the ______ function. This function should be called before any output is sent to the browser, as it modifies the HTTP headers.
setcookie()
Setting a cookie (syntax):
setcookie(name, value, expire, path, domain, secure, httponly);
name: The name of the cookie.
value: The value of the cookie.
expire: The expiration time of the cookie in Unix timestamp format.
path: The path on the server where the cookie is available.
domain: The domain where the cookie is available.
secure: If true, the cookie is only sent over HTTPS.
httponly: If true, the cookie is only sent in HTTP requests and is not exposed to JavaScript; this prevents client-side scripts from reading its value.
Accessing a cookie is done through the ____ global variable in PHP. Each cookie set by the server can be retrieved by referencing its name in this array.
$_COOKIE
To delete a cookie, you set it with an expiration date in the past. This effectively removes the cookie from the client’s browser.
setcookie("user", "", time() - 3600, "/");
"3600 seconds is equivalent to 1 hour, so the expiry is set 1 hour in the past"
is a method to ensure that users are who they claim to be by verifying their credentials, typically a username and password.
HTTP Authentication
PHP provides functions like password_hash() to create a secure hash of a password. This function uses strong, one-way hashing algorithms and includes built-in salting and stretching (adding computational work to slow down brute-force attacks).
Hashing
PHP provides functions like _______ to create a secure hash of a password.
password_hash()
function hashes the plaintext password using a secure one-way hashing algorithm.
password_hash()
is a constant parameter that uses the strongest algorithm currently available.
PASSWORD_DEFAULT
involves adding a random value (the salt) to a password before hashing it. This prevents attackers from using precomputed tables (rainbow tables) to crack the hashes.
Salting
PHP's _______ function automatically generates a salt and includes it in the resulting hash.
password_hash()
When a user attempts to log in, the stored hash must be compared to the hash of the provided password. This is done using the _______ function.
password_verify()
in PHP are used to store and manage user data across multiple pages, providing a way to maintain state information between HTTP requests. This is essential for creating a seamless user experience in web applications.
Sessions
To start a session in PHP, you use the _______ function. This function initializes a new session or resumes an existing one. It must be called at the beginning of your script before any output is sent to the browser.
session_start()
______ are used to store information to be used across multiple pages. These are used to let the web server know “who you are and what you do”.
Session variables
destroys all of the data associated with the current session; it destroys the whole session rather than destroying the variables
Session Destroy
session_destroy()
deletes only the variables from the session; the session itself still exists.
Session Unset
session_unset()
is crucial to prevent attacks like session hijacking and fixation. Some key practices include regenerating session IDs, using secure cookies, and validating session data.
Session Security
the malicious act of taking control of a user’s web session
Session Hijacking
an attack where an attacker gets the user to log in to an application using a specific session ID. When the user logs in to a web application using that ID, the attacker knows the victim’s valid session ID and can use it to access the user’s account.
Session Fixation
the address people type into a web browser when using the internet
Domain
an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website
Cross-site Scripting Attack (XSS)