Login

This demo shows an example of a web site login mechanism.

How the Log In Works

First, a set of usernames and passwords is stored in a MySQL database. The passwords are stored in the clear (not hashed); this is insecure but sufficient for this demo.

When a user visits the login page they enter a username and password in a form. The values are submitted to the web server, which compares them with the values in the database. If they match, the user is logged in.

Of course, once logged in, the user should not have to log in again for subsequent accesses. Therefore upon login the web server creates a cookie and sends it back to the web browser. On each subsequent access the browser sends the cookie and the server checks that the values are correct for this user, without accessing the database. The cookie contains two values:

  1. Username
  2. Hash of username and a secret value

The secret value is common to the whole website. When the cookie comes back to the web server, the server recomputes the hash of the username and the secret value and checks that it matches the hash in the cookie. The idea is that an attacker who wants to impersonate a logged-in user could guess or find the username, but must also supply the correct hash value, and to compute that they need the secret value, which they don't know because it is secret (known only to the web server, not to any user). This means the server only needs to check the credentials in the database at login, not on each page access, so it's quite fast. Two caveats matter outside a demo: the hash should be a keyed construction such as HMAC rather than a plain hash over the concatenated values, and the secret must be long and random, since anyone who learns it can forge a cookie for any user. Also, because the cookie holds only the username and the hash, it carries no expiry and cannot be revoked: a stolen cookie remains valid until the secret is changed.
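The two steps described above (the credential check against the database at login, then the stateless cookie check on later requests), as an added Python example that is not part of the demo's own code. The demo does not say which hash function it uses or how the username and secret are combined; this example uses HMAC-SHA256 keyed with the secret, stands in a dict for the MySQL users table, and uses a constructed user list and secret. The `username|tag` cookie layout is also an assumption.

```python
import hashlib
import hmac

# Constructed sample "database": a dict standing in for the MySQL users table.
# As in the demo, passwords are stored in the clear (insecure; kept to mirror the demo).
USERS = {
    "alice": "correct horse",
    "bob": "hunter2",
}

# Site-wide secret known only to the server (assumed value; in practice generate
# a long random value and keep it out of source control).
SERVER_SECRET = b"change-me-to-a-long-random-value"


def login(username, password):
    """Step 1: compare submitted credentials with the database. True on match."""
    stored = USERS.get(username)
    if stored is None:
        return False
    # Constant-time comparison so timing does not reveal how much of the password matched.
    return hmac.compare_digest(stored.encode(), password.encode())


def cookie_tag(username, secret=SERVER_SECRET):
    """Keyed hash of the username under the server secret (HMAC-SHA256, hex encoded)."""
    return hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()


def make_cookie(username, secret=SERVER_SECRET):
    """Step 2: after a successful login the server issues 'username|tag'."""
    return f"{username}|{cookie_tag(username, secret)}"


def verify_cookie(cookie, secret=SERVER_SECRET):
    """Step 3: on each later request, recompute the tag and compare it with the one
    presented; no database access is needed. Returns the username if valid, else None."""
    username, sep, tag = cookie.partition("|")
    if not sep or not username:
        return None
    expected = cookie_tag(username, secret)
    # Compare as bytes so a non-ASCII tag is rejected instead of raising.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return username


def forge_cookie(username, guessed_secret):
    """What an attacker who knows a username but not the real secret can produce."""
    return make_cookie(username, guessed_secret)


if __name__ == "__main__":
    if login("alice", "correct horse"):
        cookie = make_cookie("alice")
        print("issued:", cookie)
        print("verified as:", verify_cookie(cookie))
    print("wrong password accepted?", login("alice", "wrong"))
    forged = forge_cookie("alice", b"attacker-guess")
    print("forged cookie accepted?", verify_cookie(forged) is not None)
```

The forged cookie is rejected because the attacker cannot compute the tag without the secret, which is exactly the property the demo relies on. Note what the check does not do: the cookie carries no expiry and no per-session value, so a cookie captured from a real user verifies just as well as the original until the secret is rotated.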

Using This Demo

The login mechanism allows the web server to serve different pages to logged-in (authenticated) users and to unauthenticated users. Once logged in, there is a 'private' page accessible only to authenticated users. See if you can access this page without logging in!
