Authentication to a website via two arduinos

Hi,
Thanks in advance for any help this receives.

I have two setups consisting of and Arduino UNO and Ethernet v2 Shield (from arduino.org, uses the Ethernet2 library not the standard Ethernet one, Arduino - Home)
These are then hooked up to an adafruit fingerprint sensor (Fingerprint sensor : ID 751 : $49.95 : Adafruit Industries, Unique & fun DIY electronics and kits) to validate the users.
Im having an issue with the server side validation of the users, it doenst matter as such who the users are as long as two validate within a set time period, I have tried to do this on the server side and have come to the conclusion that I do not have the requisite programming knowledge. Below is some pseudo code for the approach I am asking for help about:

when setup1 receives timeStamp2

timer = 10secs

	while timer !=0 {
	
		valid = timeStamp1-timeStamp2
		if (valid = +/-10) {
			
			send flag (could be 1) to website
		
		}


	}


Server:

	Valid = $_GET['valid']

	if (valid == 1) {
		
		send user to loggedin.php 
					  
	}

The rest of the code is as an attachment due to length restrictions

I have included sections of code that were from previous implementation attempts in order to give an idea of approaches already attempted.

The server is an ubuntu 14.04 server running apache2, php5, ntp and mysql, it is a virtual machine running on vmware workstation.
As of this moment the code above queries the server for the unix time (the way I am attempting to work out whether the user has authenticated withing a set time) then for connectivity tests pulls back the index page. from here when a user authenticates the ethernet shield sends the variable to the server.

Any suggestions are much appreciated.

If you require any other information or would like specific details posted please let me know and I will reply asap.

Setup-One.ino (8.68 KB)

I dont 100% follow.. (so lets get some conversation going)

1.) Are these UNO's connected to the same fingerprint scanner? or each has their own? And they EACH have their own Ethernet Shied....yes?

In my mind.. this is a simple PHP solution..

• Uno #1 logs an attempt (saves timestamp [and whatever else may be needed] to a database..
• Uno #2 logs an attempt (saves the above.. but also checks the timestamp of entry #1 above to see if its 'with-in the time allowed'.. and does what you based on a failed or success response)

xl97:
1.) Are these UNO's connected to the same fingerprint scanner? or each has their own? And they EACH have their own Ethernet Shied....yes?

There are two seperate setups, each with their own arduino, ethernet shield and fingerprint scanner.

xl97:
In my mind.. this is a simple PHP solution..

• Uno #1 logs an attempt (saves timestamp [and whatever else may be needed] to a database..
• Uno #2 logs an attempt (saves the above.. but also checks the timestamp of entry #1 above to see if its 'with-in the time allowed'.. and does what you based on a failed or success response)

This was my initial approach, however I don't have a good enough grasp of PHP to make it work, I had the server receiving the variable but nothing was being entered to the database, I tried multiple ways of entering the data using PDO as well as prepared statements with the variable substituted in.

I also had the issue of how to trigger the check or do it dynamically from the server side.

Hi-

I can probably help with the PHP side of things...

but lets clarify that a bit..

*(understood, about two separate systems) = good to know!

ok.. so you 'authenticate' (ie: you walk up to fp scanner and attempt to 'log in')

this should do.... what?

just log an 'attempt to authenticate' in the DB....

• timedate stamp
• fp 'id' of the person attempting to 'log in'? (not sure how this value is sent from the fp scanner? I'm guessing you have this all figured out? what format is it? text? alpha-numeric? hash?).. some sort of repeatable/unique 'id' is sent though?

then........what?

(I'm missing the connection between authentication attempt #1 and #2?)

someone needs to 'log-in' at station #2.. within a certain time frame?.. (for what to happen at that time?)

Also.. I'm not clear what you mean by this?

I also had the issue of how to trigger the check or do it dynamically from the server side.

How are you sending the data to the .php script?

$_POST?
$_GET?

(sending values in url/query string for php script to out and send to database? and do some conditional checking?)

xl97:
ok.. so you 'authenticate' (ie: you walk up to fp scanner and attempt to 'log in')

this should do.... what?

So what this should do is say that a valid user has authenticated, for the moment I'm not worried about who it was but rather when.

The idea is that for a user to gain access to the website, two valid prints must be scanned within a set period of time, say 10 seconds.

xl97:

• timedate stamp
• fp 'id' of the person attempting to 'log in'? (not sure how this value is sent from the fp scanner? I'm guessing you have this all figured out? what format is it? text? alpha-numeric? hash?).. some sort of repeatable/unique 'id' is sent though?

At the moment I am attempting to send a $_GET request shown below:

client.print("GET /addStamp.php?");
      client.print("timeStamp1=");
      client.print(timeStamp1);
      client.println(" HTTP/1.1");
      client.print("HOST: ");
      client.println("192.168.150.14");
      client.println("User-Agent: Arduino");
      client.println("Accept: text/html");
      client.println("Connction: close");
      client.println();

Note this is the code for when I was attempting to store a value in the database, to then be pulled and compared when a value for each had been entered. I have also added the $_POST request that I had tried below:

      client.println("POST /addStamp.php HTTP/1.1");    
      client.println("Host: 192.168.150.14");
      client.println("User-Agent: Arduino/1.0");
      client.println("Connection: close");
      client.println("Content-Type: application/x-www-form-urlencoded;");
      client.print("Transfer-Encoding: chunked");
      client.println(sizeof(timeStamp1));    
      //client.println(); 
      client.println(timeStamp1);

xl97:
then........what?

(I'm missing the connection between authentication attempt #1 and #2?)

someone needs to 'log-in' at station #2.. within a certain time frame?.. (for what to happen at that time?)

---

So scanner 1 and scanner 2 need to send a timestamp to the server within a set period of time, again not so much worried about false attempts they are ignored for the moment.
When a valid print for 1 and 2 has been scanned it should log the user in. In the case of this it would send the user to a page called loggedin.php.

xl97:
Also.. I'm not clear what you mean by this?

How are you sending the data to the .php script?

$_POST?
$_GET?

(sending values in url/query string for php script to out and send to database? and do some conditional checking?)

Data is currently being sent via a $_GET request although as I've posted above I have also tried $_POST, I know that the server is getting the $_GET request (see attached sceenshot).

Once the server has recieved two valid prints (in the form of two timestamps) it would then allow access to the website (send to loggedin.php).

I hope this helps clear things up.

ArduinoSetup1ToServer.jpg817×53 20.4 KB

A few comments on your HTTP implementation:

First, I recommend you stick with "GET" instead of "POST". It's simpler to implement, easier to debug, and you don't have such a volume of data you're sending that would require the POST method.

Sending a "Host: " header with an IP is non-sensical. The value you send with the Host header should be a name ("www.mysite.com") and would be matched to a ServerName directive within a in your Apache configuration.

If you send the request as "HTTP/1.0" instead of "HTTP/1.1" you can completely drop the "Host: " line and the "Connection: close" line. Those headers are required with HTTP/1.1 but optional with HTTP/1.0. Also note that you misstyped "Connction" in your GET example -- possibly the source of your problems there but I'm not sure Apache would error on that or not.

So, as a complete example, this is all you need:

    client.print("GET /addStamp.php?");
      client.print("timeStamp1=");
      client.print(timeStamp1);
      client.println(" HTTP/1.0");
      client.println();

Keep it simple; skip the User-Agent and other stuff unless you have a clever reason to use it.

Okay thanks for that, I have implemented this as well as altering the code for the new request I am trying to implement (Following the pseudo code in my original post).

I haven't gotten round to doing much of the server side code as of yet but will keep your suggestions of using "GET" over "POST"

I'll break out my Ethernet Shield this weekend.. and give it a go..

I'll post the .php side of things well..

(not sure what version my Ethernet Shield is though.. if that even matters)

xl97:
I'll break out my Ethernet Shield this weekend.. and give it a go..

I'll post the .php side of things well..

Great cheers any help is greatly appreciated.

xl97:
(not sure what version my Ethernet Shield is though.. if that even matters)

It shouldn't matter overly much, just a different library used so changes a couple of bits of syntax, I should be fine adapting anything.

ok...

also.. your doing this 'locally'......correct?

(ie: using LAMP/WAMP/Manual install...etc)?

or are you 'going out' to the 'web' and then coming back to some external IP..that (port) forwards?

(looks to be the former, (as it looks like an internal IP address in your $_POST example)..but I wanted to double check)

xl97:
also.. your doing this 'locally'......correct?

(ie: using LAMP/WAMP/Manual install...etc)?

Yeah everything has been set up locally, manual install of an ubuntu server with the packages I mentioned earlier.

Sorry for the delay in response..

I had to dig out my old Ethernet shield..

as well as work through some WAMP settings (was getting 403/Forbidden errors..etc)

Your LAMP setup/configuration might differ? (or be already working correctly)

I have that all sorted..

and have an ethernet shield example working..

where if I press a button (ie: simulating the fingerprint scanner process).. it will log an entry in to a MySQL database using a php script)

So now I get into the 'meat -n- potatoes' of what you need done (server side).

basically if there is a log entry attempted.. it should check to see if any other log entry has happened (within the last 15 seconds).

if yes.. route them to a new page?

(I guess thats the part I'm not clear on).. (and probably my lack of experience here).

but you arent really using a 'browser' to re-direct?

I mean I see a response from my PHP page in the serial monitor telling me the logging was successful.. (and I see the timestamp/info in my database as well)

I suppose I could then redirect/forward over to a new page.. and echo out some more data... but I'm not 100% clear on what this will do? (or do different then a response from the current .php script?)

xl97:
basically if there is a log entry attempted.. it should check to see if any other log entry has happened (within the last 15 seconds).

if yes.. route them to a new page?

That is the aim , I'm not sure on how this is achievable, I thought about sessions but again not had a huge amount of experience with them so not sure if you could pass the session to the script (at addStamp.php on page load?) and then when verified it would redirect the specific session?

xl97:
I mean I see a response from my PHP page in the serial monitor telling me the logging was successful.. (and I see the timestamp/info in my database as well)

Okay this is something that I haven't managed to get implemented but I though would be the first step to then verifying the login attempt.

xl97:
I suppose I could then redirect/forward over to a new page.. and echo out some more data... but I'm not 100% clear on what this will do? (or do different then a response from the current .php script?)

I tried sending a variable of 1 if the log on was successful (going back to the original pseudo code in the first post) and manually entered this value.

But the obvious problem was that the page wouldn't be able to redirect the user on the page because that page didn't specifically call the script (script called by arduino not user on index.php) as would normally happen when passing between pages, the only solution I can think of is sessions, and a user gets a session on load and sends that to the script addStamp, this however seems very very convoluted and I'm not sure it would even work.

I'm still not clear.

So.. use puts finger on scanner..

Arduino send this data to the php script, which in turn does:

• it logs an entry to the database, and then

• checks to see if there was a another 'log entry' made with in the last 1 minute (or whatever).

• all the while, it is returning data back to the Arduino (success, fail.. on log entry.. and then if access was granted or denied based on any previous log entries made within that allowed time)

*I have added the timestamp checking/comparison to the php file now..

my disconnect here is what is supposed to happen? I dont follow your last paragraph.

What is supposed to happen when re-directed?

What is this next page supposed to 'do' for the user? What is the purpose?

Its not a browser.. you dont see 'visuals' displayed in a browser window or anything.

Can the Arduino even work with $_SESSION data? (Isnt that for browsers?)

I mean.. Im pretty sure you can parse the response back form the php page, and set some variables based on it.. but again.. whats the purpose?

So lets walk through your scenario again..

if its successful.. you want a 1 returned.. if not..? a zero (0)?

And then what?

You get this 'response'.. and.....?

What? You want the Arduino to call/load/connect to a NEW php page/script... that does what exactly??

xl97:
I'm still not clear.

my disconnect here is what is supposed to happen? I dont follow your last paragraph.

What is supposed to happen when re-directed?

What is this next page supposed to 'do' for the user? What is the purpose?

It is supposed to redirect the user to a static page on a web server (loggedin.php) which is run off the ubuntu 14.04 virtual machine.

The program is supposed to test the feasibility of creating a system that will log a user in to a website using their biometric signature (in this case fingerprint).

Later down the line I'll implement a proper system for logging a user in, likely using dual factor, one a simple username password but then also link in the fingerprint scanner setup as well.

However for now I'd like the system to use two scanners to 'log someone in', for now this can be a simple redirect to a different page. Extra functionality will be added once this is sorted.

The idea I had with sessions was within the php itself on the server so that someone who loads the site gets assigned a session and then use this to log them in, again this was just an idea that I haven't managed to look into much for the actual redirection of the user.

The last paragraph was just my reasoning why the server would not be able to redirect a user from the index page to the logged in page because the user does not actually send anything to the addStamp script (this is done by the Arduino when a user authenticates) and as such how could addStamp redirect a user on the index page after it detects a successful attempt to log in.

Hope that clears it up a little.

So you're not opening a door or firing a missile, you are sitting at a PC looking at a website which requires two fingerprints instead of a password?

The simple way to do that would be to have the fingerprint scanner(s) plugged into the computer by USB and then the browser could send the fingerprint data as part of the page request. The problem with that is the browser has very limited access to the hardware of the PC. If the browser could open a connection to a USB device then hackers would be able to turn on the camera on the PC without your knowledge.

So you have two Ethernet shields. How would the server know that those two shields are even in the same room as the PC looking at the web page? That's a tough one.

MorganS:
So you're not opening a door or firing a missile, you are sitting at a PC looking at a website which requires two fingerprints instead of a password?

Yes I am trying to make a log in system that would require two fingerprints.

MorganS:
The simple way to do that would be to have the fingerprint scanner(s) plugged into the computer by USB and then the browser could send the fingerprint data as part of the page request. The problem with that is the browser has very limited access to the hardware of the PC. If the browser could open a connection to a USB device then hackers would be able to turn on the camera on the PC without your knowledge.

As is in the attached code, I have a GET request that sends the time (unix) at which the fingerprint was authenticated.

MorganS:
So you have two Ethernet shields. How would the server know that those two shields are even in the same room as the PC looking at the web page? That's a tough one.

The point is that it shouldn't need to, this system could be implemented with the scanners positioned anywhere in the world, for the purposes of testing there is only one user and the setups are connected to the same network, however the system could be employed to secure a system where two parties could authenticate to a website (or any system that has web connectivity), as of this moment this is a proof of concept study.

Web security is hard. Realy truly mind-bendingly hard.You have to assume that everyone is hacking into your website at a rate of tens of thousands of requests per second. If you accept two fingerprints without checking that the fingerprints are related, then what security do you really have?

Let's say that me, my mother and my two sisters share access to this supposed website. Any two of the four fingerprints logs us in. So if I want to show the web page on my PC here, I have to call one of my sisters to have her swipe her finger. OK, good so far. But my mother just called my other sister and asked her to swipe her finger too. Which one of us sees the web page on our PC? How does the system know that it should be displaying on my PC and not the sister who swiped first?

OK, so you want only two fingerprints, not four. Lets remove the sisters from the access list. I swipe, then my mother swipes, and one of us can now log in. The website is open and unprotected during those few seconds. A hacker can step in and grab our login session. You think this is rare? I think it will happen in the first week that your system is live on the internet.

You do make a very good point and it has been considered, however as stated in the previous post this is a proof of concept, not a final product and as such is being used to test feasibility from a technical perspective and not from a real world application perspective, obviously if this were to be implemented then robust security measures need to be implemented and the log in process locked down to reduce the likelihood (as it is impossible to fully negate the risk of cyber attacks) of an incursion, hence the comment I made in an earlier post about dual factor authentication being a possible avenue of inquest in order to determine a more secure way of carrying out the proposed concept, yet again however at this moment in time I need to be able to implement an insecure version as proof that it can be done before this can be carried forward.

I'm not sure then to be honest.

it seems to like to separate tasks..

and without having your 'web page' (this is an HTML/PHP page that you create that is hosted on your LAMP set up, nothing to do with the Arduino stuff).. to keep 'polling' for an update in the database or something..

I'm not sure how an outside influence (ie: the Arduino/PHP/database stuff) can effect or 'push' an existing page that is being viewed in a browser..

now if the page itself was maybe hosted ON the Ethernet shield (probably doable, I havent looked into it, I know its done on the ESP8266 (wi-fi) module a lot)..

then maybe...

but I think you need to look at things differently then.

Its almost like you need the ethernet shield to be both client & server..

The 'web page' sounds like it may need to be hosted on the ethernet shield.. and the browser pointed to 'that' IP/page.. (so you can have control over it from the Arduino side of things)

but you also need to 'reach out' and dump data to an external .php script to log the info to the database, and return a pass/fail result..

and which point the Ethernet shield/Arduino would update the 'page' it is serving to the browser that is connected to it.

the apache/php/mysql side of things is only going to be used to:

1.) have a place to create a database (this could be 'cloud based'..ie: on a domain on the internet, not local)
2.) have a place to execute a .php script to make an entry into the database and do some timestamp checking. (again this could be cloud based, or run on a 'live' domain)...

which seems to be the opposite of what you are doing currently? (which is having the web page hosted on the LAMP install..etc)

you could do things this way.... but there is no real 'connection' between when a user gives the 'print' and the Arduino does it things, reaches out to the .php script to make an entry in the DB...

and what the user will be seeing in a 'browser' on a PC, in front of them..

there would need to be some 'behind the scenes' AJAX/polling solution that checks for (whatever) to see if it needs to update its page with a new message (or whatever it you need to do)..

but that means this 'page' in the browser would just be constantly be checking for a 'change' (somewhere) to then update the page in the browser to show a result..

(which I dont think you want)

If you need help trying things the new way.. let me know.

Whipping up an example to dump to .php/mysql was fun for me.

maybe the server one wont be so bad either....but nto sure about how easy it will be to flip/flop between setting things up as a server to display a page: "please user fingerprint scanner below"..

then swap to a being a 'client' so it can connect to an IP (WAMP/LAMP install).. dump data to a php script, save to database, do some timestamp checking....

then based on the results above..

flip the shield back into a 'server' to display the results on a page in the browser that directed the user to use the fingerprint scanner...