Fork of technoweenie/restful-authentication
Description: Generates common user authentication code for Rails with support for i18n, a full rspec suite and optional Acts as State Machine support built-in
Homepage: http://www.mouseoverstudio.com/blog/
Clone URL: git://github.com/dcrec1/restful-authentication-i18n.git
dcrec1 (author)
Tue Mar 24 15:19:47 -0700 2009
commit  ac4bcb0ee91b0ef4bcd6f9c06f083b38dbf8e3d3
tree    95997dac874daabdb18fdf1f64449c84f201abb2
parent  2884f0a395a1d1ccd1211c9cb03b2b6f101be595
 
h3. Authentication security projects for a later date
 
 
* Track 'failed logins this hour' and demand a captcha after say 5 failed logins
  ("RECAPTCHA plugin.":http://agilewebdevelopment.com/plugins/recaptcha)
  "De-proxy-ficate IP address":http://wiki.codemongers.com/NginxHttpRealIpModule
 
* Make cookie spoofing a little harder: we set the user's cookie to
  (remember_token), but store digest(remember_token, request_IP). A CSRF cookie
  spoofer has to then at least also spoof the user's originating IP
  (see "Secure Programs HOWTO":http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-authentication.html)
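The cookie-binding idea above, as an added example that is not code from restful-authentication: the cookie carries the raw remember_token, the server stores only digest(remember_token, request_IP), and the IP fed into the digest is taken from X-Forwarded-For only when the request arrived via one of our own proxies (the "de-proxy-ficate" point from the first item). The secret, the trusted-proxy list and all names below are constructed for this example.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not part of restful-authentication. Binds a remember-me token
# to the client IP: the cookie holds the raw token, the database holds only
# digest(remember_token, request_IP). SECRET and TRUSTED_PROXIES are constructed.
module RememberTokenBinding
  SECRET = 'constructed-example-secret'.freeze
  TRUSTED_PROXIES = ['10.0.0.1'].freeze

  # "De-proxy-ficate": only honour X-Forwarded-For when the TCP peer is one of
  # our reverse proxies, otherwise a client could choose the IP we bind to.
  # With a single trusted hop, the last entry is the address that hop saw.
  def self.client_ip(remote_addr, forwarded_for)
    return remote_addr unless TRUSTED_PROXIES.include?(remote_addr) && forwarded_for
    forwarded_for.split(',').map(&:strip).reject(&:empty?).last || remote_addr
  end

  # Issue a fresh random token; returns [cookie_value, stored_digest].
  def self.issue(request_ip)
    token = SecureRandom.hex(32)
    [token, digest(token, request_ip)]
  end

  # digest(remember_token, request_IP) as a keyed HMAC, so a leaked database
  # column cannot be replayed as a cookie and the IP cannot be stripped off.
  def self.digest(token, request_ip)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET, "#{token}|#{request_ip}")
  end

  # Recompute the digest for the presented cookie and the current client IP;
  # a spoofed cookie arriving from another IP fails here.
  def self.valid?(cookie_token, request_ip, stored_digest)
    return false if cookie_token.nil? || cookie_token.empty? || stored_digest.nil?
    secure_equal?(digest(cookie_token, request_ip), stored_digest)
  end

  # Constant-time comparison so the check does not leak matching prefixes.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result.zero?
  end
end
```

Binding to the IP means a legitimate user whose address changes (mobile networks, rotating corporate proxies) is logged out, which is the trade-off this TODO item accepts.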
 
* Log HTTP request on authentication / authorization failures
  http://palisade.plynt.com/issues/2004Jul/safe-auth-practices