johnreilly / restful-authentication forked from technoweenie/restful-authentication

Generates common user authentication code for Rails/Merb, with a full test/unit and rspec suite and optional Acts as State Machine support built-in.

This URL has Read+Write access
mrflip (author)
Thu Sep 04 21:39:55 -0700 2008
commit  5846e652407eb26f54f85062cd4fe5cda68daf61
tree    4e20ea802dc2be505dfd3f5e2eb3a96395473eed
parent  b23f6ef47355ffe1882bef283d5dcf499b38111d
100644 16 lines (10 sloc) 0.756 kb
raw blame history 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

 
h3. Authentication security projects for a later date
 
 
* Track 'failed logins this hour' and demand a captcha after say 5 failed logins
  ("RECAPTCHA plugin.":http://agilewebdevelopment.com/plugins/recaptcha)
  "De-proxy-ficate IP address": http://wiki.codemongers.com/NginxHttpRealIpModule
 
* Make cookie spoofing a little harder: we set the user's cookie to
  (remember_token), but store digest(remember_token, request_IP). A CSRF cookie
  spoofer has to then at least also spoof the user's originating IP
  (see "Secure Programs HOWTO":http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-authentication.html)
 
* Log HTTP request on authentication / authorization failures
  http://palisade.plynt.com/issues/2004Jul/safe-auth-practices