zachinglis / restful-authentication forked from technoweenie/restful-authentication

Generates common user authentication code for Rails/Merb, with a full test/unit and rspec suite and optional Acts as State Machine support built-in.


zachinglis (author)
Tue Jun 24 06:18:33 -0700 2008
commit  c4131241100e15b0b715766b955c6a7d8e16427a
tree    5d8e26121266153834b1b1a6f3f32afd1b4e35b3
parent  e627e2e5ea40e638ac3cd8f24cb242500cbf414b
100644 16 lines (10 sloc) 0.756 kb
 
h3. Authentication security projects for a later date
 
 
* Track 'failed logins this hour' and demand a captcha after say 5 failed logins
  ("RECAPTCHA plugin.":http://agilewebdevelopment.com/plugins/recaptcha)
  "De-proxy-ficate IP address":http://wiki.codemongers.com/NginxHttpRealIpModule
 
* Make cookie spoofing a little harder: we set the user's cookie to
  (remember_token), but store digest(remember_token, request_IP). A CSRF cookie
  spoofer then has to at least also spoof the user's originating IP
  (see "Secure Programs HOWTO":http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-authentication.html)
 
* Log HTTP request on authentication / authorization failures
  http://palisade.plynt.com/issues/2004Jul/safe-auth-practices
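The three items above as one added Ruby example (illustrative code, not part of restful-authentication): a remember-token binding that stores only digest(remember_token, request_IP) so a stolen cookie is useless from another address, a per-login failed-attempt counter that demands a captcha after 5 failures in the last hour, and a log line for authentication failures that carries the request details but never the submitted password. The module and class names, the HMAC-SHA256 construction, the hour window and the request hash shape are all assumptions chosen for the example.

```ruby
require "openssl"
require "securerandom"

# Compare two strings in constant time so the digest check does not leak
# how many leading bytes matched (hand-rolled to avoid depending on a
# particular openssl gem version).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Assumed module name. The browser holds the raw remember_token; the server
# stores only HMAC(secret, token || ip). Presenting the cookie from a different
# IP produces a different digest and fails validation.
module RememberTokenBinding
  module_function

  def digest(secret, remember_token, request_ip)
    OpenSSL::HMAC.hexdigest("SHA256", secret, "#{remember_token}|#{request_ip}")
  end

  # Returns [cookie_value, stored_digest]; only the digest goes in the database.
  def issue(secret, request_ip)
    token = SecureRandom.hex(32)
    [token, digest(secret, token, request_ip)]
  end

  def valid?(secret, stored_digest, cookie_token, request_ip)
    return false if stored_digest.nil? || cookie_token.nil?
    secure_compare(digest(secret, cookie_token, request_ip), stored_digest)
  end
end

# Assumed class name. Tracks failed logins per account inside a sliding
# one-hour window; the clock is injectable so the behaviour can be tested.
class FailedLoginThrottle
  WINDOW = 3600   # seconds
  THRESHOLD = 5   # failures before a captcha is demanded

  def initialize(clock: -> { Time.now })
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] }
  end

  def record_failure(login)
    @failures[login] << @clock.call
  end

  # Call on successful login so an old burst does not haunt the user.
  def clear(login)
    @failures.delete(login)
  end

  def failures_this_hour(login)
    now = @clock.call
    @failures[login].reject! { |t| now - t > WINDOW }
    @failures[login].size
  end

  def captcha_required?(login)
    failures_this_hour(login) >= THRESHOLD
  end
end

# Build the audit line for an authentication/authorization failure. The
# request hash shape (:remote_ip, :method, :path, :user_agent) is assumed;
# the password is deliberately never part of the line.
def auth_failure_log_line(request, login:, reason:)
  "auth_failure login=#{login.inspect} reason=#{reason} " \
    "ip=#{request[:remote_ip]} method=#{request[:method]} " \
    "path=#{request[:path]} ua=#{request[:user_agent].inspect}"
end

if __FILE__ == $0
  secret = "constructed-server-secret"
  token, stored = RememberTokenBinding.issue(secret, "203.0.113.5")
  puts RememberTokenBinding.valid?(secret, stored, token, "203.0.113.5")  # true
  puts RememberTokenBinding.valid?(secret, stored, token, "198.51.100.9") # false
end
```

The IP binding trades some usability for safety: users behind rotating proxies or on mobile networks will be logged out when their address changes, which is why the note about de-proxy-ficating the address matters, since otherwise every user behind the same reverse proxy shares one IP and the binding buys little.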