Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master
Fetching contributors…

Cannot retrieve contributors at this time

16 lines (10 sloc) 0.756 kb
h3. Authentication security projects for a later date
* Track 'failed logins this hour' and demand a captcha after say 5 failed logins
("RECAPTCHA plugin.":http://agilewebdevelopment.com/plugins/recaptcha)
"De-proxy-ficate IP address": http://wiki.codemongers.com/NginxHttpRealIpModule
* Make cookie spoofing a little harder: we set the user's cookie to
(remember_token), but store digest(remember_token, request_IP). A CSRF cookie
spoofer has to then at least also spoof the user's originating IP
(see "Secure Programs HOWTO":http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-authentication.html)
* Log HTTP request on authentication / authorization failures
http://palisade.plynt.com/issues/2004Jul/safe-auth-practices
Jump to Line
Something went wrong with that request. Please try again.