c394d99 Organized notes
Philip (flip) Kromer authored
h3. Authentication security projects for a later date

* Track 'failed logins this hour' and demand a captcha after say 5 failed logins
("RECAPTCHA plugin":http://agilewebdevelopment.com/plugins/recaptcha).
"De-proxy-ficate IP address":http://wiki.codemongers.com/NginxHttpRealIpModule

* Make cookie spoofing a little harder: we set the user's cookie to
(remember_token), but store digest(remember_token, request_IP). A CSRF cookie
spoofer then has to at least also spoof the user's originating IP
(see "Secure Programs HOWTO":http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-authentication.html).

* Log the HTTP request on authentication / authorization failures
(see http://palisade.plynt.com/issues/2004Jul/safe-auth-practices).
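The three items above, worked through in Ruby as an added example (not code from these notes or the project they belong to). It assumes an in-memory Hash as the failed-login store, a single trusted reverse proxy at the constructed address in TRUSTED_PROXIES, a per-deployment SERVER_SECRET for the HMAC, and a request represented as a plain Hash; the helper names are hypothetical.

```ruby
require 'openssl'
require 'json'
require 'time'

# --- 1. 'failed logins this hour' counter (threshold of 5 taken from the notes).
# An in-memory Hash stands in for whatever store the app would use (assumption).
class FailedLoginTracker
  MAX_FAILURES_PER_HOUR = 5

  def initialize(clock: -> { Time.now })
    @clock = clock                              # injectable clock so expiry is testable
    @failures = Hash.new { |h, k| h[k] = [] }   # ip => [timestamps of failures]
  end

  # Record one failed attempt against the client's real (de-proxied) IP.
  def record_failure(ip)
    @failures[ip] << @clock.call
  end

  # Count only attempts within the trailing hour; older ones are dropped.
  def failures_this_hour(ip)
    cutoff = @clock.call - 3600
    @failures[ip].reject! { |t| t < cutoff }
    @failures[ip].size
  end

  def captcha_required?(ip)
    failures_this_hour(ip) >= MAX_FAILURES_PER_HOUR
  end
end

# --- 2. "De-proxy-ficate": honour X-Forwarded-For only when the TCP peer is our
# own reverse proxy (what nginx's real_ip module does; hypothetical helper here).
TRUSTED_PROXIES = ['10.0.0.1'].freeze   # constructed address of the front proxy

def client_ip(remote_addr, x_forwarded_for)
  return remote_addr unless TRUSTED_PROXIES.include?(remote_addr) && x_forwarded_for
  # The trusted proxy appends the address it saw, so the last entry is the client.
  x_forwarded_for.split(',').map(&:strip).last
end

# --- 3. Remember-me token bound to the originating IP: the cookie holds the raw
# token, the server stores only digest(remember_token, request_IP).
SERVER_SECRET = 'constructed-example-secret'  # assumption: per-deployment secret

def remember_digest(remember_token, request_ip)
  OpenSSL::HMAC.hexdigest('SHA256', SERVER_SECRET, "#{remember_token}|#{request_ip}")
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def remember_token_valid?(stored_digest, presented_token, request_ip)
  secure_equal?(remember_digest(presented_token, request_ip), stored_digest)
end

# --- 4. Structured log line for an authn/authz failure: enough of the request to
# investigate, never the submitted password or the cookie value itself.
def auth_failure_log_line(request, reason, now: Time.now)
  {
    time: now.utc.iso8601,
    event: 'auth_failure',
    reason: reason,
    ip: client_ip(request[:remote_addr], request[:x_forwarded_for]),
    method: request[:method],
    path: request[:path],
    user_agent: request[:user_agent]
  }.to_json
end

if __FILE__ == $PROGRAM_NAME
  tracker = FailedLoginTracker.new
  req = { remote_addr: '10.0.0.1', x_forwarded_for: '203.0.113.5',      # constructed
          method: 'POST', path: '/session', user_agent: 'curl/8.0' }
  ip = client_ip(req[:remote_addr], req[:x_forwarded_for])
  5.times { tracker.record_failure(ip) }
  puts "captcha required for #{ip}: #{tracker.captcha_required?(ip)}"
  puts auth_failure_log_line(req, 'bad_password')
end
```

Two design points worth noting. The counter is keyed by the de-proxied address: if it were keyed by the proxy's own address, every user behind the proxy would share one budget of five failures. And binding the remember digest to the request IP means the cookie stops validating whenever the user's address changes (NAT pools, mobile networks), so the login flow has to treat that as "re-authenticate", not as an error.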