
Authentication security projects for a later date

  • Track "failed logins this hour" and demand a captcha after, say, 5 failed logins
    (reCAPTCHA plugin). In which case we'd better also recommend "de-proxy-ficating"
    the IP address, so the real client IP (not the reverse proxy's) is what gets
    counted: http://wiki.codemongers.com/NginxHttpRealIpModule
  • Make cookie spoofing a little harder: we set the user's cookie to the raw
    remember_token, but store digest(remember_token, request_IP) server-side and
    recompute it on each request. A cookie spoofer then has to at least also spoof
    the user's originating IP (see the Secure Programs HOWTO).
  • Log the HTTP request on authentication / authorization failures (see here).
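A sketch of the IP-bound remember token from the second item, added here as an example (not this project's code). It assumes a Rails-style remember_token cookie, a per-user column holding the digest, and a request IP that has already been de-proxied as the first item recommends; the secret and IP values are constructed for the example.

```ruby
require 'digest'
require 'securerandom'

# Server-side value: digest(remember_token, request_IP) as the note describes.
# The cookie carries only the random token; the database stores this digest.
def remember_digest(token, ip)
  Digest::SHA256.hexdigest("#{token}|#{ip}")
end

# Issue a fresh token for a login from +ip+.
# Returns [cookie_value, value_to_store_on_the_user_row].
def issue_remember_token(ip)
  token = SecureRandom.hex(32) # 256 bits of entropy; never stored in the clear
  [token, remember_digest(token, ip)]
end

# Constant-time string comparison so the check does not leak digest prefixes
# through response timing (hand-rolled so the example needs no extra gems).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a presented cookie against the stored digest for the current request IP.
# A cookie replayed from a different IP recomputes to a different digest and fails.
def remember_token_valid?(cookie_token, request_ip, stored_digest)
  return false if cookie_token.nil? || stored_digest.nil?
  secure_equal?(remember_digest(cookie_token, request_ip), stored_digest)
end

# Walk-through with constructed addresses: the legitimate client, a replay of
# the same cookie from elsewhere, and a guessed token from the right address.
def demo
  cookie, stored = issue_remember_token('203.0.113.10')
  {
    same_ip:   remember_token_valid?(cookie, '203.0.113.10', stored),
    other_ip:  remember_token_valid?(cookie, '198.51.100.7', stored),
    bad_token: remember_token_valid?('0' * 64, '203.0.113.10', stored)
  }
end
```

The trade-off is that a user whose address changes (mobile networks, NAT pools) is silently logged out, which is the reason the realip configuration from the first item has to be in place before this check is turned on.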