mrflip edited this page Aug 17, 2010 · 1 revision

Authentication security projects for a later date

  • Track ‘failed logins this hour’ and demand a captcha after, say, 5 failed logins
    (RECAPTCHA plugin), in which case we’d better also recommend “De-proxy-ficating IP
    address” (resolving the real client IP behind any proxies).
  • Make cookie spoofing a little harder: we set the user’s cookie to
    (remember_token), but store digest(remember_token, request_IP). A CSRF cookie
    spoofer has to then at least also spoof the user’s originating IP
    (see Secure Programs HOWTO)
  • Log HTTP request on authentication / authorization failures (see here)
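An added example, not the page’s or the project’s own code, sketching the first two items in Ruby: a per-login counter that demands a captcha after 5 failed logins in the trailing hour, a de-proxified client address that honours X-Forwarded-For only from a listed proxy, and a remember token whose server-side record is digest(remember_token, request_IP). The in-memory hashes, SHA-256 as the digest and the trusted-proxy list are assumptions.

```ruby
require 'openssl'
require 'securerandom'
# Constructed in-memory stand-ins for the persistence layer (assumption, not the project's models).
FAILED_LOGINS     = Hash.new { |h, k| h[k] = [] }  # login => [unix timestamps of failures]
REMEMBER_DIGESTS  = {}                             # login => digest(remember_token, request_IP)
CAPTCHA_THRESHOLD = 5
WINDOW            = 3600                           # "this hour"

# Item 1: record a failed login and report whether the caller must now demand a captcha.
def record_failed_login(login, now = Time.now.to_i)
  FAILED_LOGINS[login] << now
  FAILED_LOGINS[login].reject! { |t| t <= now - WINDOW }   # forget failures older than an hour
  FAILED_LOGINS[login].size >= CAPTCHA_THRESHOLD
end

def captcha_required?(login, now = Time.now.to_i)
  FAILED_LOGINS[login].count { |t| t > now - WINDOW } >= CAPTCHA_THRESHOLD
end

# "De-proxy-ficating" the address: honour X-Forwarded-For only when the direct peer is one of
# our own proxies, and take the right-most address that is not itself one of our proxies.
def client_ip(remote_addr, x_forwarded_for, trusted_proxies)
  return remote_addr unless x_forwarded_for && trusted_proxies.include?(remote_addr)
  hops = x_forwarded_for.split(',').map(&:strip).reject { |ip| trusted_proxies.include?(ip) }
  hops.last || remote_addr
end

# Item 2: the cookie carries only the random token; the server keeps digest(token, request_IP),
# so a stolen cookie presented from a different address does not verify.
def digest_for(token, client_ip)
  OpenSSL::Digest::SHA256.hexdigest("#{token}|#{client_ip}")   # SHA-256 is an assumption
end

def issue_remember_token(login, client_ip)
  token = SecureRandom.hex(32)
  REMEMBER_DIGESTS[login] = digest_for(token, client_ip)
  token                                                        # this is what goes in the cookie
end

# Constant-time comparison so the check leaks nothing about how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def remember_token_valid?(login, token, client_ip)
  stored = REMEMBER_DIGESTS[login]
  return false unless stored
  secure_equal?(stored, digest_for(token, client_ip))
end
```

Binding the digest to the address also means the token stops verifying whenever the user’s IP changes (mobile networks, rotating egress), so expect those users to be asked to log in again.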