Hi guys
I'm writing myself a new, secure (hopefully) login script and I was wondering if you think I have missed anything or could improve anything.
The login $_POST
I redirect this to a script and back again to lose the browser "back button" log in by legacy $_POST.
Off site scripting
The log in $_POST sets a unique token which is set in the $_POST as well as $_SESSION then the two are compared for validity when the $_POST is redirected to the handling file.
SQL injection
A simple function only allowing alphanumeric and _ (underscore) - (hyphen) . (dot)
function mysql_prepare_input($input) {
    // No characters allowed other than alphanumeric, space, _ (underscore), - (hyphen), . (dot)
    // (the /i flag is not needed: a-zA-Z already covers both cases)
    $input = preg_replace("/[^a-zA-Z0-9 _.-]/", "", $input);
    // Surely we have already done this but .. won't hurt :)
    // (needs an open mysql_connect() link, otherwise it returns false)
    $input = mysql_real_escape_string($input);
    return $input;
}
Brute force
A failed login stores a time and a failure count in the DB, keyed by IP.
1 failure: you have to wait 15 secs to try again
2 failures: 20 secs
3 failures: 30 secs
4+ failures: 1 hour
What do you think? Did I miss anything?
Looks fine..
If you're really worried about brute force and you're protecting something valuable,
you could try setting a maximum number of attempted login sessions per hour.
That way if someone tries brute forcing through multiple proxies or bot-nets, it will prevent further logins.
Maybe even have it send out an email to the admins to make them aware.
Quote from: karlbenson - December 30, 2007, 05:48:21 PM
If you're really worried about brute force and you're protecting something valuable,
you could try setting a maximum number of attempted login sessions per hour.
That way if someone tries brute forcing through multiple proxies or bot-nets, it will prevent further logins.
Maybe even have it send out an email to the admins to make them aware.
This is a good idea karlbenson .. thanks ..
The IP based system was worrying me, as few internet users actually have a dedicated IP and, as you mentioned, the real brute force threat is multiple proxies or bot-nets.
I think I'll add an IP based "lockout" at 5 attempts:
1 failure: you have to wait 15 secs to try again
2 failures: 20 secs
3 failures: 30 secs
4 failures: 1 hour
5 failures: LOCKOUT
And perhaps an overall login lockout if over 30 attempts (or something) in one hour.
Thanks for the responses guys.
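The throttling scheme the thread settled on (per-IP escalating delays, lockout at 5 failures, and karlbenson's site-wide cap of 30 attempts per hour), written up as an added PHP example that is not the original poster's script. The DB tables are stood in for by the in-memory arrays $store and $global so the file runs on its own, and the IP address used in the walk-through is a constructed test value.

```php
<?php
// Added example, not the poster's code: escalating per-IP delays, hard lockout
// after 5 failures, and a site-wide hourly cap. $store and $global are in-memory
// stand-ins for the DB tables so this runs stand-alone; the IP below is constructed.

define('MAX_ATTEMPTS_PER_HOUR', 30);   // the "over 30 attempts in one hour" figure

// Seconds an IP must wait after $failures consecutive failures; null = locked out.
function requiredDelay($failures) {
    $schedule = array(1 => 15, 2 => 20, 3 => 30, 4 => 3600);
    if ($failures <= 0) return 0;
    if (isset($schedule[$failures])) return $schedule[$failures];
    return null;   // 5 or more failures: stays locked until an admin clears the row
}

// True when a login submission from $ip at unix time $now may be checked against
// the password at all; false means reject it without touching the password.
function attemptAllowed(array &$store, array &$global, $ip, $now) {
    // Site-wide cap: forget timestamps older than an hour, then count this attempt.
    // This is the part that still bites when the attacker rotates proxies or bots.
    $global = array_filter($global, function ($t) use ($now) { return $t > $now - 3600; });
    $global[] = $now;
    if (count($global) > MAX_ATTEMPTS_PER_HOUR) {
        return false;   // a real script would also mail the admins at this point
    }
    if (!isset($store[$ip])) return true;            // no failures on record for this IP
    $delay = requiredDelay($store[$ip]['failures']);
    if ($delay === null) return false;               // hard lockout after 5 failures
    return ($now - $store[$ip]['last_failure']) >= $delay;
}

function recordFailure(array &$store, $ip, $now) {
    if (!isset($store[$ip])) $store[$ip] = array('failures' => 0, 'last_failure' => 0);
    $store[$ip]['failures']++;
    $store[$ip]['last_failure'] = $now;
}

function recordSuccess(array &$store, $ip) {
    unset($store[$ip]);   // a good login clears the failure count for that IP
}

// Walk-through with constructed data: one IP keeps getting the password wrong.
$store = array(); $global = array(); $ip = '192.0.2.10';
foreach (array(1000, 1010, 1015, 1030, 1040, 1100, 4800) as $now) {
    $ok = attemptAllowed($store, $global, $ip, $now);
    echo "t=$now attempt " . ($ok ? 'checked' : 'rejected') . "\n";
    if ($ok) recordFailure($store, $ip, $now);   // pretend the password was wrong
}
```

Note that an attempt rejected by the delay is never passed to recordFailure, so hammering the form during the wait does not push the delay further out; only attempts that actually reach the password check count as failures.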