Secure log in script - [Not SMF Related]

Started by Thunderace, December 24, 2007, 10:30:11 AM


Thunderace

Hi guys

I'm writing myself a new secure (hopefully) login script and I was wondering if you think I have missed anything or could improve anything.

The log in $_POST

I redirect this to a script and back again to lose the browser "back button" log in by legacy $_POST.

Off site scripting

The log in $_POST sets a unique token which is set in the $_POST as well as $_SESSION then the two are compared for validity when the $_POST is redirected to the handling file.

SQL injection

A simple function only allowing alphanumeric and _ (underscore) - (hyphen) . (dot)

function mysql_prepare_input($input) {
  // Strip every character except alphanumerics, space, _ (underscore), - (hyphen) and . (dot).
  // The character class already covers both cases, so the /i flag is not needed.
  $input = preg_replace("/[^a-zA-Z0-9 _.-]/", "", $input);
  // The whitelist above leaves nothing for this to escape, but a second layer won't hurt :)
  $input = mysql_real_escape_string($input);
  return $input;
}


Brute force
A failed log in sets in the DB a time and failure count based on IP.

1 failure you have to wait 15 secs to try again
2 failures 20 secs
3 failures 30 secs
4+ 1 hour

What do you think? Did I miss anything?

SleePy

Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

karlbenson

If you're really worried about brute force and you're protecting something valuable.

You could try setting a maximum number of attempted login sessions per hour.

That way if someone tries brute forcing through multiple proxies or bot-nets, it will prevent further logins.
Maybe even have it send out an email to the admins to make them aware.

Thunderace

#3
Quote from: karlbenson - December 30, 2007, 05:48:21 PM
If you're really worried about brute force and you're protecting something valuable.

You could try setting a maximum number of attempted login sessions per hour.

That way if someone tries brute forcing through multiple proxies or bot-nets, it will prevent further logins.
Maybe even have it send out an email to the admins to make them aware.

This is a good idea karlbenson .. thanks ..

The IP-based system was worrying me as few internet users actually have a dedicated IP and, as you mentioned, the real brute force threat is multiple proxies or bot-nets.

I think I'll add an IP-based "lockout" at 5 attempts

1 failure you have to wait 15 secs to try again
2 failures 20 secs
3 failures 30 secs
4 1 hour
5 LOCKOUT

And perhaps an overall login lockup if over 30 attempts (or something) in one hour.

Thanks for the responses guys.
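The throttling policy the thread settles on (escalating per-IP delays, a hard lockout on the fifth failure, and an overall lockup once 30 failures land inside one hour) as an added example, not code from the thread. It is written in Python rather than the poster's PHP so the logic can be exercised stand-alone; the database table is replaced by in-memory structures and a caller-supplied clock (assumptions), and the exact 15/20/30 second and 1 hour values are the ones from the posts above.

```python
from collections import defaultdict, deque

# Seconds an IP must wait after its Nth consecutive failure (from the thread);
# the fifth failure locks the IP until it is cleared by hand.
DELAY_AFTER_FAILURES = {1: 15, 2: 20, 3: 30, 4: 3600}
LOCKOUT_AT = 5
GLOBAL_LIMIT = 30      # failures from all IPs combined ...
GLOBAL_WINDOW = 3600   # ... inside this many seconds trip the overall lockup


class LoginThrottle:
    """In-memory stand-in for the DB rows the poster keys by IP (assumption)."""

    def __init__(self):
        self.failures = defaultdict(int)  # ip -> consecutive failures
        self.last_failure = {}            # ip -> time of the latest failure
        self.locked = set()               # ips that reached LOCKOUT_AT
        self.recent = deque()             # times of every failure, any ip

    def _prune(self, now):
        # Drop failures older than the global window (deque is time-ordered).
        while self.recent and now - self.recent[0] >= GLOBAL_WINDOW:
            self.recent.popleft()

    def check(self, ip, now):
        """Call before validating credentials: (allowed, reason, seconds_to_wait)."""
        self._prune(now)
        if ip in self.locked:
            return False, "ip_locked", None
        if len(self.recent) >= GLOBAL_LIMIT:
            # Too many failures site-wide in the last hour, whatever the source IP.
            return False, "global_lockup", GLOBAL_WINDOW - (now - self.recent[0])
        n = self.failures[ip]
        if n:
            wait = DELAY_AFTER_FAILURES[n] - (now - self.last_failure[ip])
            if wait > 0:
                return False, "ip_delay", wait
        return True, "ok", 0

    def record_failure(self, ip, now):
        """Bump the IP's counter; returns the new count (>= LOCKOUT_AT means locked)."""
        self.failures[ip] += 1
        self.last_failure[ip] = now
        self.recent.append(now)
        if self.failures[ip] >= LOCKOUT_AT:
            self.locked.add(ip)
        return self.failures[ip]

    def record_success(self, ip):
        # A good login resets that IP's escalation but not the global counter.
        self.failures.pop(ip, None)
        self.last_failure.pop(ip, None)
```

The global counter is the part that still works when the attacker rotates addresses, which is why it is kept separately from the per-IP state.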

