Skip to content
This repository has been archived by the owner on Jul 21, 2020. It is now read-only.
mrflip edited this page Aug 17, 2010 · 1 revision

Authentication security projects for a later date

  • Track ‘failed logins this hour’ and demand a captcha after say 5 failed logins
    (RECAPTCHA plugin.)
    in which case we’d better recommend “De-proxy-ficating IP address”: http://wiki.codemongers.com/NginxHttpRealIpModule
  • Make cookie spoofing a little harder: we set the user’s cookie to
    (remember_token), but store digest(remember_token, request_IP). A CSRF cookie
    spoofer has to then at least also spoof the user’s originating IP
    (see Secure Programs HOWTO)
  • Log HTTP request on authentication / authorization failures (see here )
Clone this wiki locally