forked from technoweenie/restful-authentication
-
Notifications
You must be signed in to change notification settings - Fork 1
/
TODO
15 lines (10 loc) · 756 Bytes
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
h3. Authentication security projects for a later date
* Track 'failed logins this hour' and demand a captcha after say 5 failed logins
("RECAPTCHA plugin.":http://agilewebdevelopment.com/plugins/recaptcha)
"De-proxy-ficate IP address": http://wiki.codemongers.com/NginxHttpRealIpModule
* Make cookie spoofing a little harder: we set the user's cookie to
(remember_token), but store digest(remember_token, request_IP). A CSRF cookie
spoofer has to then at least also spoof the user's originating IP
(see "Secure Programs HOWTO":http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-authentication.html)
* Log HTTP request on authentication / authorization failures
http://palisade.plynt.com/issues/2004Jul/safe-auth-practices