[OWASP_PHPSEC] Remember Me & Brute Force Lock ?

rahul chaudhary rahul300chaudhary400 at gmail.com
Mon Jun 17 21:29:52 UTC 2013


For "Remember Me" ---->  isn't it the same as sessions? Till the sessions are
active, the user remains logged in.


On Tue, Jun 11, 2013 at 1:45 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> If by 4-5 locks you mean 4-5 tries, yes CAPTCHA is a great solution BUT
> keep in mind, there are APIs to bypass captchas in the mass, so don't rely
> on them. After a few captcha checks, locking would be required (though not
> for long, an hour with an email to the user explaining the attack will do).
> It can be increased exponentially, but firewalls should've already blocked
> the abusive IPs.
>
> For Remember Me though, you should never store sensitive data in cookies.
> Instead store a random token in cookie and database, and link it to a
> user:pass pair and login using that.
> -Abbas
>
> On Khordad 21, 1392, at 5:38 PM, Azeddine Islam Mennouchi <
> azeddine.mennouchi at owasp.org> wrote:
>
> yes Captcha is a solution
>
> Regards Islam,
>
>
> On Sun, Jun 9, 2013 at 1:01 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
>> after 4-5 locks, introducing captcha is ok??
>>
>>
>> On Sun, Jun 9, 2013 at 6:39 AM, Azeddine Islam Mennouchi <
>> azeddine.mennouchi at owasp.org> wrote:
>>
>>> Hey,
>>> For the locking thing:
>>> Locking accounts can be used in an abusive way by an attacker; anyone can
>>> try to lock hundreds of accounts. Think of alternatives like injecting
>>> random pauses in the login process or something.
>>>
>>> Regards Islam,
>>>
>>>
>>> On Sun, Jun 9, 2013 at 10:39 AM, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>>
>>>> Hello Guys,
>>>>
>>>> I am having trouble thinking how to enforce the "remember me"
>>>> functionality and "brute-force locking" functionality in the best way.
>>>>
>>>> I have not researched enough but I thought this place would be faster
>>>> to get answers. :)
>>>>
>>>> --
>>>> Regards,
>>>> Rahul Chaudhary
>>>> Ph - 412-519-9634
>>>>
>>>> _______________________________________________
>>>> OWASP_PHP_Security_Project mailing list
>>>> OWASP_PHP_Security_Project at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>>
>>>>
>>>
>>>
>>> --
>>> Islam Azeddine Mennouchi
>>> Consultant at NovaSup
>>> http://www.novasup.com/
>>> OWASP ALGERIA Chapter Leader
>>> phone n°: +213796314102
>>>
>>
>>
>>
>> --
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
>>
>
>
>
> --
> Islam Azeddine Mennouchi
> Consultant at NovaSup
> http://www.novasup.com/
> OWASP ALGERIA Chapter Leader
> phone n°: +213796314102
>
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
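The remember-me scheme Abbas describes above (a random token in the cookie, stored in the database and linked to the user, with no sensitive data in the cookie itself), as an added Python example that is not from this thread or from the OWASP PHP Security Project code. The in-memory dict stands in for the database table, the 30-day lifetime is an assumed policy value, and the selector:validator split and single-use rotation are design choices added here, not stated in the thread.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for the database table:
# selector -> {"user_id", "validator_hash", "expires"}
REMEMBER_TOKENS: dict = {}
TOKEN_LIFETIME = 30 * 24 * 3600  # 30 days; an assumed policy value


def issue_remember_token(user_id: int, now: Optional[float] = None) -> str:
    """Create a random token, store only its hash server-side, and return
    the cookie value. The cookie carries no username or password."""
    now = time.time() if now is None else now
    selector = secrets.token_hex(12)   # lookup key, stored in clear
    validator = secrets.token_hex(32)  # secret part, stored only as a hash
    REMEMBER_TOKENS[selector] = {
        "user_id": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + TOKEN_LIFETIME,
    }
    return f"{selector}:{validator}"


def login_from_remember_cookie(cookie: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user_id the cookie maps to, or None if it is unknown,
    expired or tampered with. A used token is revoked so the caller must
    issue a fresh one; a stolen copy then cannot be replayed later."""
    now = time.time() if now is None else now
    selector, sep, validator = cookie.partition(":")
    record = REMEMBER_TOKENS.get(selector) if sep else None
    if record is None:
        return None
    if now > record["expires"]:
        del REMEMBER_TOKENS[selector]
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison of the hashes; a mismatch with a valid
    # selector means the validator was guessed or altered, so revoke it.
    if not hmac.compare_digest(presented, record["validator_hash"]):
        del REMEMBER_TOKENS[selector]
        return None
    del REMEMBER_TOKENS[selector]  # single use: rotate on every login
    return record["user_id"]
```

A real deployment would also mark the cookie HttpOnly and Secure and keep the selector lookup indexed, which this in-memory stand-in does not show.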