[OWASP_PHPSEC] Remember Me & Brute Force Lock ?

Abbas Naderi abiusx at owasp.org
Mon Jun 17 23:42:49 UTC 2013


Not in the user specific or session specific data, but in general application data.

On Khordad 28, 1392, at 1:59 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> For "Remember Me" ---->  isn't it the same as sessions? Till the sessions are active, the user remains logged in..
> 
> 
> On Tue, Jun 11, 2013 at 1:45 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> If by 4-5 locks you mean 4-5 tries, yes CAPTCHA is a great solution BUT keep in mind, there are APIs to bypass captchas in mass, so don't rely on them. After a few captcha checks, locking would be required (though not for long, an hour with an email to the user explaining the attack will do).
> It can be increased exponentially, but firewalls should've already blocked the abusive IPs.
> 
> For Remember Me though, you should never store sensitive data in cookies. Instead store a random token in cookie and database, and link it to a user:pass pair and login using that.
> -Abbas
> 
> On Khordad 21, 1392, at 5:38 PM, Azeddine Islam Mennouchi <azeddine.mennouchi at owasp.org> wrote:
> 
>> yes Captcha is a solution
>> 
>> Regards Islam,
>> 
>> 
>> On Sun, Jun 9, 2013 at 1:01 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> after 4-5 locks, introducing captcha is ok??
>> 
>> 
>> On Sun, Jun 9, 2013 at 6:39 AM, Azeddine Islam Mennouchi <azeddine.mennouchi at owasp.org> wrote:
>> Hey,
>> For the locking thing
>> Locking accounts can be used in an abusive way by an attacker; anyone can try to lock hundreds of accounts. Think of alternatives like injecting random pauses in the login process or something.
>> 
>> Regards Islam,
>> 
>> 
>> On Sun, Jun 9, 2013 at 10:39 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> Hello Guys,
>> 
>> I am having trouble thinking how to enforce the "remember me" functionality and "brute-force locking" functionality in the best way.
>> 
>> I have not researched enough but I thought this place would be faster to get answers. :)
>> 
>> -- 
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
>> 
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>> 
>> 
>> 
>> 
>> -- 
>> Islam Azeddine Mennouchi
>> Consultant at NovaSup
>> http://www.novasup.com/
>> OWASP ALGERIA Chapter Leader
>> phone n°: +213796314102
> 

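A worked sketch of the token scheme Abbas describes (random token in the cookie, linked to the user in the database, nothing sensitive in the cookie itself), added here as an example; it is not code from the thread or from the OWASP PHPSEC project. It splits the cookie value into a lookup selector and a secret validator and stores only a hash of the validator, which goes a step beyond the thread's wording; the `$db` array stands in for a persistent-logins table and the 30-day lifetime is an assumed value.

```php
<?php
// Added example, not from the thread. $db stands in for a database table keyed by
// selector; in production use PDO, and set the cookie with secure + httponly flags.

const TOKEN_LIFETIME = 30 * 24 * 3600; // 30 days (assumed value)

// Issue a remember-me token for $userId. Returns the cookie value "selector:validator";
// the database receives only sha256(validator), so a leaked table does not leak logins.
function issue_remember_token(array &$db, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, safe to store in clear
    $validator = bin2hex(random_bytes(32));  // the actual secret, never stored in clear
    $db[$selector] = [
        'user_id'   => $userId,
        'validator' => hash('sha256', $validator),
        'expires'   => $now + TOKEN_LIFETIME,
    ];
    return $selector . ':' . $validator;
}

// Check a cookie value. Returns the user id on success, null otherwise. The row is
// removed on every use, so the caller issues a fresh token and a copied cookie is
// good for one login at most.
function check_remember_token(array &$db, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($db[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $db[$selector];
    unset($db[$selector]);                   // single use, whatever the outcome
    if ($row['expires'] < $now) {
        return null;                          // expired: force a password login
    }
    // Constant-time compare so the check does not leak the stored hash via timing.
    if (!hash_equals($row['validator'], hash('sha256', $validator))) {
        return null;                          // valid selector, wrong secret: likely theft
    }
    return (int) $row['user_id'];
}

// Drop every persistent login of a user, e.g. after a password change or a reported
// theft, so tokens stay tied to the user's current credentials as the thread suggests.
function revoke_user_tokens(array &$db, int $userId): void
{
    foreach ($db as $selector => $row) {
        if ($row['user_id'] === $userId) {
            unset($db[$selector]);
        }
    }
}
```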