[OWASP_PHPSEC] Remember Me & Brute Force Lock ?

rahul chaudhary rahul300chaudhary400 at gmail.com
Tue Jun 18 02:32:15 UTC 2013


OK... so every time a user clicks "remember me", our library can extract his
IP address and store it in our DB. Then we can assign an ID to this address
and also store this ID in the DB. Then we send this ID back to the user in his
cookie. Lifetime of cookie: default 1 week.

Now every time the user comes back from this IP address and presents this
cookie, we will allow the login without his credentials.

After the default time has expired, the cookie will destroy itself and we
can delete the entry from our table.

Is this right?? Any workaround so that cookies do not have to be used??
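The flow proposed above (IP stored in the DB, an ID sent back in a cookie, one-week lifetime, entry deleted on expiry), written out as an added example that is not code from the OWASP PHPSEC library or from the poster. It assumes a constructed in-memory array as the DB table and the names issueRememberToken / checkRememberToken; the ID is a random token stored only as a hash, so neither a sequential counter nor a raw DB read yields a usable cookie. Note that IP binding alone is a weak check on shared or NATed addresses.

```php
<?php
// Added example (not from the OWASP PHPSEC library): the "remember me" flow
// from the thread, with a constructed in-memory array standing in for the DB.
// The ID placed in the cookie is a random token; the DB keeps only its SHA-256
// hash. Lifetime: the default 1 week mentioned in the thread.

const REMEMBER_LIFETIME = 7 * 24 * 3600;   // default 1 week

$rememberTable = [];   // constructed stand-in for the DB table: hash => row

// Called when the user ticks "remember me": store IP + hashed ID, return the
// value to put in the cookie, e.g.
//   setcookie('remember', $token, $now + REMEMBER_LIFETIME, '/', '', true, true);
// (secure + httponly so the ID is not exposed over plain HTTP or to scripts).
function issueRememberToken(array &$table, int $userId, string $ip, int $now): string
{
    $token = bin2hex(random_bytes(32));        // unguessable ID for the cookie
    $table[hash('sha256', $token)] = [
        'user_id' => $userId,
        'ip'      => $ip,
        'expires' => $now + REMEMBER_LIFETIME,
    ];
    return $token;
}

// Called on a later visit: allow login only if the cookie's ID is known, the
// request comes from the same IP, and the entry has not expired. Returns the
// user ID or null; an expired entry is deleted from the table on the spot.
function checkRememberToken(array &$table, string $token, string $ip, int $now): ?int
{
    $key = hash('sha256', $token);
    if (!isset($table[$key])) {
        return null;                           // unknown ID: ask for credentials
    }
    $row = $table[$key];
    if ($now >= $row['expires']) {
        unset($table[$key]);                   // lifetime over: drop the DB row
        return null;
    }
    if (!hash_equals($row['ip'], $ip)) {
        return null;                           // different address: ask for credentials
    }
    return $row['user_id'];
}

// Demonstration with constructed values (documentation-range IPs).
$now   = time();
$token = issueRememberToken($rememberTable, 42, '203.0.113.7', $now);
var_dump(checkRememberToken($rememberTable, $token, '203.0.113.7', $now + 3600));
var_dump(checkRememberToken($rememberTable, $token, '198.51.100.9', $now + 3600));
var_dump(checkRememberToken($rememberTable, $token, '203.0.113.7', $now + REMEMBER_LIFETIME));
```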