[OWASP_PHPSEC] Remember Me & Brute Force Lock ?

Abbas Naderi abiusx at owasp.org
Tue Jun 18 09:03:53 UTC 2013


No, it's not right. You should not do anything with IPs.
You should store the username and password in the database as well as a unique id in the same record.
Then store that unique id in the cookie.

Then extract the user:pass pair and try to login with that every time the login page is popped up and a cookie is available.

You can see more in jframework, though it stores the user-id, but storing username:password (probably its hash due to security) is a much better approach, because it ensures that if the user changes password, the cookie is expired.

-Abbas
On Khordad 28, 1392, at 7:02 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> ok...so every time a user clicks "remember me", our library can extract its IP address and store it in our DB. Then we can assign an ID to this address and also store this ID in the DB. Then we send this ID back to the user in his cookie. Lifetime of cookie - default 1 week.
> 
> Now every time the user comes back from this IP address and presents this cookie, we will allow the login without his credentials.
> 
> After the default time has expired, the cookie will destroy itself and we can delete the entry from our table.
> 
> Is this right? Any workaround so that cookies do not have to be used?
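The scheme Abbas describes (a unique id in the cookie, a database record holding that id plus the user's credential hash, and the cookie ceasing to work once the password changes, or after the one-week default expiry from the thread), as an added Python example that is not part of the thread or of jframework. The in-memory dicts, the demo hashing and all function names are assumptions; the cookie carries the id plus a random secret whose hash is stored, so a leaked database table does not yield usable cookies.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory "database" standing in for the records the post describes.
USERS = {}     # username -> current password hash (demo hashing, see register())
REMEMBER = {}  # selector (the unique id) -> remember-me record
COOKIE_LIFETIME = 7 * 24 * 3600  # the one-week default mentioned in the thread

def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def register(username: str, password: str) -> None:
    # Demo-only hashing; a real app uses password_hash()/bcrypt with a per-user salt.
    USERS[username] = _hash("demo-salt:" + password)

def change_password(username: str, new_password: str) -> None:
    USERS[username] = _hash("demo-salt:" + new_password)

def issue_remember_me(username: str, now: float = None) -> str:
    """Create the DB record and return the cookie value (selector:validator)."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # unique id, stored in cookie and DB
    validator = secrets.token_urlsafe(32)  # secret part; only its hash is stored
    REMEMBER[selector] = {
        "username": username,
        "validator_hash": _hash(validator),
        "pw_hash_at_issue": USERS[username],  # ties the token to the current password
        "expires": now + COOKIE_LIFETIME,
    }
    return f"{selector}:{validator}"

def login_from_cookie(cookie: str, now: float = None):
    """Return the username if the cookie is valid, else None (and drop the record)."""
    now = time.time() if now is None else now
    selector, _, validator = cookie.partition(":")
    rec = REMEMBER.get(selector)
    if rec is None:
        return None
    ok = (hmac.compare_digest(rec["validator_hash"], _hash(validator))
          and now < rec["expires"]
          # Password changed since issue -> stored hash no longer matches -> reject
          and USERS.get(rec["username"]) == rec["pw_hash_at_issue"])
    if not ok:
        REMEMBER.pop(selector, None)  # expired, forged, or password changed: invalidate
        return None
    return rec["username"]
```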


