[OWASP_PHPSEC] Remember Me & Brute Force Lock ?

rahul chaudhary rahul300chaudhary400 at gmail.com
Tue Jun 18 09:09:27 UTC 2013


Hmm, ok, I get you. Much better. :)

But is the use of a cookie safe? We did the whole session management to
remove the use of any of PHP's mechanisms. So is using a cookie ok? If yes,
why?


On Tue, Jun 18, 2013 at 5:03 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> No, it's not right. You should not do anything with IPs.
> You should store the username and password in the database as well as a
> unique id in the same record.
> Then store that unique id in the cookie.
>
> Then extract the user:pass pair and try to log in with that every time the
> login page is popped up and a cookie is available.
>
> You can see more in jframework, though it stores the user-id; but storing
> username:password (probably its hash, for security) is a much better
> approach, because it ensures that if the user changes password, the cookie is
> expired.
>
> -Abbas
> On Khordad 28, 1392, at 7:02 AM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> > ok...so every time a user clicks "remember me", our library can extract
> > its IP address and store it in our DB. Then we can assign an ID to this
> > address and also store this ID in the DB. Then we send this ID back to the user
> > in his cookie. Lifetime of cookie - default 1 week.
> >
> > Now every time the user comes back from this IP address and presents this
> > cookie, we will allow the login without his credentials.
> >
> > After the default time has expired, the cookie will destroy itself and
> > we can delete the entry from our table..
> >
> > Is this right?? Any workaround so that cookies do not have to be used??
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
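To make Abbas's scheme concrete, here is an added illustration (not code from this thread or from jframework): the database record keeps the password hash, a hash of a random "remember me" id, an expiry, and a fingerprint of the password hash, while the cookie carries only the random id. The in-memory array, the field names and the function names are assumptions for the example.

```php
<?php
// Added example, not code from the thread or from jframework. An in-memory
// array stands in for the users table; all names here are assumptions.
declare(strict_types=1);

const REMEMBER_LIFETIME = 7 * 24 * 3600; // one week, the default from the thread

// Pretend users table: the remember-me fields live in the same record as the
// password hash, as Abbas suggests. The table never stores the raw cookie token.
$db = [
    'alice' => [
        'password_hash'    => password_hash('correct horse', PASSWORD_DEFAULT),
        'remember_hash'    => null, // sha256 of the cookie token
        'remember_expires' => 0,
        'remember_bound'   => null, // sha256 of password_hash at issue time
    ],
];

// Issue a token for a user who ticked "remember me"; returns the cookie value.
function issueRememberToken(array &$db, string $username): string
{
    $token = bin2hex(random_bytes(32));            // 256-bit unique id, unguessable
    $rec = &$db[$username];
    $rec['remember_hash']    = hash('sha256', $token);
    $rec['remember_expires'] = time() + REMEMBER_LIFETIME;
    // Bind the token to the current password hash so a password change expires it.
    $rec['remember_bound']   = hash('sha256', $rec['password_hash']);
    return $token;
}

// Map a presented cookie back to a username, or null. The IP address is not consulted.
function userFromRememberCookie(array $db, string $token): ?string
{
    $wanted = hash('sha256', $token);
    foreach ($db as $username => $rec) {          // a real table would index remember_hash
        if ($rec['remember_hash'] === null || !hash_equals($rec['remember_hash'], $wanted)) {
            continue;
        }
        if ($rec['remember_expires'] < time()) {
            return null;                           // past the one-week lifetime
        }
        if (!hash_equals($rec['remember_bound'], hash('sha256', $rec['password_hash']))) {
            return null;                           // password changed since issue
        }
        return $username;
    }
    return null;
}

$token = issueRememberToken($db, 'alice');
setcookie('remember', $token, time() + REMEMBER_LIFETIME, '/', '', true, true); // Secure, HttpOnly
$user = userFromRememberCookie($db, $token);                        // accepted while valid
$db['alice']['password_hash'] = password_hash('new pass', PASSWORD_DEFAULT);
$user = userFromRememberCookie($db, $token);                        // re-check after password change
```

Because the cookie only ever holds a random id, a leaked database row does not reveal a usable cookie, and a password change invalidates the id without touching the cookie table.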