[OWASP_PHPSEC] Login Controller

Abbas Naderi abiusx at owasp.org
Thu Sep 12 00:02:24 UTC 2013


I think you got the wrong jframework login controller.

jframework has a basic user management (aka user management) and an extended one (xuser). You should check XUsers login!
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Sep 11, 2013, at 2:21 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> I read the jFramework's login controller. Here is the overview:
> 
> First it checks if the "remember-me" cookie is present. If yes, then after some checks, it logs in the user.
> Then it checks if the user has provided credentials. If yes, then it logs in the user.
> 
> Then it checks if the user has requested the system to remember him. In this case, the jFramework sets the appropriate cookies.
> It then redirects the user to the correct page using "view".
> 
> So, comparing to my model, I am also doing the same.
> 
> 
> 
> However, I have some doubts about jFramework's model:
> 
> 1) The LoginController extends BaseControllerClass, which I cannot see defined anywhere. How is that?
> 
> 2) When you set the cookie, you are essentially storing the user's username and PASSWORD in the cookies instead of a long random value. Is this a good practice?
> 
> 
> PS: Location of LoginController is: _japp/control/login.php
> 
> 
> On Tue, Sep 10, 2013 at 9:22 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> It seems alright with me.
> It's a good idea to peek at what jframework's login controller does though.
> -A
> 
> On Sep 10, 2013, at 7:24 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> 
>> Oh yes... the captcha part is just for show... a whole engine will be there to handle what we have discussed earlier. I am a little busy with the controller; otherwise, after the controllers I will do that thing only.
>> 
>> 
>> On Tue, Sep 10, 2013 at 7:18 AM, Shivam Dixit <shivamd001 at gmail.com> wrote:
>> Hello Rahul,
>> 
>> Controllers seem to be good. However, on the brute force issue we discussed earlier, we can also implement temporary account locking. As we discussed, if 1 is returned (level 1) from the brute force function, show a captcha; if a level 2 brute force attempt is made, then lock the account. I think, for disabling accounts, we will require one more column in the USERS table to check if the account is enabled or disabled, and we will be required to add one more condition to check if the user is enabled or disabled when we authenticate the user.
>> 
>> 
>> On Tue, Sep 10, 2013 at 4:33 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> Hello All,
>> 
>> Here is the structure of the login controller that I made. Please comment and notify me if any mistakes are there.
>> 
>> -- 
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
>> 
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>> 
>> 
>> 
>> 
>> -- 
>> Cheers,
>> Shivam
>> 
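As an added example, not jframework's code nor code from any poster in this thread, here is the remember-me design Rahul asks about in his second point, written in PHP: the cookie carries a long random token rather than the username and password, and the controller follows the three steps he lists (cookie first, then credentials, then set the cookie), honouring the "enabled" column Shivam proposes on the password path. `$store` with its `users` and `remember` keys is an assumed in-memory stand-in for the database tables.

```php
<?php
declare(strict_types=1);
// $store is a constructed in-memory stand-in for the USERS/remember tables.
const REMEMBER_TTL = 30 * 24 * 3600;   // 30 days

// Cookie = "selector:validator"; only sha256(validator) is stored, so a
// leaked database row cannot be turned back into a working cookie.
function issueRememberToken(array &$store, string $user): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $store['remember'][$selector] = ['user' => $user,
        'hash' => hash('sha256', $validator), 'expires' => time() + REMEMBER_TTL];
    return "$selector:$validator";
}

// Step 1: login from cookie; the token is consumed on lookup (single use).
function loginFromCookie(array &$store, ?string $cookie): ?string
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = $store['remember'][$selector] ?? null;
    unset($store['remember'][$selector]);
    if ($row === null || $row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                    // hash_equals: constant-time compare
    }
    return $row['user'];
}

// Steps 1-3 from the thread: cookie first, then credentials (checking the
// proposed "enabled" column), then a fresh cookie if remembering was asked.
function handleLogin(array &$store, ?string $cookie, array $post): array
{
    $user = loginFromCookie($store, $cookie);
    $remember = $user !== null;                 // a valid cookie is rotated
    if ($user === null && isset($post['username'], $post['password'])) {
        $row = $store['users'][$post['username']] ?? null;
        if ($row !== null && $row['enabled']
            && password_verify($post['password'], $row['pw_hash'])) {
            $user = $post['username'];
        }
        $remember = !empty($post['remember']);
    }
    $newCookie = ($user !== null && $remember) ? issueRememberToken($store, $user) : null;
    return ['user' => $user, 'cookie' => $newCookie];
}
```

The caller sets `$newCookie` with `setcookie()` using the HttpOnly and Secure flags and writes the user into the session; the `users` rows are expected to hold `pw_hash` from `password_hash()` and a boolean `enabled`.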