[OWASP_PHPSEC] Login Controller

rahul chaudhary rahul300chaudhary400 at gmail.com
Wed Sep 11 18:21:13 UTC 2013


I read the jFramework's login controller. Here is the overview:

First it checks if the "remember-me" cookie is present. If yes, then after some
checks, it logs in the user.
Then it checks if the user has provided credentials. If yes, then it logs in
the user.

Then it checks if the user has requested to be remembered by the system. In
this case, the jFramework sets the appropriate cookies.
It then redirects the user to the correct page using "view".

*So, compared to my model, I am also doing the same.*



However, I have some doubts about jFramework's model:

1) The LoginController extends BaseControllerClass, which I cannot see
defined anywhere. How is that?

2) When you set the cookie, you are essentially storing the user's username
and PASSWORD in the cookies instead of a long random value. Is this a good
practice?


PS: Location of LoginController is: _japp/control/login.php


On Tue, Sep 10, 2013 at 9:22 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> It seems alright with me.
> It's a good idea to peek at what jFramework's login controller does though.
> -A
>
> On Sep 10, 2013, at 7:24 AM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> Oh yes... the captcha part is just for show... a whole engine will be there
> to handle what we have discussed earlier. I am a little busy with the
> controller; otherwise, after the controllers I will do that thing only.
>
>
> On Tue, Sep 10, 2013 at 7:18 AM, Shivam Dixit <shivamd001 at gmail.com> wrote:
>
>> Hello Rahul,
>>
>> Controllers seem to be good; however, on the brute force issue as we
>> discussed earlier, we can also implement temporary account locking. As we
>> discussed, if 1 is returned (level 1) from the brute force function, *show
>> captcha*; if a *level 2 brute force attempt is made, then lock the account*. I
>> think, for disabling accounts, we will require one more column in the USERS
>> table to check if the account is enabled or disabled, and we will be required to
>> add one more condition to check if the user is enabled or disabled when we
>> authenticate the user.
>>
>>
>> On Tue, Sep 10, 2013 at 4:33 PM, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>>> Hello All,
>>>
>>> Here is the structure of the login controller that I made. Please
>>> comment and notify me if any mistakes are there.
>>>
>>> --
>>> Regards,
>>> Rahul Chaudhary
>>> Ph - 412-519-9634
>>>
>>> _______________________________________________
>>> OWASP_PHP_Security_Project mailing list
>>> OWASP_PHP_Security_Project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>
>>>
>>
>>
>> --
>> *Cheers,*
>> *Shivam*
>>
>
>
>
> --
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
>
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
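The second doubt above (storing the username and password in the remember-me cookie) is the one worth working out. The following is an added example, not jFramework's or the project's code: the cookie carries only a long random token, the server stores a hash of it, and validation uses a constant-time compare. The cookie name `remember_me` and the in-memory `$store` standing in for a token table are assumptions.

```php
<?php
// Added example, not jFramework code: a "remember-me" cookie that carries a
// long random token instead of the username and password. The $store array
// stands in for an assumed REMEMBER_TOKENS table (not jFramework's schema).
const REMEMBER_DAYS = 30;

// Issue a token when the user ticked "remember me". The cookie gets
// selector:validator; the table gets only a hash of the validator.
function issueRememberToken(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, 18 hex chars
    $validator = bin2hex(random_bytes(32));  // the secret part, 64 hex chars
    $expires   = time() + REMEMBER_DAYS * 86400;
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $expires,
    ];
    $value = $selector . ':' . $validator;
    // HttpOnly keeps it from scripts, Secure off plain HTTP, SameSite off CSRF.
    setcookie('remember_me', $value, ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $value;
}

// Verify a presented cookie: returns the user id, or null when the token is
// unknown, expired or forged. hash_equals() compares in constant time.
function checkRememberToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    $valid = $row['expires'] >= time()
        && hash_equals($row['validator_hash'], hash('sha256', $validator));
    if (!$valid) {
        unset($store[$selector]);  // expired or wrong secret: revoke the token
        return null;
    }
    return $row['user_id'];
}

// Usage: issue for user 42, then verify the cookie value that came back.
$store  = [];
$cookie = issueRememberToken($store, 42);
var_dump(checkRememberToken($store, $cookie) === 42);           // true
var_dump(checkRememberToken($store, 'bogus:value') === null);   // true
```

A real implementation would also delete the row on logout and rotate the token after each successful remember-me login, so a stolen cookie stops working once the legitimate user returns.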

