cookies - How should I manage username/password session information? -


I have a website (in which the original essence is described), and I have no way of storing a user name And some information about the user continually when they use the site (i.e., upload and download data).

Right now, given a successful login, I was returning the hash with password as well as any associated information. At any time the user tries the user, his user name, hash, and what should be in the database next to it. If the user logs out, then all information is flushed in their local Sinatra session.

I know that this is a very simple approach. Is there a better way to handle user session information? Wikipedia entry on cookies mentions that a session uid is used instead of this other information; What is the advantage of that approach? I suspect that this approach is too weak for other attacks, but since I have done everything I verify, I am not sure which attacks I am opening.

In addition, if / when I apply SSL, are these transactions 'encrypted automatically', or I will need to do something else to ensure that the wire Are they safe if they are needed?

This is really a very complex problem, just to describe, you have an account lock-out The problem is: If you stop based on unsuccessful attempts, how easy is it for an attacker to dos your website?

I started some best practices:

  1. The username and user id have the password Snuff and hazard Store (you should also store salt next to hash.)

  2. Reject frequently bad-password attempts (once every few seconds More than times)

  3. If any user or any IP address (more than 3x in a minute) attempts are unsuccessful , Then some human-validation is required , like Captcha, it allows you to stop total dos attacks

  4. If an auto If the logging system is implementing, then use token authentication system

  5. For the token authentication system, a secure random number generator Use plain senders to send users, but salt and housed tokens Send.

  6. Use TLS / SLL if possible , but after data is closed, do not rely on your security.


Comments

Post a Comment

Popular posts from this blog

sql - dynamically varied number of conditions in the 'where' statement using LINQ -

I am using my first project LINQ (in mvc), so maybe there's something very simple that I remember. However, a day of searching and experimenting does not work, so it works. I am trying to write a LINQ query (Linux to SQL) in which in many cases where the statement is different from an OR or an AND. We do not know how many conditions are going in the query till runtime. This search is for filter control, where the user can choose multiple criteria for filtering. Select from table where table.col = 1 or table.col = 2 or table.col = 7 .... 'Other number of conditions Before I just create the SQL query as a string, while looping over all the situations. However, it seems that there should be a good way to do this in LINQ. I tried to use Expression trees, but they had a second thought for this moment on my head, where the lambda function was to be executed inside the statement such as: values ​​for matchingRows = matchingRows for each value Where (function (row) row.c...
Read more

asp.net mvc - Dynamically Generated Ajax.BeginForm -

I have a problem with ASP.NET MVC Ajax forms. I generate many Ajax form in a table such as: & Lt; Input type = "submit" name = "activity" value = "add activity" / & gt; & Lt;%}% & gt; & Lt; / TD & gt; & Lt; / TR & gt; & Lt;%}% & gt; So far so good. When I post one of those forms, it gives a partial view in a div, and in this new partial view a new Ajax Beginnform (which is not in Genesis form) This second Ajax Beginnorf is exactly like the ones I got on the table, but when I post it, I do not get the "Ajax Post", but a normal post that sends me to a new page, I do not know whether the two Ajax forms What is the reason for the difference between, why is it the "dynamically generated" Ajax form behaves like a normal HTML form? By the way, I know that I can do it in different ways using javascript, but I would like to understand whether it can only be done using MVC helplars and Ajax lib...
Read more

Debug on symbian -

I am using trk for phone debug This works well for the Holorld project But when I start the project in phone debug mode 1) the load failed 2) TrkProtocolPlugin: to target the specified file Failure (please verify If any body understands what problem I am experiencing, then this problem helps me Pre-release If the application has the privileges assigned (with the appropriate certificate) itemprop = "text" > In your case, I will check: / li> If there is no conflict of application ID with any other application of device If there are problematic commands in the installation package (for example copy copy for non-accessible directories)
Read more