Please nitpick my login script!

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Please nitpick my login script!

Post by Mordred »

andym01480 wrote: I got that from Chris Shiflett's book!
What, the "throttle" code? I haven't read the book either, but I think you might have copied the code without understanding the context in which it should be used (and that is VERY important, let me tell you).

In addition, preventing multiple logins from one account too often is of limited use:
- The attacker can just try other accounts while waiting for the first to let him try again
- Without proper logging and alarm rings, you just slow the attacker by a fixed factor, you don't really prevent anything
- It's hard to provide brute-force protection while not giving the attacker the opportunity for DoS. A couple of lines of code certainly won't do.

In short, you need to understand all attack scenarios and then implement a system, otherwise you end up avoiding one thing and opening the door for another.
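As an added illustration of the three points above (this is example code, not the script under review and not from Shiflett's book): a throttle that logs every failure, counts failures per account and per source address within a sliding window, tells the caller how long to reject the attempt for instead of sleeping in the request, caps that backoff so a single account cannot be locked out indefinitely, and raises an alarm on the aggregate failure rate so distributed guessing across many accounts still gets noticed. The PDO connection $db and the login_failures table and its columns are hypothetical names chosen for the example.

```php
<?php
// Added example: per-account AND per-IP login throttling with logging and an alarm.
// Assumed (hypothetical) schema:
//   login_failures(username VARCHAR(64), ip VARCHAR(45), attempted_at INT)

const WINDOW_SECONDS     = 900;  // count failures from the last 15 minutes
const MAX_PER_ACCOUNT    = 5;    // failures before one account is throttled
const MAX_PER_IP         = 20;   // failures before one source address is throttled
const ALARM_TOTAL        = 100;  // failures across ALL accounts that trigger an alarm
const MAX_BACKOFF_SECONDS = 30;  // cap: bounds how long an attacker can lock a victim out

function record_failure(PDO $db, string $username, string $ip): void
{
    $stmt = $db->prepare(
        'INSERT INTO login_failures (username, ip, attempted_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$username, $ip, time()]);
    // Every failure is logged so a human or a log monitor can see the pattern.
    error_log(sprintf('login failure user=%s ip=%s', $username, $ip));
}

// Returns [number of recent failures, timestamp of the most recent one].
// $column comes from a fixed list in this file, never from user input.
function failure_stats(PDO $db, string $column, string $value): array
{
    if (!in_array($column, ['username', 'ip'], true)) {
        throw new InvalidArgumentException('unexpected column');
    }
    $stmt = $db->prepare(
        "SELECT COUNT(*), MAX(attempted_at) FROM login_failures
          WHERE $column = ? AND attempted_at > ?"
    );
    $stmt->execute([$value, time() - WINDOW_SECONDS]);
    [$count, $last] = $stmt->fetch(PDO::FETCH_NUM);
    return [(int) $count, (int) $last];
}

function total_failures(PDO $db): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_failures WHERE attempted_at > ?');
    $stmt->execute([time() - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

// Seconds the caller should refuse this attempt for (0 = let it through).
// The caller rejects immediately rather than sleep()ing, so the throttle
// does not tie up PHP workers and become a DoS lever itself.
function retry_after(PDO $db, string $username, string $ip): int
{
    if (total_failures($db) > ALARM_TOTAL) {
        // Per-account counters never trip when the attacker rotates accounts,
        // so the alarm is driven by the aggregate rate instead.
        error_log('ALARM: login failure rate exceeds threshold, possible credential attack');
    }

    $retry = 0;
    foreach ([
        failure_stats($db, 'username', $username) + [2 => MAX_PER_ACCOUNT],
        failure_stats($db, 'ip', $ip)             + [2 => MAX_PER_IP],
    ] as [$count, $last, $limit]) {
        $over = $count - $limit;
        if ($over < 0) {
            continue;                       // under the limit in this dimension
        }
        // Exponential backoff after the limit, but capped: with a 30 s cap an
        // attacker hammering one account gets ~2 guesses/min and the real owner
        // is locked out for at most 30 s at a time.
        $backoff = (int) min(2 ** $over, MAX_BACKOFF_SECONDS);
        $retry   = max($retry, $last + $backoff - time());
    }
    return max(0, $retry);
}

// Usage in a login handler (hypothetical helper credentials_valid()):
//   $ip = $_SERVER['REMOTE_ADDR'];
//   if (retry_after($db, $username, $ip) > 0) { http_response_code(429); exit; }
//   if (!credentials_valid($db, $username, $password)) {
//       record_failure($db, $username, $ip);
//   }
```

The two counters are deliberately kept in one table: the per-account counter on its own is exactly the "throttle" that only slows an attacker who stays on one username, and the per-IP counter on its own is defeated by a distributed source, so neither replaces the alarm.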
aschlosberg
Forum Newbie
Posts: 24
Joined: Fri Jan 23, 2009 10:17 pm

Re: Please nitpick my login script!

Post by aschlosberg »

Just a couple of things to add:

You don't need to create $sql['password'] as it isn't being used in a query - this will just add unnecessary processing.

Your script keeps track of the access level of the original username and password rather than who is actually logged in. As you implement it in various projects this will most likely become a requirement.
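An added example of what that requirement looks like in practice (example code, not the poster's script): the session records only the id of the user who actually authenticated, and the access level is read back from the database on every request, so it always describes the logged-in user and picks up any change an administrator makes after login. It also avoids building an escaped copy of the password, since the password only ever goes into password_verify(), never into a query. Table and column names (users.id, users.username, users.password_hash, users.access_level) are hypothetical; $db is an assumed PDO connection.

```php
<?php
// Added example: identity in the session, access level looked up per request.
// Assumed (hypothetical) schema:
//   users(id INT, username VARCHAR(64), password_hash VARCHAR(255), access_level INT)

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;                      // unknown user or wrong password
    }

    session_regenerate_id(true);           // fresh session id on privilege change
    $_SESSION = ['user_id' => (int) $row['id']];  // store who logged in, not their role
    return true;
}

// null means nobody is logged in (or the account no longer exists).
function current_access_level(PDO $db): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT access_level FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $level = $stmt->fetchColumn();
    return $level === false ? null : (int) $level;
}

// Guard for a page: the level checked is the current one, not the one cached at login.
function require_level(PDO $db, int $needed): void
{
    $level = current_access_level($db);
    if ($level === null || $level < $needed) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage (hypothetical level numbers): session_start(); require_level($db, 2);
```

The extra query per request is the price of correctness here; if it matters, cache the level in the session with a short expiry and a version stamp rather than for the lifetime of the login.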