
Re: Please nitpick my login script!

Posted: Wed Jan 28, 2009 3:02 am
by Mordred
andym01480 wrote: I got that from Chris Shiflett's book!
What, the "throttle" code? I haven't read the book either, but I think you might have copied the code without understanding the context in which it should be used (and that is VERY important, let me tell you).

In addition, preventing multiple logins from one account too often is of limited use:
- The attacker can just try other accounts while waiting for the first to let him try again
- Without proper logging and alarm rings, you just slow the attacker by a fixed factor, you don't really prevent anything
- It's hard to provide brute-force protection while not giving the attacker the opportunity for DoS. A couple of lines of code certainly won't do.

In short, you need to understand all attack scenarios and then implement a system, otherwise you end up avoiding one thing and opening the door for another.
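The following PHP sketch is an added illustration of the points above; it is not code from this thread or from the script being nitpicked. It counts failures per account and per source address (so rotating usernames from one address does not reset the counter), enforces a growing delay instead of a hard lockout (so flooding one account cannot lock its owner out indefinitely), and logs every decision with a separate alert threshold. The thresholds, the in-memory $store standing in for a database table, and the address 203.0.113.7 are all assumptions constructed for the example.

```php
<?php
// Added example, not from the thread or the script under discussion.
// $store is a constructed in-memory stand-in for a failed-login table:
// key ("user:<name>" or "ip:<addr>") => list of failure timestamps.

const WINDOW_SECONDS = 900;  // only count failures from the last 15 minutes
const SOFT_LIMIT     = 5;    // failures before delays start (assumed value)
const ALERT_LIMIT    = 20;   // failures that should raise an alarm (assumed value)
const MAX_DELAY      = 60;   // cap on the enforced delay, in seconds

$store = [];

/** Drop timestamps that fall outside the sliding window. */
function prune(array &$store, string $key, int $now): void
{
    $store[$key] = array_values(array_filter(
        $store[$key] ?? [],
        fn(int $t) => $t > $now - WINDOW_SECONDS
    ));
}

/** Record one failed attempt against both the account and the source address. */
function recordFailure(array &$store, string $user, string $ip, int $now): void
{
    foreach (["user:$user", "ip:$ip"] as $key) {
        $store[$key][] = $now;
    }
    error_log(sprintf('login failure user=%s ip=%s at=%d', $user, $ip, $now));
}

/** On success clear only the account counter; an address still hammering
 *  other accounts keeps its own history. */
function recordSuccess(array &$store, string $user): void
{
    unset($store["user:$user"]);
}

/**
 * Decide how to treat the next attempt.
 * Returns ['delay' => seconds to enforce before checking the password,
 *          'alert' => whether the count crossed the alarm threshold].
 * The delay grows with the larger of the two counters and is capped, so the
 * throttle slows an attacker without giving anyone a cheap way to lock a
 * legitimate user out for good.
 */
function throttleDecision(array &$store, string $user, string $ip, int $now): array
{
    prune($store, "user:$user", $now);
    prune($store, "ip:$ip", $now);
    $count = max(count($store["user:$user"]), count($store["ip:$ip"]));

    $delay = 0;
    if ($count >= SOFT_LIMIT) {
        $delay = min(MAX_DELAY, 2 ** ($count - SOFT_LIMIT));
    }
    $alert = $count >= ALERT_LIMIT;
    if ($alert) {
        error_log(sprintf('ALERT: %d failures in window user=%s ip=%s',
                          $count, $user, $ip));
    }
    return ['delay' => $delay, 'alert' => $alert];
}

// Constructed demonstration: one address rotating through six accounts.
// A per-account-only throttle would see zero failures for 'grace' and let
// the seventh attempt through at full speed; the address counter does not.
$now = time();
foreach (['alice', 'bob', 'carol', 'dave', 'erin', 'frank'] as $i => $victim) {
    recordFailure($store, $victim, '203.0.113.7', $now + $i);
}
$decision = throttleDecision($store, 'grace', '203.0.113.7', $now + 6);
printf("delay=%d alert=%s\n", $decision['delay'], $decision['alert'] ? 'yes' : 'no');
```

In a real deployment the delay would be applied (or the attempt refused) before the password is checked, and the alert would feed whatever monitoring the site already has, since without someone watching the log the throttle only slows an attacker by a constant factor. The per-address counter also has its own limits: attackers spread across many addresses fall under it, and users behind a shared proxy or NAT share one counter, which is one more reason to prefer a capped delay over a hard lockout.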

Re: Please nitpick my login script!

Posted: Wed Jan 28, 2009 6:12 am
by aschlosberg
Just a couple of things to add:

You don't need to create $sql['password'] as it isn't being used in a query - this will just add unnecessary processing.

Your script keeps track of the access level of the original username and password rather than who is actually logged in. As you implement it in various projects this will most likely become a requirement.