secure web application questions

I am implementing a web application which is powered on the backend via a SOAP server/client interaction. The web site is running over HTTPS and authentication is being provided by LDAP.

As of now I push all users without a cookie, call it 'userHash' for reference, to the login page. The login page accepts a username and password and checks LDAP to verify. If it verifies I store in my session the user name, user IP address, and a timestamp.

Lastly I construct a cookie and session hash info:

    // PHP: the same hash is kept server-side in the session and sent to the browser as a cookie
    $_SESSION['userHash'] = sha1($username . $userip . $timestamp);
    setcookie('userHash', $_SESSION['userHash']);

This way on any subsequent request I verify the user possesses the cookie userHash with a matching value to the session['userHash'].

Is this setup secure?

Additionally, I want to prevent against brute force attacks and was going to implement a simple DB table to log failed attempts. Currently I am thinking of having:

    id | username | timestamp | ipaddress | count

as a table. Is this the best approach or is there a better way? I see for example with this table that if I were to limit failed attempts to 3 every 24 hours, then an attacker has the ability to try each username 3 times from the same IP. (One side note: this application is anticipated to be used on potentially school computer labs which may be on a subnet and thus show me multiple logins from the same IP address, so I need to be careful as to when I block based on IP address.)

On the other hand, I got to wondering if there is anything like "denyhosts" for HTTP authentication?
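The two mechanisms the question describes, a session value compared against a cookie and a table of failed logins throttled per username and per IP, as an added Python example that is not part of the question or of any answer. It assumes the session token is drawn from the OS CSPRNG and that username, client IP and last-seen time are kept only server-side, and it replaces the proposed `id | username | timestamp | ipaddress | count` table with in-memory sliding windows (a real deployment would persist them). The policy numbers (a 24-hour window, 3 failures per account, a far higher per-IP limit so a shared lab address is not locked out by one student) and the `FakeClock`, `LoginThrottle`, `SessionStore` and `attempt_login` names are assumptions for illustration; the LDAP bind is stood in for by a constructed dictionary of credentials.

```python
import secrets
import time
from collections import defaultdict, deque

# Assumed idle timeout for this example (not a value from the question).
SESSION_IDLE_SECONDS = 30 * 60


class SessionStore:
    """Server-side sessions keyed by a random token.

    The browser holds only the token; username, client IP and last-seen
    time stay on the server, so the cookie value cannot be rebuilt from
    inputs the client already knows.
    """

    def __init__(self, idle_seconds=SESSION_IDLE_SECONDS, now=time.time):
        self.idle_seconds = idle_seconds
        self._now = now
        self._sessions = {}  # token -> {"user", "ip", "last_seen"}

    def issue(self, username, client_ip):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": username, "ip": client_ip,
                                 "last_seen": self._now()}
        return token

    def verify(self, token, client_ip):
        """Return the session's username, or None if the cookie is not valid."""
        rec = self._sessions.get(token)
        if rec is None or rec["ip"] != client_ip:
            return None
        now = self._now()
        if now - rec["last_seen"] > self.idle_seconds:
            del self._sessions[token]  # idle timeout: require a fresh login
            return None
        rec["last_seen"] = now
        return rec["user"]


class LoginThrottle:
    """Sliding-window failed-login counters kept per username and per IP."""

    def __init__(self, window, user_limit, ip_limit, now=time.time):
        self.window = window          # seconds a failure stays counted
        self.user_limit = user_limit  # lock one account after this many
        self.ip_limit = ip_limit      # much higher: a lab subnet shares one IP
        self._now = now
        self._by_user = defaultdict(deque)  # username -> failure timestamps
        self._by_ip = defaultdict(deque)    # client ip -> failure timestamps

    def _recent(self, q):
        """Drop timestamps older than the window and return the count left."""
        cutoff = self._now() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)

    def is_blocked(self, username, client_ip):
        return (self._recent(self._by_user[username]) >= self.user_limit
                or self._recent(self._by_ip[client_ip]) >= self.ip_limit)

    def record_failure(self, username, client_ip):
        now = self._now()
        self._by_user[username].append(now)
        self._by_ip[client_ip].append(now)

    def record_success(self, username):
        self._by_user.pop(username, None)  # reset the account counter only


def attempt_login(throttle, sessions, check_credentials, username, password, client_ip):
    """Login-page flow: throttle check, credential check, then session issue.

    check_credentials(username, password) -> bool stands in for the LDAP bind.
    Returns a session token on success, None if throttled or rejected.
    """
    if throttle.is_blocked(username, client_ip):
        return None
    if not check_credentials(username, password):
        throttle.record_failure(username, client_ip)
        return None
    throttle.record_success(username)
    return sessions.issue(username, client_ip)


class FakeClock:
    """Deterministic clock so the example runs offline and repeatably."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    throttle = LoginThrottle(window=24 * 3600, user_limit=3, ip_limit=200, now=clock)
    sessions = SessionStore(now=clock)
    creds = {"alice": "correct horse", "bob": "battery staple"}  # constructed
    check = lambda u, p: creds.get(u) == p
    lab_ip = "203.0.113.10"  # one NAT address shared by a whole lab
    for _ in range(3):
        attempt_login(throttle, sessions, check, "alice", "wrong", lab_ip)
    print("alice blocked:", throttle.is_blocked("alice", lab_ip))  # True
    print("bob blocked:", throttle.is_blocked("bob", lab_ip))      # False
```

The per-account limit answers the "3 tries per username" concern directly: after three failures the account is refused even with the right password until the window slides past, while other accounts behind the same lab NAT are unaffected unless the much larger per-IP limit is reached. Keying the session table by a random token rather than by `sha1(username.ip.timestamp)` means a valid cookie value cannot be computed from the username and IP plus a guess at the login time.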