Web Security - Printable Version
+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Web Security (/showthread.php?tid=10306)
Web Security - El Forum - 07-25-2008

[eluser]babai[/eluser]
Hi,

I want to build a secure login authentication using the CodeIgniter framework. I want to check against security:

1. Session hijacking
2. SQL injection
3. Brute force attack - should time out for 5 minutes after 3 successive unsuccessful logins

Please give me an idea of what I'll do.

Web Security - El Forum - 07-25-2008

[eluser]awpti[/eluser]
Regarding #2: Use bind params or use the built-in ActiveRecord feature. Doesn't work for all situations.

Regarding #3: Code it to handle attacks like that. Can't really give you any suggestions - there are a dozen ways to do it. At least.

Web Security - El Forum - 07-26-2008

[eluser]Bluemill Media[/eluser]
1) Log the most recent IP address, User-Agent, and any other user information you can get your hands on when a user logs in, and check it against the active user every time they request a secure page. If the information changes between pages for the same session, it's nearly certain that the session has been hijacked. There are other ways as well, but that's a decent approach.

2) Get familiar with (and use religiously) the 'mysql_real_escape_string()' function. Read:
- http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
- http://us3.php.net/manual/en/function.mysql-real-escape-string.php

3) Log every attempt (successful or unsuccessful) in your database in a separate table. The data to include would be whether or not the attempt was successful, user data (IP, User-Agent, etc.), and the time the attempt was made. Then, each time an attempt is made, check to see how many times in the past 5 minutes the login has failed. If you return 3 or more rows, deny the attempt (you should do this before doing any actual authentication checking) and keep doing so until you reach a time 15 from the latest failed attempt.

---

I'm sure others will post different methods, but these are all valid. Give them a shot.
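The three points above (session fingerprint check, bound parameters instead of string-escaping, and a login-attempt table that locks the account before any credential check) fit together in one small piece of code. The following is an added example, not code from the thread or from CodeIgniter; it is written in Python with an in-memory SQLite table as a language-neutral illustration of the logic, so the schema, the PBKDF2 password storage and the thresholds (3 failures counted over the last 5 minutes, lockout lasting 5 minutes from the latest failure, as the original poster asked) are assumptions. Attempts denied during a lockout are logged with their own outcome and deliberately not counted as failures, otherwise an attacker could keep a legitimate user locked out forever.

```python
"""Login hardening sketch: bound SQL parameters, an attempt log with lockout,
and a per-session client fingerprint. Added example, not CodeIgniter code;
schema, thresholds and hashing parameters are assumptions."""
import hashlib
import hmac
import os
import sqlite3
import time

MAX_FAILURES = 3          # assumption: "3 successive unsuccessful logins"
WINDOW_SECONDS = 5 * 60   # assumption: failures are counted over the last 5 minutes
LOCKOUT_SECONDS = 5 * 60  # assumption: lock lasts 5 minutes after the latest failure


def open_db():
    """In-memory SQLite stand-in for the users table and the separate attempt log."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
        CREATE TABLE login_attempts (
            username TEXT, outcome TEXT, ip TEXT, user_agent TEXT, ts REAL);
        CREATE INDEX idx_attempts ON login_attempts (username, ts);
    """)
    return conn


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(conn, username, password):
    salt = os.urandom(16)
    # Bound parameters: user input never becomes part of the SQL text, so there is
    # nothing for mysql_real_escape_string()-style escaping to get wrong.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))


def lockout_remaining(conn, username, now):
    """Seconds until the account may try again, or 0 if it is not locked out.
    Only real credential failures ('fail') count; 'denied' rows do not."""
    rows = conn.execute(
        "SELECT ts FROM login_attempts WHERE username = ? AND outcome = 'fail' AND ts > ?",
        (username, now - WINDOW_SECONDS)).fetchall()
    if len(rows) < MAX_FAILURES:
        return 0
    latest = max(ts for (ts,) in rows)
    return max(0, int(latest + LOCKOUT_SECONDS - now))


def record_attempt(conn, username, outcome, ip, ua, now):
    conn.execute("INSERT INTO login_attempts VALUES (?, ?, ?, ?, ?)",
                 (username, outcome, ip, ua, now))


def attempt_login(conn, username, password, ip, ua, now=None):
    """Returns (ok, reason). The lockout check runs before any credential work."""
    now = time.time() if now is None else now
    if lockout_remaining(conn, username, now) > 0:
        record_attempt(conn, username, "denied", ip, ua, now)
        conn.commit()
        return False, "locked_out"
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    # Hash even for unknown users so response time does not reveal valid names.
    salt, stored = row if row else (b"\0" * 16, b"\0" * 32)
    computed = hash_password(password, salt)
    ok = row is not None and hmac.compare_digest(computed, stored)
    record_attempt(conn, username, "ok" if ok else "fail", ip, ua, now)
    conn.commit()
    return ok, ("ok" if ok else "bad_credentials")


def session_fingerprint(ip, ua):
    """Client details captured at login and stored alongside the session."""
    return hashlib.sha256(f"{ip}\n{ua}".encode()).hexdigest()


def session_is_consistent(session, ip, ua):
    """False when IP or User-Agent changed mid-session: treat as a possible hijack."""
    return hmac.compare_digest(session["fp"], session_fingerprint(ip, ua))


if __name__ == "__main__":
    db = open_db()
    create_user(db, "alice", "correct horse")
    t0 = time.time()
    for i in range(3):
        print(attempt_login(db, "alice", "wrong", "203.0.113.5", "Mozilla/5.0", t0 + i))
    print(attempt_login(db, "alice", "correct horse", "203.0.113.5", "Mozilla/5.0", t0 + 10))
    sess = {"user": "alice", "fp": session_fingerprint("203.0.113.5", "Mozilla/5.0")}
    print(session_is_consistent(sess, "198.51.100.9", "Mozilla/5.0"))
```

Mobile clients change IP addresses routinely, so in practice a fingerprint mismatch is better treated as a reason to re-authenticate than as proof of a hijack; the User-Agent is the more stable half of the pair.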