Web Security

[eluser]babai[/eluser]
Hi,

I want to build a secure login authentication using codeigniter framework. I want check against security:

1. Session hijacking
2. Sql injection
3. Brute Force attack - should timeout for 5 minutes after 3 successive unsuccessful logins

Please give me an idea that what I'll do.

[eluser]awpti[/eluser]
Regarding #2:

Use bind params or use the built-in ActiveRecord feature. Doesn't work for all situations.

Regarding #3:

Code it to handle attacks like that. Can't really give you any suggestions - there are a dozen ways to do it. At least.

[eluser]Bluemill Media[/eluser]
1) Log the most recent IP Address, User-Agent, and any other user information you can get your hands on when a user logs in, and check it against the active user every time they request a secure page. If the information changes between pages for the same session, it's nearly certain that the session has been hijacked. There are other ways as well, but that's a decent approach.

2) Get familiar with (and use religiously) the 'mysql_real_escape_string()' function. Read:

- http://www.tizag.com/mysqlTutorial/mysql...ection.php
- http://us3.php.net/manual/en/function.my...string.php

3) Log every attempt (successful or unsuccessful) in your database in a separate table. The data to include would be whether or not the attempt was successful, user-data (ip, user-agent, etc.), and the time the attempt was made. Then, each time an attempt is made, check to see how many times in the past 5 minutes the login has failed. If you return 3 or more rows, deny the attempt (you should do this before doing any actual authentication checking) and keep doing so until you reach a time 15 from the latest failed attempt.

---

I'm sure others will post different methods, but these are all valid. Give them a shot. Post back here if you need any help.