
Website Login Security

  • 10-11-2003 11:12pm
    #1
    Closed Accounts Posts: 1,651 ✭✭✭


    Hey,

    I'm just wondering about a website login and how secure it is. Say I want an admin area or a customer area for a site, would it be ok to set a session variable at login and test for that variable on every secured page?

    I'm talking about JSP specifically here but obviously the question is for a web-based app in any language.

    Cheers!


Comments

  • Closed Accounts Posts: 156 ✭✭JJSolutions


    Yeah, that should be fine. The only problem would be if they used the machine in an internet cafe or something and didn't click their logout button; it may be possible for someone to get in. Other than that it should be fine.

    Keeping the session timeout down to a reasonable amount may prevent this.
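The pattern discussed in this thread (set a session at login, check it on every secured page, and let idle sessions expire) as an added, runnable sketch. This is not JSP or code from anyone in the thread: it is a Python stand-in for the container's session table, with an unguessable token, a sliding idle timeout (the 15-minute default is an assumed value) and an explicit logout, plus the check a secured page would run before rendering. The injectable clock exists so the expiry can be exercised without waiting.

```python
import secrets
import time

# Idle timeout in seconds. 15 minutes is an assumed value, not one the thread gives.
SESSION_IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """In-memory session table: token -> (username, last_seen).
    Stands in for the servlet container's HttpSession (assumed design, not JSP code)."""

    def __init__(self, idle_timeout=SESSION_IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so tests can advance time
        self.sessions = {}

    def login(self, username):
        # Unguessable token: this is what the browser gets back in its cookie.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, self.clock())
        return token

    def current_user(self, token):
        """The check every secured page runs. Returns the username or None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        if self.clock() - last_seen > self.idle_timeout:
            # Idle too long (the internet-cafe case): drop it so a later
            # request cannot revive it.
            del self.sessions[token]
            return None
        # Sliding expiry: activity extends the session.
        self.sessions[token] = (username, self.clock())
        return username

    def logout(self, token):
        """Explicit logout invalidates the server-side entry immediately."""
        self.sessions.pop(token, None)


def secured_page(store, token):
    """Page-handler pattern: refuse to render unless the session is valid."""
    user = store.current_user(token)
    if user is None:
        return "redirect:/login"
    return f"admin area for {user}"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")
    print(secured_page(store, tok))        # admin area for alice
    print(secured_page(store, "bogus"))    # redirect:/login
    store.logout(tok)
    print(secured_page(store, tok))        # redirect:/login
```

The point the first reply makes is visible in `current_user`: a forgotten browser tab holds a token that stops working once the idle window passes, and the server-side entry is deleted rather than merely flagged, so the stale cookie cannot be replayed later.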


  • Registered Users Posts: 849 ✭✭✭Cr8or


    Some good security features to include in applications of this kind would be:

    1. Store all passwords in a hashed format in your database.

    The reason for this is to protect the passwords stored in your databases; it is the most fundamental and widely used practice across the board. By doing this you protect your passwords in the event of a hack or an exploit being used on your database or code. Always try to do this unless it is impossible to do so for whatever reason.

    2. Make sure to log all failed logins & send daily reports to an admin.

    This step is done to make sure that you or the admin is always informed of failed login attempts. This can be useful for spotting brute force attacks but can lead to a build up of logs on your server or hosting environment if it is not implemented correctly.

    3. Block large amounts of requests from a fixed IP

    Try to set a timeout of 30 mins per 5-10 failed logins on each IP. The reason for this is to block brute force dictionary attacks that are using open proxies. Another good method to boost the productivity of this method would be to also block open proxies but this in theory could lead to problems if your users require proxies.

    4. Try to use an HTML-based login system that is only accessible via HTTPS.

    The main idea behind this is to make it harder again for someone to brute force logins. Although it's not impossible to set up a system to get around this method, the main idea behind securing anything is to make it as hard as possible for any unauthorized users to gain access to your system.

    5. Limit the amount of hosts that can use the same username and password at the same time.

    Again, this may not apply to single-user systems but can come into play when there is more than one user using the system. This stops password sharing but can lead to trouble if users pass on details to other users; it is a good way to prevent unauthorised users from using the system.

    Have a look into password rules and try to research the best methods for clients choosing passwords. Some of the strongest systems out there can be simply exploited because of man-made errors and weak passwords.

    Even if you only integrate some of these ideas into your code it will help boost security overall. Most of the above examples are used only on high-end sites for higher security.

    You may think this is a bit of overkill for what you are looking for, but you should always try to integrate some of the above stuff to make a more secure environment for your users. You really have to start thinking outside the box to see where your problem will arise.
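Points 1, 2, 3 and 5 of the list above, worked into one added example. This is not the poster's code and not JSP; it is a Python login service that stores salted PBKDF2 hashes instead of passwords, keeps an audit log of failed logins from which a daily report can be built, locks an IP out for 30 minutes after 5 failures (the numbers the post gives), and caps the number of hosts that may hold a live session for one username at the same time (the cap of 2 is an assumed value, as is the user table, which is constructed here). Point 4, serving the form only over HTTPS, is a deployment setting rather than application code and is not shown. The clock is injectable so the lockout window can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Policy numbers from the post: 5 failed logins per IP lock it out for 30 minutes.
MAX_FAILURES_PER_IP = 5
LOCKOUT_SECONDS = 30 * 60
# Assumed value: how many hosts may use one username concurrently.
MAX_HOSTS_PER_USER = 2
# Work factor for PBKDF2-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'salt_hex$hash_hex'. A random per-user salt means two users with
    the same password do not get the same stored value."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


class LoginService:
    def __init__(self, users, clock=time.time):
        self.users = users                      # username -> stored hash
        self.clock = clock                      # injectable for tests
        self.failures = defaultdict(list)       # ip -> timestamps of failed logins
        self.active_hosts = defaultdict(set)    # username -> IPs with a live session
        self.audit_log = []                     # lines the daily report is built from

    def _ip_locked(self, ip):
        """True when the IP has hit the failure cap inside the lockout window.
        Old entries are pruned here so the list cannot grow without bound."""
        now = self.clock()
        recent = [t for t in self.failures[ip] if now - t < LOCKOUT_SECONDS]
        self.failures[ip] = recent
        return len(recent) >= MAX_FAILURES_PER_IP

    def login(self, username, password, ip):
        now = self.clock()
        if self._ip_locked(ip):
            self.audit_log.append(f"{now:.0f} LOCKED ip={ip} user={username}")
            return "locked"
        stored = self.users.get(username)
        ok = stored is not None and verify_password(password, stored)
        if not ok:
            # Unknown user and wrong password get the same answer and the same log line.
            self.failures[ip].append(now)
            self.audit_log.append(f"{now:.0f} FAILED ip={ip} user={username}")
            return "failed"
        hosts = self.active_hosts[username]
        if ip not in hosts and len(hosts) >= MAX_HOSTS_PER_USER:
            self.audit_log.append(f"{now:.0f} REFUSED ip={ip} user={username} (host limit)")
            return "too_many_hosts"
        hosts.add(ip)
        self.audit_log.append(f"{now:.0f} OK ip={ip} user={username}")
        return "ok"

    def logout(self, username, ip):
        self.active_hosts[username].discard(ip)

    def daily_report(self):
        """Only the failed and locked-out attempts, as the post suggests mailing to an admin."""
        return [line for line in self.audit_log if " FAILED " in line or " LOCKED " in line]


if __name__ == "__main__":
    # Constructed sample user table: only the hash is ever stored.
    users = {"alice": hash_password("correct horse battery")}
    svc = LoginService(users)
    for _ in range(5):
        svc.login("alice", "wrong", "10.0.0.1")
    print(svc.login("alice", "correct horse battery", "10.0.0.1"))  # locked
    print("\n".join(svc.daily_report()))
```

Two details worth noticing: the lockout is keyed by source IP and expires on its own, which is what the post's "timeout of 30 mins per 5-10 failed logins" amounts to, and the host cap only refuses a login from a new address, so a user reconnecting from a machine that already holds a session is not turned away.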


  • Closed Accounts Posts: 14 w3bby


    Nice one guys!

    Ya that's pretty much what I was looking for.
    Great stuff!


  • Closed Accounts Posts: 1,651 ✭✭✭Enygma


    oops, posted that on the bros computer!

