Whenever possible, you should utilize existing frameworks that are well-maintained to handle your user logins. However, if you’ve inherited a project that handles its own logins, sometimes you simply have to make do and try to secure your application to the best of your ability.
Beyond using SSL, hashing your passwords, and making sure you salt your hashes…one of the other things you can do to improve the security of your website is to ensure you have some form of brute-force protection.
A brute-force attack is when someone is randomly or pseudo-randomly trying different passwords or keys to get into your system. Examples of brute-force attacks are:
The goal of brute-force protection is not to completely prevent someone doing a brute-force attack, but rather to make it more time-consuming and costly than it is worth. Basically, you are just trying to slow them down.
In any case, first, to prevent Session Hijacking, you should ensure that your session keys are being generated by a cryptographically secure random generator. If you use something like PHP’s
uniqid or a non-random Guid, since these are often non-random codes based on time, it’s very likely for a person to be able to guess the session keys that will get generated. Non-random keys mean that they are more guessable, and–thus–other brute-force prevention measures will not be as successful.
Second, for both Session Hijacking and Password Cracking prevention, you should log failed validations that occur by IP address. Here’s a quick design. I’ll use a database table, though you can also use a cache which may be more practical unless you want IPs to be able to be permanently blocked when they exceed some high threshold.
ip2longmethod in php). This means you have to convert them on the way in and out, but it makes the indexing more optimized.
CREATE TABLE BruteForceLog ( IpAddress BIGINT PRIMARY KEY AUTO_INCREMENT, FailedCount INTEGER UNSIGNED NOT NULL, LastFailure DATETIME NOT NULL )
Once you have this table, the process is simple. I’ll try to turn this into a work-flow in the near future, but for now, hopefully this is simple enough to understand:
Kevin Nelson August 22nd, 2017
Posted In: Security