
exeTrix

Members
  • Content Count

    53
  • Joined

  • Last visited

Community Reputation

7 Neutral

About exeTrix

  • Rank
    Regular Member

Profile Information

  • Gender
    Male
  • Location
    UK
  • Interests
    Devin' it up.
  • Age
    27
This one is a massive topic. Just to extend upon what AK has said:

2. Another point worth mentioning here would be that storing other information when a user successfully logs in, such as IP and browser information, can protect against session hijacking. These come with their limitations and it'll never be foolproof due to HTTP connections being stateless (request -> response, done). Anyway, you could store the logged-in user's IP then compare this IP every time the user visits a secure page. This will prevent session hijacking, but if it happens in the same building behind NAT you're screwed.

3. I'm not sure how salts prevent brute force, I'll have to look into that one; however, they certainly prevent rainbow tables, I've read that somewhere before. Essentially, with salts you're protecting users' passwords if your security is compromised and allowed some naughty boy/girl access to your users' passwords.

Another thing to bear in mind is CSRF. Without some mechanism in place to verify that the AJAX request was indeed sent from a page on your server it would leave the login entry point open to brute force attacks. Normally this can be plugged with some random string embedded into a hidden field which is submitted with the username and password.

If you're really concerned about security then one of the simplest solutions is to implement an SSL cert so all requests run over HTTPS; man in the middle, see ya later.

Hope that helps
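The three mechanisms the post above describes (binding a session to the IP and browser recorded at login, a per-session random token carried in a hidden form field, and salted password storage) put together in one runnable example. This is an added illustration by the editor, not code from exeTrix or from the thread; it uses Python and the standard library only, and the in-memory `SESSIONS` dict, the function names and the `login`/`check_session` flow are assumptions standing in for whatever server-side session store a real application would use. The NAT limitation the post mentions is visible in the behaviour: a second client presenting the same cookie from the same address and browser string passes the check.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory session store (assumption: a real app would use a
# server-side store such as a database or cache keyed by the session cookie).
SESSIONS = {}

PBKDF2_ROUNDS = 100_000


def fingerprint(ip, user_agent):
    """Hash of the client attributes recorded at login and re-checked on every secure page."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def login(username, ip, user_agent):
    """Create a session bound to the client's IP/browser and issue a CSRF token for its forms."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": username,
        "fingerprint": fingerprint(ip, user_agent),
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def check_session(session_id, ip, user_agent):
    """Return the username if the cookie is known and the fingerprint still matches, else None.

    A mismatch is treated as a hijacked cookie and the session is destroyed.
    Two clients behind the same NAT with the same browser string are indistinguishable here.
    """
    sess = SESSIONS.get(session_id)
    if sess is None:
        return None
    if not hmac.compare_digest(sess["fingerprint"], fingerprint(ip, user_agent)):
        SESSIONS.pop(session_id, None)
        return None
    return sess["user"]


def csrf_hidden_field(session_id):
    """The hidden input embedded in the page so the login/AJAX request can carry the token."""
    token = SESSIONS[session_id]["csrf_token"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def verify_csrf(session_id, submitted_token):
    """Constant-time check that the submitted token is the one issued to this session."""
    sess = SESSIONS.get(session_id)
    if sess is None or submitted_token is None:
        return False
    return hmac.compare_digest(sess["csrf_token"], submitted_token)


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; the random salt makes precomputed (rainbow) tables useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    sid = login("alice", "203.0.113.5", "Mozilla/5.0 (X11)")
    print(check_session(sid, "203.0.113.5", "Mozilla/5.0 (X11)"))   # alice
    print(check_session(sid, "198.51.100.9", "Mozilla/5.0 (X11)"))  # None: cookie replayed elsewhere
    print(csrf_hidden_field(login("bob", "203.0.113.7", "curl/8.0")))
    print(hash_password("hunter2") != hash_password("hunter2"))    # True: different salts
```

Two of the same password produce two different stored strings because each call draws a fresh salt, which is exactly what defeats a precomputed table; the session fingerprint check shows why the post's NAT caveat matters, since it keys only on what the server can see of the client.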