Home
Most wanted are your opinions and ideas. Help with the code and docs is welcome, but you will probably be more visible if you develop a bundle/module/library for some other framework in your own GitHub area that reuses the cross-framework library that will be here soon.
Individual issues have been moved to the issues tab
- Cross Framework support
- Cross database type and access interface support
- Performance improvements
- TimeOuts (OWASP Requirement)
- Api docs
These are open for discussion, not just about the how and the priority but also about the if at all and the why. Please add your own ideas too.
- Estimation of credibility. Currently only the number of failed logins per IP address counts. This may result in the blocking of addresses that harbour many users. Other measures could be taken into account, like the number of successful attempts over a longer duration.
- Releasing by long term cookies. On a successful login a long term cookie could be set and stored in the RequestCounts record instead of the user agent (the choice could be made configurable). This would also help against flooding of the RequestCounts by random user agent strings sent in brute force attacks.
- Add (example) Controllers and templates for sending e-mails with URLs with release tokens and for processing the resulting release requests.
- Fulfilling more OWASP requirements (discussion).
- Adding more Guard classes for different types of Authentication Listener, or replacing it by other hooks into Symfony's authentication (discussion).
- Periodically pack the RequestCounts table. If one of the durations is substantially longer than the others, records that are older than the shorter duration may be packed into ones with a longer counting duration.
- Keep track of usage that is atypical for legitimate application users 2). For example, an Exception Listener that tracks and counts routing Exceptions and invalid parameter Exceptions. It could send e-mails to security officers, and/or lock out a user until he/she requests an e-mail for reactivation after a password change. IMHO this is out of scope for this bundle.
1) The importance of this was suggested by Remko Silvis at GroningenPHP, February 2014
2) Suggested by Aukje Holtrop at GroningenPHP, February 2014
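The "estimation of credibility" idea above, worked out as an added example. This is not the bundle's own code: the record shape (ipAddress, dtFrom, requestsFailed, requestsSucceeded), the window lengths and the credit factors are assumptions made for the example. It compares the plain rule (block once failures in the short window reach a limit) with a credibility-adjusted rule in which every successful login seen over a longer window raises the number of failures an address may accumulate before it is blocked, capped so that a compromised account on a shared address cannot buy unlimited attempts.

```php
<?php
// Added example, not the bundle's own code. Assumed record shape:
// ipAddress, dtFrom (DateTimeImmutable, start of the counting window),
// requestsFailed, requestsSucceeded. The bundle's real entity may differ.
declare(strict_types=1);

/**
 * Sum failed and successful request counts for one IP address over the
 * window of length $window that ends at $now.
 */
function countsForIp(array $records, string $ip, DateTimeImmutable $now, DateInterval $window): array
{
    $since = $now->sub($window);
    $totals = ['failed' => 0, 'succeeded' => 0];
    foreach ($records as $r) {
        if ($r['ipAddress'] !== $ip || $r['dtFrom'] < $since) {
            continue; // other address, or record outside the window
        }
        $totals['failed'] += $r['requestsFailed'];
        $totals['succeeded'] += $r['requestsSucceeded'];
    }
    return $totals;
}

/**
 * Credibility-adjusted blocking decision.
 *
 * Plain rule: block once failures in the short window reach $failureLimit.
 * Adjusted rule: each successful login seen over the long window adds
 * $creditPerSuccess to the allowed number of failures, up to $maxCredit, so an
 * address shared by many legitimate users (NAT, proxy) tolerates more failures
 * than one that has never logged in successfully. The cap keeps the extra
 * allowance bounded even when one account on that address is attacked.
 */
function shouldBlockIp(
    array $records,
    string $ip,
    DateTimeImmutable $now,
    int $failureLimit = 10,
    int $creditPerSuccess = 1,
    int $maxCredit = 20
): bool {
    $short = countsForIp($records, $ip, $now, new DateInterval('PT5M')); // assumed short window
    $long = countsForIp($records, $ip, $now, new DateInterval('P1D'));   // assumed long window
    $credit = min($maxCredit, $long['succeeded'] * $creditPerSuccess);
    return $short['failed'] >= $failureLimit + $credit;
}

// Constructed sample data: an office NAT address with many successful logins
// earlier in the day and a burst of failures just now, and an address that
// has only ever failed.
$now = new DateTimeImmutable('2014-02-20 12:00:00');
$records = [
    ['ipAddress' => '203.0.113.10', 'dtFrom' => $now->sub(new DateInterval('PT20H')), 'requestsFailed' => 2, 'requestsSucceeded' => 30],
    ['ipAddress' => '203.0.113.10', 'dtFrom' => $now->sub(new DateInterval('PT3M')), 'requestsFailed' => 12, 'requestsSucceeded' => 0],
    ['ipAddress' => '198.51.100.7', 'dtFrom' => $now->sub(new DateInterval('PT3M')), 'requestsFailed' => 12, 'requestsSucceeded' => 0],
];

var_dump(shouldBlockIp($records, '203.0.113.10', $now));
var_dump(shouldBlockIp($records, '198.51.100.7', $now));
```

Both addresses show the same 12 failures in the last five minutes, so the plain rule would block both. With the adjustment only the address without any successful logins is blocked; the shared address earned 20 credit from its 30 successes and may fail up to 30 times before it is blocked. Whether successes should count per address or per account, and how fast credit should decay, are exactly the points the item leaves open for discussion.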
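The "periodically pack the RequestCounts table" idea above, as an added example that is not the bundle's own code. It assumes rows with ipAddress, dtFrom (a Unix timestamp), duration (seconds), requestsFailed and requestsSucceeded, and two configured durations, a short one (here 300 s) and a long one (here one day). Short-duration rows that have fallen outside the short window are merged into day-aligned rows, so the totals needed for the long duration survive while the number of rows shrinks; rows still inside the short window are left untouched because the short-duration counting still needs them.

```php
<?php
// Added example, not the bundle's own code. Field names and the use of Unix
// timestamps are assumptions for this example.
declare(strict_types=1);

/**
 * Merge old short-duration rows into long-duration rows.
 *
 * @param array $records rows with ipAddress, dtFrom (Unix timestamp),
 *                       duration (seconds), requestsFailed, requestsSucceeded
 * @param int   $shortSeconds the short counting duration (e.g. 300)
 * @param int   $longSeconds  the long counting duration (e.g. 86400)
 * @param int   $nowTs        current time as a Unix timestamp
 * @return array the packed row set, in no particular order
 */
function packRequestCounts(array $records, int $shortSeconds, int $longSeconds, int $nowTs): array
{
    $cutoff = $nowTs - $shortSeconds;
    $kept = [];
    $buckets = []; // "ip|bucketStart" => aggregated long-duration row

    foreach ($records as $r) {
        if ($r['duration'] === $longSeconds) {
            // existing long-duration row (assumed to start on a bucket boundary)
            $key = $r['ipAddress'] . '|' . $r['dtFrom'];
            $buckets[$key] = isset($buckets[$key]) ? addCounts($buckets[$key], $r) : $r;
            continue;
        }
        if ($r['dtFrom'] >= $cutoff) {
            $kept[] = $r; // still inside the short window: keep at fine granularity
            continue;
        }
        // align the old short row to the start of its long-duration bucket
        $bucketStart = intdiv($r['dtFrom'], $longSeconds) * $longSeconds;
        $key = $r['ipAddress'] . '|' . $bucketStart;
        if (!isset($buckets[$key])) {
            $buckets[$key] = [
                'ipAddress' => $r['ipAddress'],
                'dtFrom' => $bucketStart,
                'duration' => $longSeconds,
                'requestsFailed' => 0,
                'requestsSucceeded' => 0,
            ];
        }
        $buckets[$key] = addCounts($buckets[$key], $r);
    }
    return array_merge($kept, array_values($buckets));
}

/** Add the counters of $source to $target and return the result. */
function addCounts(array $target, array $source): array
{
    $target['requestsFailed'] += $source['requestsFailed'];
    $target['requestsSucceeded'] += $source['requestsSucceeded'];
    return $target;
}

/** Total of one counter over all rows; use it to check that packing lost nothing. */
function sumCounter(array $records, string $field): int
{
    return array_sum(array_column($records, $field));
}

// Constructed sample: twenty old five-minute rows for one address spread over
// day 2, plus one row from a minute ago. "Now" is one hour into day 3.
$day = 86400;
$now = 3 * $day + 3600;
$rows = [];
for ($i = 0; $i < 20; $i++) {
    $rows[] = ['ipAddress' => '203.0.113.10', 'dtFrom' => 2 * $day + $i * 300, 'duration' => 300, 'requestsFailed' => 1, 'requestsSucceeded' => 3];
}
$rows[] = ['ipAddress' => '203.0.113.10', 'dtFrom' => $now - 60, 'duration' => 300, 'requestsFailed' => 4, 'requestsSucceeded' => 0];

$packed = packRequestCounts($rows, 300, $day, $now);
printf("%d rows before, %d after\n", count($rows), count($packed));
printf(
    "failed %d -> %d, succeeded %d -> %d\n",
    sumCounter($rows, 'requestsFailed'), sumCounter($packed, 'requestsFailed'),
    sumCounter($rows, 'requestsSucceeded'), sumCounter($packed, 'requestsSucceeded')
);
```

The two printf calls are the check a practitioner wants before running this against a real table: the row count must drop, and the failed and succeeded totals must be identical before and after, otherwise the long-duration counts would drift. Running it as a periodic job (cron, a Symfony console command) rather than during request handling keeps the packing cost off the login path.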