Skip to content
This repository has been archived by the owner on May 15, 2024. It is now read-only.
Henk Verhoeven edited this page Mar 1, 2014 · 21 revisions

Contributing and sharing (the honor)

Most wanted are your opinions and ideas. . Please hit 'Edit Page' if you have something to say.

Help with the code and docs is welcome but you will propbably be more visible if you develop a bundle/module/library for some other framework on your own github area that reuses the cross framework library (will be here soon).

Roadmap (0.2 Milestone)

Individual issues have been moved to the issues tab

  1. Create separate Cross Framework library

  2. Cross database type and access interface support

  3. Performance improvements

  4. TimeOuts (OWASP Requirement)

  5. Api docs

Ideas

These are open for discussion, not just about the how and priority but also the if at all and why. Please add your own ideas too.

  • Estimation of credibility. Currently only the number of failed logins per IP address count. This may result in the blocking of adresses that harbour many users. Other measures could be taken into accout, like the number of successfull attempts over a longer duration.

  • Releasing by long term cookies. On a successfull login a long term cookie could be set and stored in the RequestCounts record. (consider adding indexes too, consider checking the token and not register by invalid tokens to prevent db flooding by random tokens, invalid tokens are suspicious - could influence estimation of credibility)

  • Add (example) Controllers and templates for sending e-mails with urls with release tokens and for processing the resulting release requests.

  • Fulfilling more OWASP requirements (discussion).

  • Adding more Guard classes for different types of Authentication Listener, or replacing it by other hooks into symfony's authentication (discussion)

  • Look into the Drupal 7 Login Security module to look for ideas and see if its code could be (re)used.

  • Support the long term blocking user names. The OWASP Guide suggests a duration of 15-30 minutes if blocking user names at all, but many systems block user accounts after 3 or 5 failed longin attempts for the long term until reactivated explicitly. Currently this bundle allows a long duration to be set, but here is room for improvement:

    Issue 4: Support the long term blocking user names.

    Isuue: Periodically pack the Requestcounts table. If one of the durations is substantially longer then the others, records that are older the the shorter duration ago may be packed into ones with a longer counting duration.

  • Keep track of usage that is a-typical for legitimate application users 2). For example an Exception Listener that tracks and counts routing Exceptions and invalid parameter Exceptions. It could send e-mails to security officers, and/or lock out a user until he/she requests na e-mail for reactivation after password change. IMHO this is out of scope for this bundle.

Notes

1) The importance of this was suggested by Remko Silvis at GroningenPHP, februari 2014

2) Suggested by Aukje Holtrop at GroningenPHP, februari 2014

Clone this wiki locally