Home
Your opinions and ideas are most wanted. Please hit 'Edit Page' if you have something to say.
Help with the code and docs is welcome. You will probably be most visible if you develop a bundle/module/library for some other framework than Symfony 2 in your own GitHub area.
See the issues tab of the AuthenticationGuardBundle
These are open for discussion, not just about the how and priority but also the if at all and why. Please add your own ideas too.
- Estimation of credibility. Currently only the number of failed logins per IP address counts. This may result in the blocking of addresses that harbour many users (for example a NAT gateway or proxy). Other measures could be taken into account, like the number of successful attempts over a longer duration.
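The shared-address problem above, as an added stand-alone illustration (not code from the bundle): a failure-count-only rule blocks a NAT gateway behind which many users log in correctly, while a credibility measure that also counts distinct successful logins over a longer window does not. The window sizes, the "one extra failure per credible account" rule and the cap are assumptions for the sake of the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One row of a RequestCounts-like log (constructed, not the bundle's schema).
Attempt = namedtuple("Attempt", "ip username success at")

LIMIT_PER_IP = 10                    # failures allowed per IP within FAILURE_WINDOW
FAILURE_WINDOW = timedelta(minutes=5)
SUCCESS_WINDOW = timedelta(days=1)   # longer window used for the credibility measure
MAX_ALLOWANCE = 5 * LIMIT_PER_IP     # cap: credibility never buys unlimited tries
NOW = datetime(2014, 2, 20, 12, 0, 0)

def failures_from(ip, attempts, now):
    """Failed logins from ip inside the short failure window."""
    return sum(1 for a in attempts
               if a.ip == ip and not a.success and now - a.at <= FAILURE_WINDOW)

def distinct_successful_users(ip, attempts, now):
    """Distinct accounts that logged in successfully from ip inside the long window."""
    return len({a.username for a in attempts
                if a.ip == ip and a.success and now - a.at <= SUCCESS_WINDOW})

def blocked_by_failures_only(ip, attempts, now):
    """Current behaviour: only the failure count per IP decides."""
    return failures_from(ip, attempts, now) >= LIMIT_PER_IP

def blocked_by_credibility(ip, attempts, now):
    """Hypothetical rule: each distinct account seen logging in successfully from
    this address raises the failure allowance by one, up to MAX_ALLOWANCE."""
    allowance = min(LIMIT_PER_IP + distinct_successful_users(ip, attempts, now),
                    MAX_ALLOWANCE)
    return failures_from(ip, attempts, now) >= allowance

def sample_attempts():
    """Constructed sample: a gateway shared by 20 users with 12 recent typos,
    and a lone address with 12 failures against one account and no successes."""
    shared, lone = "203.0.113.5", "198.51.100.7"
    rows = [Attempt(shared, "user%d" % i, True, NOW - timedelta(hours=i)) for i in range(20)]
    rows += [Attempt(shared, "user%d" % (i % 4), False, NOW - timedelta(seconds=10 * i))
             for i in range(12)]
    rows += [Attempt(lone, "admin", False, NOW - timedelta(seconds=10 * i)) for i in range(12)]
    return rows

if __name__ == "__main__":
    rows = sample_attempts()
    for ip in ("203.0.113.5", "198.51.100.7"):
        print(ip, "failures-only:", blocked_by_failures_only(ip, rows, NOW),
              "credibility:", blocked_by_credibility(ip, rows, NOW))
```

The cap matters: without it, an attacker who controls a handful of valid accounts could raise the allowance of their own address indefinitely, so any credibility measure should stay bounded.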
- Releasing by long term cookies. On a successful login a long term cookie could be set and stored in the RequestCounts record. (Consider adding indexes too. Consider checking the token and not registering invalid tokens, to prevent db flooding by random tokens; invalid tokens are suspicious and could influence the estimation of credibility.)
- Fulfilling more OWASP requirements (discussion).
- Look into the Drupal 7 Login Security module to look for ideas and see if its code could be (re)used.
- Support long term blocking. The OWASP Guide suggests a duration of 15-30 minutes if blocking user names at all, but many systems block user accounts after 3 or 5 failed login attempts until reactivated explicitly. Other systems, for example fail2ban, do long term blocking of recidivist IP addresses. Currently this bundle allows a long duration to be set, but there is room for improvement:
  Currently releasing by username is either for all IP addresses (including those that have misbehaved) or only for a specific IP address. This could be extended to other IP addresses that are not blocked by address and do not have more than the limitPerUserName failures for the user name.
  This makes little difference if user names are only blocked for a short duration that is close to the duration of IP address blocking. Only to be implemented if other measures for long term blocking of user names are also implemented.
  Issue: Periodically pack the RequestCounts table. If one of the durations is substantially longer than the others, records that are older than the shorter duration may be packed into ones with a longer counting duration.
- Keep track of usage that is atypical for legitimate application users 1). For example an Exception Listener that tracks and counts routing Exceptions and invalid parameter Exceptions. It could send e-mails to security officers, and/or lock out a user until he/she requests an e-mail for reactivation after password change. IMHO this is out of scope for this bundle.

1) Suggested by Aukje Holtrop at GroningenPHP, February 2014