Home
Your opinions and ideas are most wanted. Please hit 'Edit Page' if you have something to say.
Help with the code and docs is welcome. You will probably be most visible if you develop a bundle/module/library for some other framework than Symfony 2 in your own GitHub area.
See the issues tab of the AuthenticationGuardBundle
These are open for discussion, not just about how and with what priority, but also whether at all and why. Please add your own ideas too.
- Estimation of credibility. Currently only the number of failed logins per IP address counts. This may result in the blocking of addresses that harbour many users (a shared NAT gateway or corporate proxy). Other measures could be taken into account, like the number of successful attempts from the same address over a longer duration.
- Releasing by long term cookies. On a successful login a long term cookie could be set and its token stored in the RequestCounts record. (Consider adding indexes too. Consider checking the token's format and signature before looking it up, and not registering requests with invalid tokens, to prevent DB flooding by random tokens. Invalid tokens are suspicious and could influence the estimation of credibility.)
- Fulfilling more OWASP requirements (discussion).
- Look into the Drupal 7 Login Security module for ideas and to see if its code could be (re)used.
- Support long term blocking of user names. The OWASP Guide suggests a duration of 15-30 minutes if user names are blocked at all, but many systems block user accounts after 3 or 5 failed login attempts for the long term, until reactivated explicitly. Currently this bundle allows a long duration to be set, but there is room for improvement:
  Issue 4: Support long term blocking of user names.
  Issue: Periodically pack the RequestCounts table. If one of the durations is substantially longer than the others, records older than the shorter duration may be packed into records with the longer counting duration.
- Keep track of usage that is atypical for legitimate application users 1). For example an Exception Listener that tracks and counts routing Exceptions and invalid parameter Exceptions. It could send e-mails to security officers, and/or lock out a user until he/she requests an e-mail for reactivation after a password change. IMHO this is out of scope for this bundle.
1) Suggested by Aukje Holtrop at GroningenPHP, February 2014
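The following is an added illustration of two of the ideas above, the credibility estimate (successful logins over a longer duration raising the failure allowance of an address) and the periodic packing of short-duration records into long-duration ones. It is written in Python to keep the logic readable; it is not the bundle's PHP code, and the record layout, the two durations, the thresholds and the `CREDIT_CAP` are assumptions, not the bundle's schema or configuration.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration; the bundle's RequestCounts schema differs. Field names,
# durations and thresholds are assumptions chosen for the example.
SHORT_DURATION = 300     # seconds; window in which failed attempts are counted
LONG_DURATION = 86400    # seconds; window in which successful logins build credibility
MAX_FAILED = 10          # failed attempts allowed per address in the short window
CREDIT_CAP = 20          # at most this many extra attempts can be earned by successes


@dataclass
class RequestCount:
    ip: str
    username: Optional[str]
    bucket_start: int    # unix time at which this counting interval starts
    duration: int        # length of the interval in seconds
    failed: int = 0
    success: int = 0


class RequestCounts:
    """In-memory stand-in for the RequestCounts table."""

    def __init__(self):
        self.records = []

    def register(self, ip, username, now, success):
        """Count one login attempt in the short-duration bucket for (ip, username)."""
        bucket_start = now - now % SHORT_DURATION
        for r in self.records:
            if (r.ip, r.username, r.bucket_start, r.duration) == (ip, username, bucket_start, SHORT_DURATION):
                rec = r
                break
        else:
            rec = RequestCount(ip, username, bucket_start, SHORT_DURATION)
            self.records.append(rec)
        if success:
            rec.success += 1
        else:
            rec.failed += 1

    def counts(self, ip, since):
        """Sum failed/successful attempts for ip over buckets starting at or after since.
        A bucket is attributed to its start time, so a packed day bucket only counts
        while its start lies inside the window (a deliberate under-count)."""
        failed = success = 0
        for r in self.records:
            if r.ip == ip and r.bucket_start >= since:
                failed += r.failed
                success += r.success
        return failed, success

    def failure_allowance(self, ip, now):
        """Credibility estimate: an address with many successful logins over the long
        window (shared NAT, office proxy) earns extra failed attempts, capped so one
        compromised account on that address cannot buy unlimited guesses."""
        _, success_long = self.counts(ip, now - LONG_DURATION)
        return MAX_FAILED + min(success_long, CREDIT_CAP)

    def is_blocked(self, ip, now):
        failed_short, _ = self.counts(ip, now - SHORT_DURATION)
        return failed_short >= self.failure_allowance(ip, now)

    def pack(self, now):
        """Merge short buckets that left the short window into day-aligned long
        buckets, drop long buckets that left the long window; returns the record count."""
        short_cutoff = now - SHORT_DURATION
        long_cutoff = now - LONG_DURATION
        long_recs = {}
        for r in self.records:   # first pass: keep live long buckets as merge targets
            if r.duration == LONG_DURATION and r.bucket_start + r.duration > long_cutoff:
                long_recs[(r.ip, r.username, r.bucket_start)] = r
        kept = []
        for r in self.records:   # second pass: keep or merge the short buckets
            if r.duration != SHORT_DURATION:
                continue
            if r.bucket_start + r.duration > short_cutoff:
                kept.append(r)   # still counts toward the short window: leave as is
                continue
            day_start = r.bucket_start - r.bucket_start % LONG_DURATION
            key = (r.ip, r.username, day_start)
            target = long_recs.get(key)
            if target is None:
                target = long_recs[key] = RequestCount(r.ip, r.username, day_start, LONG_DURATION)
            target.failed += r.failed
            target.success += r.success
        self.records = kept + list(long_recs.values())
        return len(self.records)
```

Packing does not change any blocking decision: the short window only ever reads short buckets (a packed day bucket always starts before the short cutoff), and the long window still sees the merged successes. The cap on earned credit is the caveat to keep in mind: without it, an attacker who has already compromised one account behind a large NAT could log in repeatedly to raise the allowance for guessing the others.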
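As an added illustration of the long term cookie idea above (release a known client from IP-based blocking, but check the token before touching the database so random tokens cannot flood the RequestCounts table), here is a sketch in Python. It is not the bundle's code: the cookie format (random id plus an HMAC-SHA256 over it), the in-memory `ReleaseStore` and the per-address count of invalid tokens are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added illustration, not the bundle's PHP code. Cookie format, HMAC
# construction and the in-memory store are assumptions.
TOKEN_BYTES = 16
HEX_DIGITS = set("0123456789abcdef")


def issue_token(secret):
    """Cookie value: <random id in hex>.<HMAC-SHA256(secret, id) in hex>."""
    token_id = secrets.token_hex(TOKEN_BYTES)
    sig = hmac.new(secret, token_id.encode(), hashlib.sha256).hexdigest()
    return f"{token_id}.{sig}"


def verify_token(cookie, secret):
    """Return the token id if the cookie is well-formed and its MAC verifies, else None.
    Pure computation: no database access, so random or forged cookies cannot flood
    the table. Both halves are checked to be hex before the constant-time compare,
    because compare_digest rejects non-ASCII strings with a TypeError."""
    if not isinstance(cookie, str) or cookie.count(".") != 1:
        return None
    token_id, sig = cookie.split(".")
    if len(token_id) != 2 * TOKEN_BYTES or not set(token_id) <= HEX_DIGITS:
        return None
    if len(sig) != 64 or not set(sig) <= HEX_DIGITS:
        return None
    expected = hmac.new(secret, token_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return token_id


class ReleaseStore:
    """Stand-in for the RequestCounts records that hold the issued tokens."""

    def __init__(self, secret):
        self.secret = secret
        self.tokens = {}        # token id -> username it was issued to
        self.invalid = {}       # ip -> number of invalid tokens presented (suspicious)

    def register_login(self, username):
        """On successful login: issue a cookie and remember its id. Only ids that
        pass verify_token are ever written, so the table never holds random junk."""
        cookie = issue_token(self.secret)
        self.tokens[verify_token(cookie, self.secret)] = username
        return cookie

    def released_user(self, ip, cookie):
        """Username to release from IP-based blocking for this request, or None.
        Malformed or forged cookies are counted against the address instead of
        being looked up; that count can feed the credibility estimate."""
        token_id = verify_token(cookie, self.secret)
        if token_id is None:
            self.invalid[ip] = self.invalid.get(ip, 0) + 1
            return None
        # Valid MAC but unknown id: issued before a purge or under a rotated secret.
        # Not suspicious, just not a known client.
        return self.tokens.get(token_id)
```

The point of the signature is that a valid token can only be produced by the server, so the only cookies that reach the lookup are ones the server issued; everything else is rejected at the cost of one HMAC and never creates a record. The secret has to be kept server-side and rotated deliberately, since rotating it silently turns every outstanding cookie into an "unknown id".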