sleep function
Join Date: Aug 2008
Posts: 1,160
Reputation:
Solved Threads: 137
maybe at least enter the first letter of the county, lol hope they won't mess that up
Custom Application & Software Development
www.houseshark.net
“Be who you are and say what you feel because those who mind don't matter and those who matter don't mind.” - Dr. Seuss
-- The documentation is inevitable, you may get away with it for a little while but eventually you too will have to do the deed.
Join Date: Aug 2008
Posts: 381
Reputation:
Solved Threads: 33
Or do you think this will just increase the amount of failed login attempts?
~Amy
Other ideas...
1. You could use zip-codes instead (just numbers and only 5 of them)
2. Or use area codes even (just 3 numbers unique to their location)
3. You could log and display the visitor's IP to remind them that they really are NOT anonymous
4. As mentioned, you could use cookies to remember some of the extended steps of a login
The greatest danger to people breaking security on your site is probably either...
1. Brute-force attacks -- trying lots of User-name/Password pairs
The best defense against this is enforcing strong passwords for your clients -- which is sure to annoy some people when they can't use the same password for every website so they can remember their passwords. And limiting the number of login attempts during a given timeframe or from a given IP (which is fraught with peril due to shared IP blocks).
2. Social-engineering -- getting people to voluntarily give up their login information in a web-forum (such as this) or other context and pretext.
This is the most common and likely scenario where someone gains access to other people's information -- and there is nothing you can do about it. Maybe you could enforce changing the password regularly -- which is sure to annoy some people ... as above.
There is only so much you can do. If you have secure server-side scripts and secure SQL protocols and feel confident that a hacker can't access your server environment when not using a client login ... then implementing too many barriers to legitimate access to client resources will only make people discouraged with using your site.
Cheers
Last edited by langsor; Sep 12th, 2008 at 2:05 pm.
Google is the answer to all of your questions -- the trick is knowing what question to ask in your specific predicament.
Join Date: Aug 2008
Posts: 381
Reputation:
Solved Threads: 33
Here's one possible model you might employ ...
1. Visitor arrives at your site
2. Test for existing cookie
2a. if so => PASS
2b. if not => next step
3. Require user login
3a. new user registration
3b. limit login failed-attempts
3c. lost password retrieval via on-record email
3d. login success => next step
4. capture visitor IP (easy) and compare to visitor geographic location (*)
4a. matched user-location to visitor current location => PASS
4b. no-match => next step
5. Require user to enter geographic unique identifier of their primary residence (ZIP or Area Code)
5a. able to provide this => PASS
5b. unable to provide this => FAIL
This way you provide as many opportunities as possible to have the visitor avoid going through the extra security-verification steps, but they go through them if needed.
By resolving the IP to the geographic location you reduce the chance for a hacker (that is not the user's neighbor anyway) to know the additional information needed to complete the login, even if they obtain the username/password somehow.
This does pose an additional barrier to the legitimate user when they are not in their home-town (away on business, etc) and does not provide security against hackers in the same geo-location ... but as a compromise might be additional security against hackers in a different town, state or country.
Just something to think about ...
*=
http://www.maxmind.com/app/ip-location-explained
http://www.digitalmediaminute.com/ar...-ip-to-country
http://www.ip2nation.com/
http://www.google.com/search?hl=en&c...on&btnG=Search
Last edited by langsor; Sep 12th, 2008 at 2:28 pm.
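The five-step model in the post above, written as a single decision function. This is an added example, not code from the thread; the function names, the sample account and the stubbed IP-to-location lookup are all assumptions.

```php
<?php
// Added example: the five-step login model above as one decision function.
// Names and sample data are hypothetical; the geo lookup is a stub.
const MAX_FAILURES = 5;       // step 3b: failures allowed per window
const WINDOW_SECONDS = 900;   // length of the counting window

// Stand-in for an IP-to-location database (constructed data, RFC 5737 IPs).
function geoRegionForIp(string $ip): ?string
{
    $sample = ['203.0.113.7' => 'US-OR', '198.51.100.9' => 'US-NY'];
    return $sample[$ip] ?? null;
}

// Returns 'PASS', 'FAIL', 'LOCKED' or 'CHALLENGE' (ask for the ZIP code).
function loginDecision(array $user, array $req, int $now): string
{
    // Step 2: a valid remember-me token skips the remaining steps.
    if ($req['cookie'] !== null && hash_equals($user['cookie_token'], $req['cookie'])) {
        return 'PASS';
    }
    // Step 3b: stop before the password check once the limit is reached.
    $recent = array_filter($user['failures'], fn($t) => $t > $now - WINDOW_SECONDS);
    if (count($recent) >= MAX_FAILURES) {
        return 'LOCKED';
    }
    // Step 3d: verify the password against its stored hash.
    if (!password_verify($req['password'], $user['password_hash'])) {
        return 'FAIL';
    }
    // Step 4: visitor IP resolves to the user's home region (unknown IP never matches).
    if (geoRegionForIp($req['ip']) === $user['home_region']) {
        return 'PASS';
    }
    // Step 5: otherwise the ZIP code on record is required.
    if ($req['zip'] === null) {
        return 'CHALLENGE';
    }
    return hash_equals($user['zip'], $req['zip']) ? 'PASS' : 'FAIL';
}

// Constructed sample account and requests.
$now = 1221229680;
$user = ['cookie_token' => 'tok-123', 'password_hash' => password_hash('s3cret!', PASSWORD_DEFAULT),
         'home_region' => 'US-OR', 'zip' => '97201', 'failures' => [$now - 60]];
$base = ['cookie' => null, 'password' => 's3cret!', 'ip' => '203.0.113.7', 'zip' => null];
echo loginDecision($user, $base, $now), "\n";                              // request from home region
echo loginDecision($user, ['ip' => '198.51.100.9'] + $base, $now), "\n";   // away, no ZIP supplied yet
echo loginDecision($user, ['ip' => '198.51.100.9', 'zip' => '97201'] + $base, $now), "\n";
echo loginDecision($user, ['password' => 'guess'] + $base, $now), "\n";    // wrong password
```

The caller is assumed to append a timestamp to `failures` on every `FAIL`, including a wrong ZIP at step 5, so the attempt limit also covers the five-digit ZIP challenge.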






