Sometimes you worry that your login information might be stolen by key loggers. IntelliLogin will defeat key loggers and log in to your web site with one click.
Visit us at www.jjsoft-studio.com
IntelliLogin: powerful web login form filler and password generator.
You forgot the most important one:
Think about SQL injection!
Always remove ';' and everything after it from your password and username form fields when you check them against a SQL database. If you don't do this, a username like
test; select * from userdb
could get you into trouble!
Oops.
Perhaps I have to add one more tip.
In fact, SQL injection is one of the issues; also think of cross-site scripting and expression eval (if you program in Perl or ASP).
Thanks for your comment.
Eduardo Diaz
site | english blog | spanish blog
You talk about authentication; what about page authorization?
Hi there,
To achieve this, you can get the remote IP and store it in a block list if a user tries to log in 3 or more times.
That's just my idea.
Right, you can build a black list, but it could be expensive; just store the suspicious IP in an application variable and write it to the log. Keep it for a time, 1 hour or 2.
Later you can check the IPs stored in the log and block them in the firewall, your router, or the web server.
Eduardo Diaz
site | english blog | spanish blog
ediazc wrote:
block them in the firewall, your router, or the web server
This should not be done, because the IP is only blocked for a while. So, after that period of time you must unblock this IP.
The better way is to store blocked IPs in a log file/database (because storing them in app variables is surely expensive).
Th@nh
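A time-bounded block list of the kind discussed in the last three messages (count failed logins per client IP, keep the entry for an hour or two so it expires on its own, and write a log line an operator can review later before touching the firewall), as an added Python example that is not code from the thread; the in-memory store, thresholds, and the IP addresses in the comments are constructed.

```python
import logging
import time

LOG = logging.getLogger("login-throttle")


class LoginThrottle:
    """Counts failed logins per client IP and blocks that IP for a limited time."""

    def __init__(self, max_failures=3, block_seconds=3600):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self._failures = {}   # ip -> timestamps of recent failed attempts
        self._blocked = {}    # ip -> time at which the block expires

    def _purge(self, now):
        """Drop expired blocks and failure records older than the block window."""
        for ip, until in list(self._blocked.items()):
            if until <= now:
                del self._blocked[ip]
        for ip, stamps in list(self._failures.items()):
            stamps[:] = [t for t in stamps if now - t < self.block_seconds]
            if not stamps:
                del self._failures[ip]

    def is_blocked(self, ip, now=None):
        """True while the IP's block has not yet expired (no manual unblocking needed)."""
        now = time.time() if now is None else now
        self._purge(now)
        return ip in self._blocked

    def record_failure(self, ip, now=None):
        """Register a failed attempt; returns True if the IP is (now) blocked."""
        now = time.time() if now is None else now
        self._purge(now)
        if ip in self._blocked:
            return True
        stamps = self._failures.setdefault(ip, [])
        stamps.append(now)
        if len(stamps) < self.max_failures:
            return False
        self._blocked[ip] = now + self.block_seconds
        del self._failures[ip]
        # The log line is what an operator reviews later to decide on firewall rules.
        LOG.warning("blocked %s after %d failed logins for %d s", ip, len(stamps), self.block_seconds)
        return True

    def record_success(self, ip):
        """A successful login clears the failure count for that IP."""
        self._failures.pop(ip, None)
```

The `now` parameter exists so the expiry can be exercised in tests; in a request handler you call the methods without it. Constructed addresses such as 198.51.100.7 come from the documentation range.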
No, I want to block it at the IIS layer so I don't have to open a connection to the database, to reduce the use of memory, network bandwidth, ASP worker process sessions, etc.
OK, this solution will reduce the memory issue -> nice.
But how do you programmatically block an IP at the IIS layer?
If you know, please share it with me. Actually, right now I'm using a DB to store the IP list.
Thanks in advance
How do you do this programmatically in IIS?
Perhaps some of my comment was misunderstood.
You can incorporate biometrics on your web site, provided your users have some hardware, of course, like a finger scanner, an iris scanner, or some other device.
But you can use inexpensive hardware, like a webcam or a microphone, to do some biometrics, not as strong as fingerprints, for example, but it is feasible.
Second, fingerprint sensors are getting cheaper, and the resolution is good; prices are now below US$ 100.
Even some notebooks and PDAs come with integrated fingerprint sensors.
So, today it is feasible, but your users need a device. If you work for a bank, for example, you can give this service to your premium clients.
The tricky part is ensuring privacy, security of the biometric data, preventing tampering, enrollment, etc. I'm not authorized to talk about my company in forums like this, but we are doing this. When I have the clearance I will publish on this site, or perhaps on my blog.
Have a nice weekend
Eduardo Diaz
Dark Side Programming
Hello...
I believe it's a good beginner article for all people who have never built a web form login before...
But some points are not really evident...
Why is the usage of CAPTCHA not recommended???
It's a nice method to prevent robot hacks...
Especially in combination with your tip 5...
I'm missing another really important tip about sending data to the server...
(certainly in .NET data is often sent with the POST method)...
You should always send login (form) data with the POST and not the GET method...
Because the GET method reveals the process architecture of your server app to everybody...
So it's easy for every (baby) hacker to do any sh*t with your server app (e.g. with JavaScript)...
And my last question: how to use biometrics in a login form on the WWW (in this century)...
OK, I know about the adoption of biometric systems inside an intranet, coupled with special workstations...
But maybe it's a nice idea...
Best regards...
About captchas, I recommend reading the W3 article.
About biometrics, in my company we have incorporated biometrics on web sites. Our solutions work with hand geometry and fingerprints. Unfortunately our site is in Spanish, but if you are interested send me a direct email.
Best Regards
Eduardo Diaz
Dark Side Programming
And now tell me how to do this for a web login form...
Don't try it, just do it!
C'mon now. This is a beginner article, right?
But all very good points raised by the author. If every web site requiring a login implemented even half of the ten, the Internet might be just a little bit more secure.
The links the author provided are also very useful and informative.
Chris Meech
I am Canadian. [heard in a local bar]
Remember that in Texas, Gun Control is hitting what you aim at. [Richard Stringer]
Nice sig! [Tim Deveaux on Matt Newman's sig with a quote from me]
Thanks for your comments; this article is targeted at beginners.
Even this site, CodeProject, has some flaws according to my suggestions.
Security is considered boring, and that's a big mistake; you must incorporate security from the beginning.
By the way, these tips have been well known for a long time, but people still make the same mistakes.
I hope to write an article about biometric login in the future, because I'm working on that. The big problem with biometrics now is hardware availability. But in certain projects it can be done.
Eduardo Diaz
Dark Side Programming
Ok, I work for a company that develops a product to do that, you can email me.
For additional security, we now require a urine sample to log on to our webmail. Please provide via email. Thanks.
My company provides a system like that, just e-mail your urine sample.
Hi All
I created a Windows application in VB.NET and I have a problem with the login form. When I code it as follows,
I only get the message "incorrect password", whether I type a wrong username & password or the correct
username & password; I get the same message box, "incorrect password".
The code:
Imports System.Data
Imports System.Data.OleDb

Dim frmMain As New frmMain()

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim SqlTemp As String
    Dim Conn As String
    Conn = "Provider=Microsoft.JET.OLEDB.4.0;Data Source=C:\Database\DBToyota.mdb"
    ' The text box values are concatenated straight into the SQL statement.
    SqlTemp = "SELECT * FROM User"
    SqlTemp &= " WHERE UserName = '" & Trim(TextBox1.Text) & "'"
    SqlTemp &= " AND Password = '" & Trim(TextBox2.Text) & "'"
    Dim daUser As OleDbDataAdapter = New OleDbDataAdapter(SqlTemp, Conn)
    Dim ds As DataSet = New DataSet()
    Dim dc As OleDbConnection = New OleDbConnection(Conn)
    Dim OleCmd As New OleDbCommand(SqlTemp, dc)
    dc.Open()
    ' ds is never filled (daUser.Fill(ds) is not called), so ds.Tables.Count
    ' is always 0 and the Else branch runs on every click.
    If ds.Tables.Count <> 0 Then
        frmMain.Show()
    Else
        MessageBox.Show("Incorrect password")
    End If
End Sub
Please help me
Thanks
Nisarat
Good morning,
The problem is that you do only one SELECT, and in the WHERE clause you combine the entered user and password with AND, so you cannot determine which of the two values is wrong.
But you should read the article. Your login form has one BIG security hole: you pass the entered values directly into a SQL statement. This is a high risk for SQL injection. If you don't know what this is, search on CP; you can find some articles about it here. A better way is to select all records from the database and compare the values in a separate loop over the records.
Last part of my message: this is not the correct place for your question, because it has no direct relation to this article. Please post your question on the CP message board.
Stephan
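The string concatenation that Stephan points out in the posted form, beside the parameterized query that is the usual fix, as an added example that is not code from the thread; it uses Python with sqlite3 standing in for the Access database, a constructed User table, and as inputs a username containing a quote plus the `test; select * from userdb` username from earlier in the thread.

```python
import sqlite3

# Constructed sample accounts; sqlite3 stands in for the Access/Jet database and
# passwords are kept in clear only to mirror the comparison the posted form does.
SAMPLE_USERS = [("alice", "s3cret"), ("o'brien", "pw2")]


def open_db():
    """In-memory database with the table shape the posted query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO User VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(username, password):
    """Same concatenation as the VB.NET code: the input becomes part of the SQL text."""
    return ("SELECT * FROM User WHERE UserName = '" + username.strip()
            + "' AND Password = '" + password.strip() + "'")


def login_unsafe(conn, username, password):
    """Runs the concatenated statement; a quote in the input already breaks the parse."""
    rows = conn.execute(build_query_unsafe(username, password)).fetchall()
    return len(rows) > 0


def login_safe(conn, username, password):
    """Parameterized form: the driver binds the values, so they are never parsed as SQL."""
    rows = conn.execute(
        "SELECT 1 FROM User WHERE UserName = ? AND Password = ?",
        (username.strip(), password.strip()),
    ).fetchall()
    return len(rows) > 0
```

With the unsafe builder the thread's `test; select * from userdb` username lands verbatim in the statement text, and a legitimate name such as `o'brien` cannot even log in because the quote ends the string literal; the parameterized version handles both as plain data.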