I am one of the developers at PassPad, a secure password generator and username storage system. We’re still working on it, but I have a few questions on the best way to implement a secure login/out system.
Right now, what we plan on doing is to have the login system save a cookie with the username and a session key, and that's all that serves as authentication. The server verifies that the two match. Upon login/logout a new key is created.
This is a security-related webapp and while we don’t actually store any information that might make the user queasy, because it is security-oriented it makes it a necessity for us to at least appear secure in a way that the user would be happy with.
Is there a better way to implement a login/out system in PHP? Preferably it won’t take too much coding time or server resources. Is there anything else I need to implement, like brute-force protection, etc? How would I go about that?
Make sure you have read the OWASP Top 10 for 2010, especially A3: Broken Authentication and Session Management. This is important because you have already violated its requirements for HTTPS. Also make sure to read about CSRF; forcing people to log in to or log out of your service is a vulnerability. Turn off directory listing in your .htaccess: http://passpad.org/actions/
I also recommend running a Web Application Firewall, especially if you are a security web app. mod_security is free and will stop a lot of attacks. Also make sure to test your application for vulnerabilities by using wapiti (open source) or acunetix ($$$), but make sure you test your app with your WAF disabled.
In terms of brute-force protection I really like Gmail's approach. Don't prompt them with a captcha until they obtain enough "heat". Heat can be accumulated by performing bad actions against your system. Heat is assigned to an IP address, not a session. For instance, if they sign up for 2 user accounts, you might want to prompt them with a captcha for the 3rd. If you have 3 failed login attempts, you should prompt them. If they solve the captcha, you could choose to "cool" them off by lowering their heat value or setting it to zero. Use reCAPTCHA; it's by far the best.
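The "heat" scheme from the answer above, written out as an added example (this is not code from the original post, from the answerer, or from PassPad). Heat is keyed by IP address, failed logins and signups add to it, reaching a threshold forces a captcha, and solving the captcha cools the address to zero. The specific weights, the threshold of 3, the passive time-based decay, the `HeatTracker`/`attempt_login` names and the sample user are all assumptions made for the demonstration. It is in Python rather than PHP only because the logic is the same in either; the in-memory dictionary stands in for the shared store (database table or cache) a real deployment would use so that every web worker sees the same heat.

```python
"""Heat-based brute-force throttling keyed by client IP (illustrative).

Bad actions add heat to the caller's IP; at the threshold the next request
needs a solved captcha, which cools the address back to zero.  All constants
are assumed values, not figures from the original post.
"""
import time
from dataclasses import dataclass

CAPTCHA_THRESHOLD = 3.0       # heat at or above this -> captcha required
HEAT_FAILED_LOGIN = 1.0       # 3 failed logins -> captcha on the 4th attempt
HEAT_SIGNUP = 1.5             # 2 signups -> captcha on the 3rd
HEAT_CAPTCHA_FAIL = 1.0       # a wrong captcha answer is itself a bad action
COOL_PER_SECOND = 1.0 / 600   # assumed passive decay: one heat unit per 10 min


@dataclass
class _Entry:
    heat: float
    updated: float            # clock reading when `heat` was last settled


class HeatTracker:
    """In-memory tracker; production code would back this with a shared store."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}

    def heat(self, ip):
        """Current heat for `ip` after applying time-based cooling."""
        entry = self._entries.get(ip)
        if entry is None:
            return 0.0
        now = self._clock()
        entry.heat = max(0.0, entry.heat - (now - entry.updated) * COOL_PER_SECOND)
        entry.updated = now
        return entry.heat

    def _add(self, ip, amount):
        total = self.heat(ip) + amount
        self._entries[ip] = _Entry(total, self._clock())
        return total

    def needs_captcha(self, ip):
        return self.heat(ip) >= CAPTCHA_THRESHOLD

    def record_failed_login(self, ip):
        return self._add(ip, HEAT_FAILED_LOGIN)

    def record_signup(self, ip):
        return self._add(ip, HEAT_SIGNUP)

    def record_captcha(self, ip, solved):
        """Solving a captcha cools the address to zero; failing one adds heat."""
        if solved:
            self._entries[ip] = _Entry(0.0, self._clock())
            return 0.0
        return self._add(ip, HEAT_CAPTCHA_FAIL)


# Constructed sample credential store.  Plaintext only to keep the demo
# self-contained; a real application compares against password hashes.
USERS = {"alice": "correct horse battery staple"}


def attempt_login(tracker, ip, username, password, captcha_solved=None):
    """Gate one login attempt; returns 'captcha_required', 'failed' or 'ok'.

    `captcha_solved` is the verified result of the captcha widget, or None
    when the request carried no captcha answer at all.
    """
    if tracker.needs_captcha(ip):
        if captcha_solved is None:
            return "captcha_required"
        tracker.record_captcha(ip, captcha_solved)
        if not captcha_solved:
            return "captcha_required"
    if USERS.get(username) == password:
        return "ok"
    tracker.record_failed_login(ip)
    return "failed"


class FakeClock:
    """Controllable clock so the cooling behaviour can be shown offline."""
    now = 0.0

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    tracker = HeatTracker(clock)
    out = {}
    # Three wrong passwords, then the 4th attempt is blocked until a captcha
    # is solved; correct password plus solved captcha gets in.
    attacker = "203.0.113.7"
    out["login"] = [attempt_login(tracker, attacker, "alice", "wrong") for _ in range(3)]
    out["login"].append(attempt_login(tracker, attacker, "alice", "wrong"))
    out["login"].append(attempt_login(tracker, attacker, "alice",
                                      "correct horse battery staple", captcha_solved=True))
    # Two signups are free; the third from the same address needs a captcha.
    signer = "203.0.113.8"
    tracker.record_signup(signer)
    tracker.record_signup(signer)
    out["third_signup_needs_captcha"] = tracker.needs_captcha(signer)
    # Passive cooling: ten idle minutes drop one unit, so the block lifts.
    idle = "203.0.113.9"
    for _ in range(3):
        tracker.record_failed_login(idle)
    clock.now += 600
    out["heat_after_idle"] = round(tracker.heat(idle), 6)
    out["idle_needs_captcha"] = tracker.needs_captcha(idle)
    return out


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when keying on IP as the answer suggests: everyone behind one NAT or corporate proxy shares a single heat value, so legitimate users can be caught by a neighbour's mistakes, and an attacker with many addresses dilutes per-IP heat, so a per-account failure counter alongside it is a sensible addition.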