Chris mentions several very important password-related tips here. Just wanted to add a few things.
With respect to number 5, it would be easier to prevent the second user from logging in than it would be to invalidate the first session and allow the second session to become active, however it is important that you do it the way Chris describes. Invariably, someone's browser will crash in the middle of a session, and they will need to log back in to the application, therefore the logic must be such that the old session gets blown away and the new session is given precedence.

Couple of additional tips:

1. Provide a logout/logoff button. Make it prominent and encourage people to use it. If your users are used to logging out of your application, it will reduce the possibility of someone picking up someone else's session on the same workstation, even inadvertently.

2. Use short session expiration intervals. It can sometimes be inconvenient for users to have to log back in after they have been distracted by a phone call or a few emails, however it does make for a more secure system.

3. Consider using the hash() function and storing passwords as MD5 hashes rather than plain text. The advantage is that MD5 is a one-way hash, which means that it is not currently possible to reverse it and discover what the original string was. This is good for two reasons. First, if your database is compromised, your passwords remain secure (albeit, if your database is compromised, it would be easier to steal data directly from the database than to log in as someone, but at least users who use the same password across accounts will have their other account compromised). Second, it actually prevents people who are supposed to have access to the database, like your developers, from seeing passwords in clear text as well. Again, this mostly serves to keep other accounts secure, but is generally a good practice. Note that the disadvantage of storing passwords as hashes is that you cannot recover people's passwords for them. Consider using the password hint "magic question" paradigm to get around this.

4. Don't provide a "remember me" checkbox on your login page. Make people authenticate each and every time. Again, not overly convenient, but more secure.

Christian

On Monday, December 30, 2002, at 07:08 PM, Chris White wrote:

> The post should have been with this message:
>
> I have used AuthintiX and it is quite nice. I have noticed a web hosting company that offers it with their plans when I was looking for something else. Other things to consider are: 1. Required min. password length, 2. Special characters required within the password, 3. Password case sensitive, 4. Password expiration every 30 days etc., 5. User only allowed to be logged in once, if two users try to sign in using the same user id then blow away the current user session which allows only one user to be logged in, 6. Min. length for the user id.
>
> Chris
>
> -----Original Message-----
> From: Ian Skinner [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 30, 2002 5:58 PM
> To: CF-Talk
> Subject: User Name/Password Concepts
>
> I am writing a User ID/Password login for a commercial, registered members only type, Internet site. Not adult orientated if you care *S*.
>
> I've written simple CF Login functions before, but this current project is going to require a little more true security than I've dealt with before. I'm asking all the gurus and other experienced CF developers if you can help with some ideas. Basically I want to provide a fairly secure site that doesn't turn away potential users/members/customers.
>
> What I'm interested in is comments and ideas on balancing Security versus User Convenience. Also, what issues do I need to consider when I'm building this to increase the difficulty to hack my code and/or users' logins as much as practical. Would I want to blend other security features into this (NT Security for example)?
>
> Ian Skinner
> Developer
> Ilsweb
> [EMAIL PROTECTED]

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
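The session rules discussed in this thread (tip 1's logout, tip 2's short expiry, and Chris's item 5 where a second login blows away the first session rather than being refused), worked as an added example that is not from any poster and is not ColdFusion: a small server-side session table in Python, with the SessionStore class and its method names being my own.

```python
import secrets
import time


class SessionStore:
    """Server-side session table: opaque token -> session record.

    Implements the three rules from the thread:
      * item 5: a user holds at most one active session; a new login
        replaces (blows away) the old one instead of being refused, so a
        user whose browser crashed can always get back in;
      * tip 2: a short idle timeout, refreshed on each validated request;
      * tip 1: an explicit logout that revokes the token server-side.
    """

    def __init__(self, idle_timeout_seconds=900):
        self.idle_timeout = idle_timeout_seconds
        self.sessions = {}        # token -> {"user": str, "expires": float}
        self.active_by_user = {}  # user  -> token currently active for that user

    def login(self, user, now=None):
        """Create a fresh session for `user`, revoking any earlier one."""
        now = time.time() if now is None else now
        old_token = self.active_by_user.get(user)
        if old_token is not None:
            self.sessions.pop(old_token, None)  # item 5: the old session loses
        token = secrets.token_urlsafe(32)       # unguessable session id
        self.sessions[token] = {"user": user, "expires": now + self.idle_timeout}
        self.active_by_user[user] = token
        return token

    def validate(self, token, now=None):
        """Return the user for a live token (and slide its expiry), else None."""
        now = time.time() if now is None else now
        record = self.sessions.get(token)
        if record is None:
            return None
        if now > record["expires"]:
            self._revoke(token)                 # tip 2: idle for too long
            return None
        record["expires"] = now + self.idle_timeout
        return record["user"]

    def logout(self, token):
        """Tip 1: the logout button must actually kill the server-side session."""
        self._revoke(token)

    def _revoke(self, token):
        record = self.sessions.pop(token, None)
        if record and self.active_by_user.get(record["user"]) == token:
            del self.active_by_user[record["user"]]
```

The `now` parameters exist only so the timeout behaviour can be exercised deterministically; in a real request handler they default to the wall clock.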

