I am building a secure login system and would like some opinions on what I have so far (please pick it apart):
1. Submitting login form over SSL, no brainer
2. Using cfqueryparam everywhere, another no brainer
3. Password field in the database is called something other than password, pw, etc.
4. Password is one-way encrypted using Hash(), encrypted version stored on db
5. In the ColdFusion code, the encrypted version of the pw is never selected from the db - I assume this is irrelevant, but better be on the safe side
6. Login form field names have session key appended to them to prevent the browser remembering login details for the user (no remember me tickbox)
7. Password can only be changed by the user entering current password and new password when logged in

I think this is all sound so far, but I am really unsure about the best way of resetting passwords when a user has forgotten their password. Currently, I have this:

1. User requests password change instructions to be sent to their registered email address by entering both their login name and email address: if the details match, the instructions are sent (if they don't remember those details they can ask the administrator, it's a small office).
2. When the request is made, a 32 character 'temporaryLoginKey' is created and a hash of this is stored in the login table. The unhashed key is sent to the user's email as part of a web address (i.e. www.site.com/index.cfm?event=resetPassword&tempLoginKey=27JFl49580KFj45687KJGF459)
3. The user visits the url sent to them and is presented with a change password form in which they are required to enter their login name and new password
4. Once the user has changed their password, the tempKey is cleared and resulting calls to the temp address result in an access denied message or some such

Am I missing anything obvious, or is anything I am doing plain wrong?
I do not need to build Fort Knox here, simply the most secure login possible on zero budget (it also has to be a minimal PITA for the users). Thanks in advance :)

Dominic
--
Blog it up: http://fusion.dominicwatson.co.uk

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298005

