Don,
Unsure if you want technical specs or just ideas for your login app...
1-trim both UN/PW to prevent accidental leading/trailing spaces from denying
an otherwise-proper login
2-use site UN/PW criteria (minimum length, etc) to inspect UN/PW before ever
asking the DB if the user is there (or, on new UN/PW, before accepting them
as valid)
3-forgot password? email password to *email address on record* (& DBlog
this, and also cc-email site administrator)
4-use (cfqueryparam)(cfprocparam) in sql UN/PW statements
5-limit length of UN/PW in the SQL to length of your valid UN/PW
[left(trim(un),12) for a 12-char UN field]
6-dblog successful logins with date/time
7-dblog unsuccessful attempts with
date/time/ipaddress/UNattempted/PWattempted (also, deny further logins for
15 minutes, if 3 unsuccessful attempts made within a 15 minute period, also
maybe delete any UN cookie they may have after 3 unsuccessful attempts)
8-save valid UN in cookie to pre-populate username box (if desired) (cookie
expires in a month or two of every successful login)
9-HASH (not encrypt) the password so no one examining the DB can read it. If
you want further security, use a 'random x-character-seed' [salt] (not
unique, but generated new for each new user) and concatenated to the PW
before HASHing the PW, and stored right next to the PW in the DB.
10-ensure a UN is unique before storing it into the DB
David Perkins
[EMAIL PROTECTED]
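The checklist above, worked into one runnable login routine. This is an added example, not David Perkins' code or the Fusebox tag Don is building: the list is about ColdFusion, so Python with sqlite3 stands in, and the `?` placeholders play the role of cfqueryparam/cfprocparam (item 4). Assumptions not in the post: a 12-character username field (matching the `left(trim(un),12)` in item 5), a 3..12 / 8..64 length rule, alphanumeric usernames, and PBKDF2-SHA256 as the salted hash in item 9 rather than a bare digest. The log in item 7 records date/time, IP and the attempted username but deliberately not the attempted password (a mistyped real password would otherwise land in the log in the clear). Items 3 and 8 are left out: once passwords are stored as hashes (item 9) there is no password to mail back, and the cookie is presentation-side.

```python
import hashlib
import hmac
import os
import sqlite3
import time
from datetime import datetime, timezone

# Site rules (assumed values; UN_MAX follows the post's left(trim(un),12))
UN_MIN, UN_MAX = 3, 12
PW_MIN, PW_MAX = 8, 64
MAX_FAILURES = 3            # item 7: three failures ...
LOCKOUT_SECONDS = 15 * 60   # ... within 15 minutes denies logins for 15 minutes
PBKDF2_ROUNDS = 100_000     # item 9: salted hash; PBKDF2 is an assumed choice of hash


def open_db():
    """In-memory SQLite stand-in for the site's user table and the 'DBlog' table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            username TEXT PRIMARY KEY,   -- item 10: the DB itself refuses a duplicate UN
            salt     BLOB NOT NULL,      -- item 9: per-user random salt, stored next to the hash
            pw_hash  BLOB NOT NULL
        );
        CREATE TABLE login_log (         -- items 6 and 7: one row per attempt, success or not
            ts_utc   TEXT NOT NULL,
            ts_epoch REAL NOT NULL,
            ip       TEXT,
            username TEXT,
            success  INTEGER NOT NULL
        );
    """)
    return db


def normalize(un, pw):
    """Item 1 (trim both) and item 5 (cap the UN at the field length before it reaches SQL)."""
    return un.strip()[:UN_MAX], pw.strip()


def meets_criteria(un, pw):
    """Item 2: apply the site's UN/PW rules before the DB is ever asked."""
    return (UN_MIN <= len(un) <= UN_MAX and un.isalnum()
            and PW_MIN <= len(pw) <= PW_MAX)


def hash_password(pw, salt):
    """Item 9: hash (not encrypt) the salt+password; the salt is random per user."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(db, un_raw, pw_raw):
    """Create a user; False on a rule violation (item 2) or a duplicate UN (item 10)."""
    un, pw = normalize(un_raw, pw_raw)
    if not meets_criteria(un, pw):
        return False
    salt = os.urandom(16)
    try:
        # item 4: bound parameters, never string-built SQL
        db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                   (un, salt, hash_password(pw, salt)))
    except sqlite3.IntegrityError:
        return False
    return True


def _record(db, now, ip, un, success):
    """Items 6/7: log every attempt. The attempted password is deliberately NOT stored."""
    ts_utc = datetime.fromtimestamp(now, timezone.utc).isoformat()
    db.execute("INSERT INTO login_log (ts_utc, ts_epoch, ip, username, success) "
               "VALUES (?, ?, ?, ?, ?)", (ts_utc, now, ip, un, int(success)))


def failures_in_window(db, un, now):
    """Unsuccessful attempts for this UN in the trailing lockout window (item 7)."""
    (n,) = db.execute(
        "SELECT COUNT(*) FROM login_log WHERE username = ? AND success = 0 AND ts_epoch > ?",
        (un, now - LOCKOUT_SECONDS)).fetchone()
    return n


def login(db, un_raw, pw_raw, ip, now=None):
    """Returns 'ok', 'denied', 'rejected' (failed site rules) or 'locked' (item 7)."""
    now = time.time() if now is None else now
    un, pw = normalize(un_raw, pw_raw)
    if not meets_criteria(un, pw):
        _record(db, now, ip, un, False)
        return "rejected"
    if failures_in_window(db, un, now) >= MAX_FAILURES:
        _record(db, now, ip, un, False)   # an attempt during lockout counts too
        return "locked"
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (un,)).fetchone()
    if row is None:
        hash_password(pw, b"\x00" * 16)   # same work for an unknown UN: no timing tell
        ok = False
    else:
        ok = hmac.compare_digest(hash_password(pw, row[0]), row[1])
    _record(db, now, ip, un, ok)
    return "ok" if ok else "denied"
```

`now` is an epoch timestamp so the lockout window can be driven deterministically; leave it `None` in real use. The lockout is derived from the log table itself rather than a separate counter, so items 6 and 7 share one table and the "3 failures in 15 minutes" rule is a single COUNT query.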
-----Original Message-----
From: Donald R. Pavlik [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 01, 2000 3:53 PM
To: Fusebox
Subject: ot: ??
Did anyone receive my post about finishing off a login fusebox application?
I have the beta in its final stages, and I was wanting to get some more
information on what security and login features you commonly use with your
applications so that this could be a tag used to help speed up the
development time of applications.
Donald R. Pavlik
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists