This is great :) I am just looking for everything that I can put into this app
so that it can be extremely powerful, and provide a high level of security
so that the developer doesn't have to worry about protecting their specific
sections of their applications. This is to be a great tool when it is all
done, and with all of your help it will be that.

Thank you,
Donald R. Pavlik
Founder
Bug Engineering Co.
"Making the Dreams of Tomorrow, Reality Today"

-----Original Message-----
From: David Perkins [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 01, 2000 9:12 PM
To: Fusebox
Subject: RE: ?? (login features)


Don,
Unsure if you want technical specs or just ideas for your login app...
1-trim both UN/PW to prevent accidental leading/trailing spaces from denying
an otherwise-proper login
2-use site UN/PW criteria (minimum length, etc) to inspect UN/PW before ever
asking the DB if the user is there (or, on new UN/PW, before accepting them
as valid)
3-forgot password? email password to *email address on record* (& DBlog
this, and also cc-email site administrator)
4-use (cfqueryparam)(cfprocparam) in sql UN/PW statements
5-limit length of UN/PW in the SQL to length of your valid UN/PW
[left(trim(un),12) for a 12-char UN field]
6-dblog successful logins with date/time
7-dblog unsuccessful attempts with
date/time/ipaddress/UNattempted/PWattempted (also, deny further logins for
15 minutes, if 3 unsuccessful attempts made within a 15 minute period, also
maybe delete any UN cookie they may have after 3 unsuccessful attempts)
8-save valid UN in cookie to pre-populate username box (if desired) (cookie
expires in a month or two of every successful login)
9-HASH (not encrypt) the password so no one examining the DB can read it. If
you want further security, use a 'random x-character-seed' [salt] (not
unique, but generated new for each new user) and concatenated to the PW
before HASHing the PW, and stored right next to the PW in the DB.
10-ensure a UN is unique before storing it into the DB

David Perkins
[EMAIL PROTECTED]

-----Original Message-----
From: Donald R. Pavlik [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 01, 2000 3:53 PM
To: Fusebox
Subject: ot: ??


Did anyone receive my post about finishing off a login fusebox application?
I have the beta in its final stages, and I was wanting to get some more
information on what security and login features you commonly use with your
applications so that this could be a tag used to help speed up the
development time of applications.

Donald R. Pavlik
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists