7

What security features do I need to have in-place to ensure that my website log-in and registration forms are secure?

Xander
ahmed amro

3 Answers

18

CSRF - You need to have protection in place to prevent cross site request forgery - or requests to login, signup, or other actions from other sites. This can be used to trick users into performing actions they didn't intend to.

CAPTCHA on signup - It's often recommended to use a CAPTCHA on your sign-up form to reduce automated signups. How important this is depends on your threat model.

Secure login - The login needs to happen over HTTPS to reduce the risk of the user's credentials being captured via a MiTM attack.

Cookies - While login over HTTPS should be seen as a minimum, everything else really should be over SSL as well to protect the cookies (remember Firesheep?). Though just using SSL isn't enough, you need to set the Secure flag and HttpOnly flag whenever possible.

Email Confirmation - You need to make sure that you verify a user's email address as part of the sign-up process (I'd suggest not letting them login until it's confirmed). You'll need to have this for use in password resets.

Bruteforce protection - You need to protect against an attacker bruteforcing user accounts. There are various ways to do this, locking accounts (which can be used as a DoS attack by locking out large number of users), limiting failed attempts from a given IP (either via ban, or additional CAPTCHA). There are pros and cons to each method, but it's important that you have some form of protection in place.

Secure password reset - You need to make sure that you have a secure method for resetting passwords. This one is more complicated than most people think, and is easy to get wrong (as Apple recently found). The biggest risk is that an attacker finds a way to abuse the feature to reset accounts that they don't own.

I'd strongly suggest that you read the OWASP Authentication Cheat Sheet, it goes into detail on these and many other potential issues; and as always, when building new systems, it's a good time to take another look at the OWASP Top 10 and make sure you have taken the proper precautions.

Adam Caudill
4

Adding to Adam's answer I would like to say that according to OWASP Top 10 Application Security Risks–2013 the top three vulnerabilities are Injection, Flaws in Authentication mechanism/session management and XSS.

  • Authentication and session management is a very broad topic but OWASP has a number of cheat sheets and guides whose links can be found in the above pdf.
  • The other two vulnerabilities Injection and XSS are generally a result of not validating the user input before generating the dynamic content (XSS) or before using it in a DB query (injection).
  • To prevent from Injection all the user input parameters must be validated (server-side) before using them in queries.
  • Prevention against XSS: see this
Shurmajee
0

About the cookie:

If you use the cookie for the login process it is important to save the cookie information in your database (MySQL for example), so if a user logs out the cookie information will be deleted from the database and the cookie will no longer be valid. It is important, because if a hacker steals the cookie then he can access your account!

Another parallel solution:

To protect your login page you can use this service: Colobe

It is a free service that protects your pages from any brute force attack. Anyway, Colobe requires PHP on your server.

It is very cool because Colobe is a dynamic service that learns over time and builds a global blacklist of the botnet networks and pirate servers that generate those attacks.

N.B. Colobe is a project of mine.

Adi
Nicola
  • and how do you protect me with Colobe? Only by collecting a blacklist? Your website is not informative enough to show the customers what you can do... you should make it more informative and infographic – ahmed amro Apr 07 '13 at 13:45
  • Thank you for your feedback ^_^ I will improve the information. Anyway, yes, it's "only" a blacklist; you can also view the login statistics. – Nicola Apr 07 '13 at 15:36
  • Here there is the documentation if you are interested: https://colobe.net/?wh=documentation – Nicola Apr 07 '13 at 15:41