Tuesday 05 July 2011 2:26:24 pm
Well, with that approach, all I have to do is write a script to generate random hashes and eventually I'll be logged in as a user. I'd bet that with that approach I'd be logged in as a random user within a day. Of course, that depends on how many users you have, etc. I suppose you could set up a fail2ban script to parse the Apache log files to lock someone out after too many failed attempts... but that's a lot of overhead. But otherwise, what would prevent me from writing a script to just keep banging on your machine - going through proxies of course - until I'm logged in?

The thing is, if you have a user, then you can code for it - if someone attempts to log into this user X number of times, silently fail. With a hash... there's really nothing you can do... you can't go by IP address if someone is using Tor and proxies. There's nothing you could go by. On the other hand, if it's an intranet and one branch is coming from one IP, you'll end up having false positives.

I guess, if your /custom/autologin/$PASSWORD_HASH also has an input field with the username, so that it can cross-reference it to the hash... that would allow you to break if the username is hit too many times - but then, if someone has to do that, they may as well just do the username/login - unless of course there is a good reason not to.

Edit: changed "can... go by IP" to "can't go by IP".
Certified eZPublish developer
http://ez.no/certification/verify/396111
Available for ezpublish troubleshooting, hosting and custom extension development: http://www.leidentech.com
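The cross-referenced username/token check with a per-username failure counter that the post sketches, written out as an added example in Python. This is not code from the thread or from eZ Publish; the function names, the in-memory tables, the sample user and the lockout constants are assumptions made for the example. It also adds the guess-count estimate behind the "within a day, depending on how many users you have" remark, so you can see how token length and user count trade off.

```python
"""Per-username failure counter for a hash-based autologin endpoint.

Added example (not from the thread or eZ Publish). It models the mitigation
the post describes: the autologin URL carries both a username and a token,
the server cross-references the token to that username, and after X failed
attempts for that username it fails silently regardless of the token
presented. All names, constants and the in-memory stores are assumptions.
"""
import hashlib
import hmac
import time

MAX_FAILURES = 5        # X failed attempts before the username is locked
LOCKOUT_SECONDS = 900   # how long a locked username keeps failing silently

# Constructed user table: username -> SHA-256 of the secret autologin token.
# A real system would generate the token with secrets.token_urlsafe() and
# store only its hash, exactly as done here for the sample value.
_USERS = {
    "alice": hashlib.sha256(b"alice-token-constructed").hexdigest(),
}

# username -> (failure_count, lock_until_timestamp)
_FAILURES = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def attempt_autologin(username: str, token: str, now: float = None) -> bool:
    """Return True only when token matches username and username is not locked.

    Every failure path returns the same bare False, so a caller cannot tell
    'unknown user' from 'wrong token' from 'locked out' (the silent fail the
    post asks for).
    """
    now = time.time() if now is None else now
    count, lock_until = _FAILURES.get(username, (0, 0.0))

    if now < lock_until:
        return False                      # locked: fail even if token is right
    if lock_until and now >= lock_until:
        count = 0                         # lock expired, start counting afresh

    stored = _USERS.get(username)
    # Compare against a dummy hash when the user is unknown so the work done
    # (and therefore the response time) is the same on both paths.
    expected = stored if stored is not None else _token_hash("")
    ok = hmac.compare_digest(expected, _token_hash(token)) and stored is not None

    if ok:
        _FAILURES.pop(username, None)     # success resets the counter
        return True

    count += 1
    lock_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
    _FAILURES[username] = (count, lock_until)
    return False


def failure_state(username: str):
    """Expose the counter for monitoring: (failure_count, lock_until)."""
    return _FAILURES.get(username, (0, 0.0))


def expected_guesses_to_any(token_bits: int, n_users: int) -> float:
    """Expected random guesses before hitting *some* valid token.

    With n_users valid tokens in a space of 2**token_bits, each guess hits
    with probability n_users / 2**token_bits, so the expected number of
    guesses until the first hit is the reciprocal. This is the quantity the
    post is reasoning about when it says the attack time depends on how
    many users you have.
    """
    return (2.0 ** token_bits) / n_users


if __name__ == "__main__":
    t = 1000.0
    print(attempt_autologin("alice", "alice-token-constructed", now=t))
    for _ in range(MAX_FAILURES):
        attempt_autologin("alice", "wrong-token", now=t)
    print(failure_state("alice"))
    # Even the correct token fails while the username is locked.
    print(attempt_autologin("alice", "alice-token-constructed", now=t + 1))
    # 128-bit tokens and a thousand users: still astronomically many guesses.
    print(expected_guesses_to_any(128, 1000))
```

The counter is keyed on the username rather than the client address, which is what makes it work against a proxied or Tor-routed attacker and avoids the intranet false-positive problem the post raises; the cost is that an attacker who knows a username can lock that user out, so a short lockout window with monitoring is usually preferable to a permanent one.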