I'm wondering which additional security measures one could take besides a traditional login with user and password.

What do you think of this one:

- manually adding a cookie to each client which includes a secret key

- this cookie is not served by the webserver, it is actually copied "by hand" to each client computer

- if a client connects to the web-app the server grabs that cookie and if the contained secret key is OK, the traditional login box is presented where the user has to enter the user-password combination

- communication between client and server is encrypted with https

Thus a potential intruder would first need to get the cookie from the client's computer, which is only possible with having access to the client's computer.

This would work only for a very small user-base and an admin willing to do this manual work.

+2  A: 

Don't bother. You're making your life difficult, and not greatly making a malicious user's harder. Also, you're making the user experience terrible, because what if they clear their cookies? If someone leaves their computer unlocked, they literally bypass your entire idea, in one fell swoop.

Stick to common proven authentication. Don't make your own, as problems have been found and fixed with other authentication methods that you haven't thought of as yet.

If this is an intranet with a small user base (and I assume a single admin, from your comment), rather use Windows Authentication (or the like, if not using windows) to the site?

Kyle Rozendo
Actually the concept is an intranet, but the app is hosted on a publicly available webhost. Therefore I'm a bit concerned about security, and yes, there is a single admin.
Tom Tom
@Tom - I'd definitely look at Windows (or the like) Authentication then, and even better would be linking it to domain authentication. This should make life a ton harder for a would-be hacker than simply playing with cookies. They won't even be able to access the site without authenticating, never mind the login screen. Also, check for your office's IP range (if possible) which could stop the problem as well. Best would be of course, running it in an intranet, hehe.
Kyle Rozendo
@Kyle.. yes I know. An intranet would be good. But there is no intranet yet ;-) Never dealt with domain and windows authentication. hmmm.. will take a look at it.
Tom Tom
+2  A: 

Sounds like you want two factor authentication. Look into SecureId or some other method such as using mobile phones with one time passwords.

James Westgate
The best. My bank's site first requires me to enter my user name and password. After that, I need to click on a link which generates a random security code which is sent to the phone (SMS) and email registered with my account. I need to enter this security code before I am allowed access. The code expires in 12 hours.
Vulcan Eager
Actually that sounds interesting. Maybe sending the random security code to the email account of the user would be enough. Do not want to deal with sending sms in a web-app for 20 people :D
Tom Tom
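The second-factor flow discussed in this answer and its comments (password first, then a random code sent out-of-band that expires and can be used once) looks like the sketch below. This is an added example, not code posted by anyone in the thread; it assumes an in-memory store, a 6-digit code and a hypothetical caller that does the actual emailing.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 12 * 60 * 60   # the 12-hour lifetime from the bank example above
MAX_ATTEMPTS = 5                  # online guessing cap: the challenge dies after this

# Constructed in-memory store: username -> pending challenge. A real app keeps this
# server-side in a database or cache; the plaintext code never lands here.
_pending = {}


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(username: str, now: float = None) -> str:
    """Call this only after the password step succeeded. Returns the plaintext code
    so the caller can email it; the server stores just a hash, expiry and counter."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, not random.randint
    _pending[username] = {
        "hash": _digest(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(username: str, submitted: str, now: float = None) -> bool:
    """Second login step: accept the code once, within its lifetime and attempt budget."""
    now = time.time() if now is None else now
    challenge = _pending.get(username)
    if challenge is None:
        return False
    if now > challenge["expires"] or challenge["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(username, None)              # expired or exhausted: discard it
        return False
    challenge["attempts"] += 1
    # Constant-time comparison so timing does not leak how many digits matched.
    if hmac.compare_digest(challenge["hash"], _digest(submitted)):
        _pending.pop(username, None)              # single use: consume on success
        return True
    return False
```

The attempt cap matters more than the hashing: a 6-digit code is only 1,000,000 possibilities, so without a limit an attacker could simply iterate them within the 12-hour window.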
A: 

Have you considered asking for additional information ?

For example, some online banking sites require your email address, the state the account was opened in, your password, and you must verify that the picture shown when you log in is the picture you selected when you set up the account. If this computer/IP address is not recognized by the system (via cookies), you must also expressly give permission to continue.

If you "forget your password", you have to answer from a random bank of security questions.

rlb.usa
A: 

You can use HTTPS and distribute your certificate manually, but it's a bit of a pain. Another option would be using a "securid token" mechanism, but again...pain.

http://en.wikipedia.org/wiki/SecurID

JC
hu.. that looks fun :-) but probably pretty expensive.
Tom Tom