What security features should a PHP membership system have? [closed]
Just like the title says, what are the most common security features of a PHP-based membership system? A few I know:
- MySQL injections
- secured connection
- encrypted password(s) and other sensitive data.
What else?
Authentication != Authorization is another one that comes to mind.
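The authentication vs. authorization point above, as an added example that is not part of the original thread (PHP, with a constructed in-memory user table standing in for the database; the function names are my own). The vulnerable handler checks only that *someone* is logged in and then serves whichever record the request names; the hardened one also decides whether *this* caller may see *that* record, using the role held server-side rather than anything the client sends:

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a users table (not from the page).
const USERS = [
    1 => ['id' => 1, 'name' => 'alice', 'role' => 'member'],
    2 => ['id' => 2, 'name' => 'bob',   'role' => 'member'],
    3 => ['id' => 3, 'name' => 'carol', 'role' => 'admin'],
];

// Vulnerable: authentication only. Any logged-in member can read any profile
// by changing the id in the request (an insecure direct object reference).
function viewProfileVulnerable(?int $sessionUserId, int $requestedId): ?array
{
    if ($sessionUserId === null) {
        return null;                                   // not logged in
    }
    return array_key_exists($requestedId, USERS) ? USERS[$requestedId] : null;
}

// Authorization decision, based on the caller's server-side record. A role
// read from a cookie or hidden form field would be trivially spoofable.
function canViewProfile(array $caller, int $requestedId): bool
{
    return $caller['id'] === $requestedId || $caller['role'] === 'admin';
}

// Hardened: authenticate, then authorize, then fetch.
function viewProfile(?int $sessionUserId, int $requestedId): ?array
{
    if ($sessionUserId === null || !array_key_exists($sessionUserId, USERS)) {
        return null;                                   // authentication failed
    }
    $caller = USERS[$sessionUserId];
    if (!canViewProfile($caller, $requestedId)) {
        return null;                                   // authenticated, not authorized
    }
    return array_key_exists($requestedId, USERS) ? USERS[$requestedId] : null;
}

// Demo: bob (id 2) is logged in and asks for alice's profile (id 1).
var_dump(viewProfileVulnerable(2, 1));   // alice's record: the data leaks
var_dump(viewProfile(2, 1));             // denied: not bob's record, bob is not admin
var_dump(viewProfile(2, 2));             // allowed: bob's own record
var_dump(viewProfile(3, 1));             // allowed: carol is an admin
```

In a real application the session user id comes from `$_SESSION` after login and the records from the database; the shape of the check is the same, and it has to run on every handler that touches per-user data, not just the login page.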
An extensive list of attacks can be found here: https://www.owasp.org/index.php/Category:Attack
Some methods:
- Abuse of Code Functionality (Bad Coding)
- Data Structure Attacks
- Embedding Malicious Code (XSS)
- Exploitation of Authentications
- Injections
- Path Traversal Attacks (include($_GET['file']))
- Protocol Manipulation
- Resource Depletion (DoS/DDoS)
- Resource Manipulation
- Sniffing Attacks
- Spoofing (COOKIES)
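The path traversal item above, with its `include($_GET['file'])` snippet, as an added example that is not part of the original thread (PHP; function names, the `pages/` layout and the secret file are constructed for the demo). `file_get_contents` stands in for `include()` so the demo only reads files rather than executing them; the path handling is identical. Two hardened variants are shown: an allow-list, which is the right answer when the set of pages is fixed, and a `realpath` containment check for when files are added at runtime.

```php
<?php
declare(strict_types=1);

// Vulnerable: request data becomes part of the path. "../secret.txt" walks out
// of the pages directory (and with allow_url_include on, include() would even
// fetch and run remote code).
function loadPageVulnerable(string $pagesDir, string $file): string
{
    return (string) file_get_contents($pagesDir . '/' . $file);
}

// Hardened, option 1: an allow-list maps request tokens to files, so request
// data never touches a filesystem path at all.
const PAGES = ['home' => 'home.html', 'about' => 'about.html'];

function loadPageAllowList(string $pagesDir, string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return (string) file_get_contents($pagesDir . '/' . PAGES[$page]);
}

// Hardened, option 2 (files added at runtime): restrict the name to a safe
// character set, then resolve the path and confirm it is still under the base
// directory after ".." and symlinks have been collapsed.
function loadPageContained(string $pagesDir, string $file): ?string
{
    if (!preg_match('/\A[a-z0-9_-]+\.html\z/', $file)) {
        return null;                    // bad characters, separators or extension
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $file);
    if ($base === false || $path === false) {
        return null;                    // base missing or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                    // resolved to somewhere outside the base
    }
    return (string) file_get_contents($path);
}

// Demo with a constructed layout: pages/home.html and a secret one level up.
$root = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.html", "<h1>home</h1>");
file_put_contents("$root/secret.txt", "db_password=hunter2");

$attack = '../secret.txt';
echo "vulnerable: ", loadPageVulnerable("$root/pages", $attack), "\n"; // secret leaks
var_dump(loadPageAllowList("$root/pages", $attack));                 // rejected
var_dump(loadPageContained("$root/pages", $attack));                 // rejected
echo "legit: ", loadPageContained("$root/pages", 'home.html'), "\n";

unlink("$root/pages/home.html");
unlink("$root/secret.txt");
rmdir("$root/pages");
rmdir($root);
```

The regex alone would already stop `../`; the `realpath` comparison is what also catches a symlink placed inside `pages/` that points elsewhere, which a character filter cannot see.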
Some other things to think about:
- Session security (How are session variables set? Can someone's session ID be stolen? Is session fixation possible?)
- Are your forms protected against XSS?
- Do you have any mechanism to prevent brute-force attacks, like locking out an IP address after X failed attempts? Do you need to keep track of who logs into a given account? (e.g., should you be notified if someone logs into an administrator account from an IP address in southeast Asia if your site is run solely by people who live in the US?)
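The session and brute-force questions above, as an added example that is not part of the original thread (PHP; the settings, limits, function names and the in-memory failure store are my own choices, and the users array is constructed). It shows the `session.*` settings that close off fixation and ID theft, a login that rotates the session ID after a successful password check, and a per-IP-plus-username lockout with a time window. The session calls are guarded so the file also runs from the command line, where no session is active.

```php
<?php
declare(strict_types=1);

// Session hardening: set before session_start() on every request.
function hardenSessionSettings(): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    ini_set('session.cookie_httponly', '1');   // not readable from JavaScript (XSS theft)
    ini_set('session.cookie_secure', '1');     // only sent over HTTPS (sniffing)
    ini_set('session.cookie_samesite', 'Lax'); // not sent on cross-site POSTs
}

// Brute-force limiter. Key on ip + username: username alone lets an attacker
// lock anyone out, ip alone misses distributed guessing against one account.
const MAX_FAILURES   = 5;
const WINDOW_SECONDS = 900;

function rateKey(string $ip, string $username): string
{
    return $ip . '|' . strtolower($username);
}

function isLockedOut(array $store, string $ip, string $username, int $now): bool
{
    $entry = $store[rateKey($ip, $username)] ?? null;
    if ($entry === null || $now - $entry['first'] > WINDOW_SECONDS) {
        return false;                           // no failures, or window expired
    }
    return $entry['count'] >= MAX_FAILURES;
}

function recordFailure(array &$store, string $ip, string $username, int $now): void
{
    $key   = rateKey($ip, $username);
    $entry = $store[$key] ?? ['first' => $now, 'count' => 0];
    if ($now - $entry['first'] > WINDOW_SECONDS) {
        $entry = ['first' => $now, 'count' => 0]; // start a fresh window
    }
    $entry['count']++;
    $store[$key] = $entry;
}

function clearFailures(array &$store, string $ip, string $username): void
{
    unset($store[rateKey($ip, $username)]);
}

// Hash verified for unknown usernames so the failure path costs the same
// either way and timing does not reveal which accounts exist.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

// $users maps username => password_hash() output. $store is the failure store
// (an array here; a database or cache shared by all web workers in production).
function login(array $users, array &$store, string $ip, string $username, string $password, int $now): bool
{
    if (isLockedOut($store, $ip, $username, $now)) {
        return false;
    }
    $hash = $users[$username] ?? dummyHash();
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        recordFailure($store, $ip, $username, $now);
        return false;
    }
    clearFailures($store, $ip, $username);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);            // pre-login ID is never promoted
        $_SESSION['user']     = $username;
        $_SESSION['login_ip'] = $ip;            // compare on later logins to flag new locations
    }
    return true;
}

// Demo with a constructed user and clock.
hardenSessionSettings();
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
$store = [];
$t     = 1000000;
for ($i = 0; $i < MAX_FAILURES; $i++) {
    login($users, $store, '203.0.113.9', 'alice', 'wrong', $t);
}
var_dump(login($users, $store, '203.0.113.9', 'alice', 'correct horse battery', $t + 1));   // still locked out
var_dump(login($users, $store, '203.0.113.9', 'alice', 'correct horse battery', $t + 901)); // window expired
var_dump(login($users, $store, '198.51.100.7', 'alice', 'correct horse battery', $t + 1));  // other IP unaffected
```

For the "admin logged in from an unexpected place" notification in the answer, the stored `login_ip` is the minimum you need: compare it (or a GeoIP lookup of it) against the previous login on each successful `login()` and alert on a change; the example only records it.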
Minimal password requirements are a definite must. Also, use some type of CAPTCHA.
Here is a link that shows some important security issues:
link
Not necessarily a security feature, but the user experience of the system should not be confusing. Most users have seen the uname/pword login form and some have seen OAuth/OpenID. Beyond that you enter a world where you need to ensure your intentions are clear.
I made a small list of the most usual security problems seen here: Historical security flaws of popular PHP CMS's?
It lacks the authorization != authentication problem barfon answered, all the anti-spam protection you should have, and I'm sure some other things I can't think of right now.