in reply to Re: real time server side validation
in thread real time server side validation

Agreed

Further to that, I would also suggest that you block or slow down the IP address after a certain number of failed login attempts from the same address, as otherwise a cracker could try the same password with a long list of different usernames, in order to try to break in that way.

If I were you, I would impose a 1 second delay between login attempts for the same username or from the same IP address block, and after 3 failed attempts, I would double the delay for each subsequent failed attempt up to a maximum of around 5 minutes.

I don't think there is anything to be gained from using AJAX or suchlike to check usernames & passwords in real-time. As roboticus said, that would just make a cracker's job easier, and also give them a way to overload your server and inflict a denial of service attack. A simple form submit with both a username and password on it should be sufficient.

One thing you might consider is to use JavaScript on the client to hash the user supplied password with a random salt string supplied by the server, so that if the password submission form is intercepted over an insecure WiFi or suchlike, a cracker will not be able to re-use it later.
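The throttling scheme described in the post above (1 second spacing per username and per client address, doubling after 3 failures, capped at 5 minutes), as an added Python example that is not part of the original thread. It assumes an injectable clock so the behaviour can be checked deterministically; the key names and class are constructed for illustration.

```python
"""Login throttle: 1 s minimum spacing per username and per client
address; after 3 failures the required wait doubles per further
failure, capped at 5 minutes.  Constructed example (not from the
thread); the clock is injectable so tests can drive it."""
import time
from collections import defaultdict

BASE_DELAY = 1.0        # seconds between attempts for the same key
FREE_FAILURES = 3       # failures allowed before backoff starts doubling
MAX_DELAY = 300.0       # 5 minute cap on the wait


def required_delay(failures):
    """Seconds a key must wait after its last attempt, given its
    consecutive failure count: 1, 1, 1, 1, 2, 4, 8, ... capped at 300."""
    if failures <= FREE_FAILURES:
        return BASE_DELAY
    return min(BASE_DELAY * 2 ** (failures - FREE_FAILURES), MAX_DELAY)


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(int)   # key -> consecutive failures
        self._last = {}                     # key -> time of last attempt

    def wait_time(self, username, ip):
        """Seconds the caller must still wait before this attempt may be
        processed (0.0 if it may proceed now).  The stricter of the
        per-username and per-address limits applies."""
        now = self._clock()
        waits = []
        for key in (("user", username), ("ip", ip)):
            if key in self._last:
                due = self._last[key] + required_delay(self._failures[key])
                waits.append(max(0.0, due - now))
        return max(waits, default=0.0)

    def record(self, username, ip, success):
        """Record the outcome of an attempt that was allowed to proceed."""
        now = self._clock()
        for key in (("user", username), ("ip", ip)):
            self._last[key] = now
            if not success:
                self._failures[key] += 1
        if success:
            # Only the username counter is cleared: a valid login from an
            # address must not erase that address's failure history.
            self._failures.pop(("user", username), None)
```

Reject the attempt (or sleep) whenever `wait_time` is non-zero before touching the password store, so the delay is enforced server-side regardless of what the client does.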

Re^3: real time server side validation
by yakoval (Novice) on Dec 14, 2010 at 17:17 UTC
    Thanks for your comments. But if we put aside the security part and take a real user (not a cracker) who made a mistake (or forgot the username (password)) while trying to sign in to his account. I have to tell him "The username or password is incorrect. Please try again." Maybe the simplest way in such a case is to redirect the user to another page with the same fields (username and password) with a message about the incorrect data?