Yii authentication. Security issue ?

pupadupa · January 7, 2011, 6:04pm

Hi everyone!

I’m new in using Yii framework, and I’ve got questions

I’ve played with authentication and realise one thing which may be kind of security issue:

In yii blog example ( %yii%/demos/blog/index.php/site/login )… I’m trying to login:

enter username(demo)
start entering default password (demo)

So… if I enter wrong password I get a message “Incorrect username or password” even if I didn’t click Loggin button. System tell me that my passwor wrong untill I type right one.

Here is my questions:

A)So isn’t it dangerous? I mean if there some delay in authentication function? If not I think that somebody could use password guessing script or smth.

B)How could I caught such password guessing? Or how could I add delay in authentication (1-2 sec) - in this case it will be hard to use password guessing script

C)How could I show message "Incorrect username or password" only after user click logging button.

Thanks!

samdark · January 7, 2011, 7:02pm

A) Blog example is just an example that does not focus on security. If your system have sensitive data you should always use some extra security measures like adding delays, CAPTCHA, HTTPS etc.

В) You can write your own authentication routine as you want by customizing UserIdentity and controller that handles login form. You can save last data entry time or count to session and then on next request get this time from session and check if user is allowed to enter data again.

C) Disable AJAX validation. If I remember correctly you should set the following property to false: http://www.yiiframework.com/doc/api/1.1/CActiveForm/#enableAjaxValidation-detail