additional security measures besides a login with user-password - what can you think of?

Developer (开发者) https://www.devze.com 2022-12-25 07:26 Source: Internet

I'm wondering which additional security measures one could take besides a traditional login with user and password.

What do you think of this one:

- manually adding a cookie to each client which includes a secret key

- this cookie is not served by the webserver, it is actually copied "by hand" to each client computer

- if a client connects to the web-app the server grabs that cookie and if the contained secret key is ok, the traditional login box is presented where the user has to enter the user-password combination

- communication between client and server is encrypted with https

Thus a potential intruder would first need to get the cookie from the client's computer, which is only possible with having access to the client's computer.

This would work only for a very small user-base and an admin willing to do this manual work.


Sounds like you want two factor authentication. Look into SecureId or some other method such as using mobile phones with one time passwords.


Don't bother. You're making your life difficult, and not greatly making a malicious user's harder. Also, you're making the user experience terrible, because what if they clear their cookies? If someone leaves their computer unlocked, they literally bypass your entire idea, in one fell swoop.

Stick to common proven authentication. Don't make your own, as problems have been found and fixed with other authentication methods that you haven't thought of as yet.

If this is an intranet with a small user base (and I assume a single admin, from your comment), rather use Windows Authentication (or the like, if not using Windows) to the site?


Have you considered asking for additional information?

For example, some online banking requires your email address, state account was opened in, password, and you must verify the picture shown when you log in is the picture that you selected when you set up this account. If this computer/IP address is not recognized by the system (via cookies), you must also express permission to continue forwards.

If you "forget your password", you have to answer from a random bank of security questions.
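The "recognized device" cookie this answer describes differs from the question's hand-copied secret in one important way: the server does not trust the cookie because it contains a secret, it trusts it because the server itself signed it, so a forged or edited cookie fails verification and an old one expires. The block below is an added Python example of that pattern (stdlib only; it is not code from the answer, the question or any bank's system). The token layout `payload.tag`, the cookie name `known_device`, the 90-day lifetime and the `login_requires_extra_step` policy are this example's own assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(server_key: bytes, device_id: str, issued_at: int,
                       ttl_seconds: int = 90 * 24 * 3600) -> str:
    """Token = payload.tag. The payload is readable by anyone; the HMAC-SHA256 tag
    proves the server issued exactly this payload. Only the server holds server_key."""
    payload = json.dumps({"d": device_id, "exp": issued_at + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(server_key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_device_token(server_key: bytes, token: str, now: int):
    """Return the device id if the tag verifies and the token is unexpired, else None.
    The tag is checked (in constant time) before the payload is parsed, so malformed
    or tampered payloads never reach the JSON parser."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(server_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data.get("d")


def set_cookie_header(token: str, ttl_seconds: int = 90 * 24 * 3600) -> str:
    """Attributes the server should send with the cookie: HTTPS only (Secure), not
    readable by page scripts (HttpOnly), not sent on cross-site requests (SameSite)."""
    return (f"Set-Cookie: known_device={token}; Max-Age={ttl_seconds}; "
            "Secure; HttpOnly; SameSite=Strict; Path=/")


def login_requires_extra_step(server_key: bytes, cookie_value, now: int) -> bool:
    """The policy from the answer: a device without a valid token gets the extra confirmation."""
    return cookie_value is None or verify_device_token(server_key, cookie_value, now) is None


if __name__ == "__main__":
    # Constructed demo key; a real server loads a random 32-byte key from its secret store.
    key = b"\x01" * 32
    token = issue_device_token(key, "laptop-42", issued_at=1_700_000_000)
    print(set_cookie_header(token))
    print("recognized as:", verify_device_token(key, token, now=1_700_000_100))
    print("extra step without cookie:", login_requires_extra_step(key, None, 1_700_000_100))
```

Note that the device id in the payload is deliberately not a secret: the cookie only says "this browser completed the extra step before", and the password (plus whatever second factor is used) still gates the login. Because the token is bound to the server's key, the admin never has to copy anything to client machines by hand; the server issues it after a successful login.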


You can use HTTPS and distribute your certificate manually, but it's a bit of a pain. Another option would be using a "securid token" mechanism, but again...pain.

http://en.wikipedia.org/wiki/SecurID
