A simple idea for a log in script.

Hi,
I have an idea, and i would like to know what security risks are being taken by using this method.

1) Input username and password
2) Check to see if the user and password is the same as inputted in the database.
3) Update a column called "ip" and insert the current ip address in there.
4) Create a cookie and a session. insert session id in to dbase
5) when a link to a secure page is clicked, it will first do the following:
a. check for the cookie
b. check if the current ip fits in with the one in dbase
c. see if the session id is the same as the one in dbase.
6) Continue browsing, else show the log in page.


So what you think?

... sounds good

will that stop brute force http post/get floods via proxy and DB injection exploits ?

what is wrong with using and writing to .htaccess/db/pwfile via script for login entry ?

Brute Force, can you explain please? I haven't heard about this!

brute force http request floods replicate legitimate http headers and get/post requests and make literally thousands upon thousands of requests GET and POST sends/requests over the internet. The smart attacker will use a list of anonymous proxy servers, holding the connection until it is dropped, and use smart cookie management.

This can slow down and possibly freeze a web server/DB server if there isn't bandwith/load management high enough to compensate for the load or security scripts in place checking for said, or limiting the potential for it.

This can be a tedious affair for any web server admin whos' server /script is targeted and doesnt have a defense mechanism(s) built in for this. He/she usually has to manually reads the logs and manually bans the proxy ip's, unless they have a flood protection script that automatically bans flooding ips.

And if they are range banned you are limiting legitimate users.

Most decent content management systems have script protection in place for the inputs, limiting the potential and damage it can cause.

There is a web server/script stress testing tool available at http://cafecounterintelligence.com to test any script or webserver you own, but be very careful lol ... it is called JackHammer ... there is also a drop-in, configurable php script that helps to protect against this form of attack there as well, called CCISecurity, and anotehr for configuring downlaods with CCISecurity, called Filepipe.php

here is a decent page to look at also ... might help you in


http://www.devshed.com/c/a/PHP/Creating ... in-Script/