Login page

 
Greenhorn
Posts: 24
I have a login page with username and password. It goes to a servlet, which verifies the credentials, and if the user enters a wrong password 3 times then the account is locked for 15 minutes. If the login is successful, it sets up the data in the session and redirects to the home page.

Is this enough for security purposes? As far as I know this is just basic authentication. How can I provide high security for my login?

Is there any open source API available with enough security implemented ?

Thanks ;)
 
Ranch Hand
Posts: 81
Hi!

You are starting well, but don't forget to check the validity of your session at each request.
Otherwise you are making a big door you cannot open without a key, but with no fortress around it.
You can use a servlet filter for authentication of your incoming requests.

But if you want STRONG authentication/security/login/whatever... userid and password is never a good solution.

You have to work out for yourself how important your application is.
If you make a forum or something... well... uid and pass will do...

On the other hand, FOR EXAMPLE, if you are making a banking application, never use uid and pass. Use something else, like smartcards, or Digipass, or client certs.
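The per-request session check suggested above, as an added example that is not code from this thread. It assumes the login servlet stores the user under the session attribute "user", that the login page is /login.jsp, and that the filter is mapped to the protected URLs (for example /app/*) in web.xml.

```java
// Added example (not from the thread): a servlet filter that rejects any request
// whose session does not carry the attribute the login servlet sets on success.
// Assumptions: login servlet stores the user under session attribute "user",
// the login page is /login.jsp, and the filter is mapped to /app/* in web.xml.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionCheckFilter implements Filter {
    public void init(FilterConfig cfg) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so an unauthenticated
        // visitor does not get a session object just by asking for one.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        if (!loggedIn) {
            // Send the visitor to the login page; no application code runs.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res);   // session is valid: continue to the servlet
    }

    public void destroy() {}
}
```

On successful login, invalidate the pre-login session and create a fresh one before storing the "user" attribute, so that a session id handed out before authentication is not carried into the authenticated session.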

 
Anuj Batra
Greenhorn
Posts: 24
Hi,
It is just a web application like Photobucket.

I wanted to know only this much: whether validating the session in each request is enough or something extra is needed.

I use email as the username, with jQuery validation.

Secondly,

Is locking the account for 15 minutes enough when someone tries to flood my server with login requests, or should I use the reCAPTCHA tool?
Either way I will be making a request to the other server (reCAPTCHA) for validation, and in the locking case I will just update the database. Which one is better?
 
olivier dutranoit
Ranch Hand
Posts: 81
A captcha system is never a bad idea.
But try to make one yourself. It's not that hard.
There are plenty of examples on the net. Just google for them.

Try to avoid using external servers for accomplishing projects.
That is because after that you are dependent on them.
Especially when it concerns security.

The 15 minute interval is also a good idea, but I would lower the waiting time.
What if someone has really missed 3 times?
I think 2 minutes will do.

For extra security you can ask for a password or captcha every time a user wants to update/upload something... It lowers the usability, but security always comes at the cost of usability...
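The lock-out rule discussed in the question and in the reply above (3 wrong passwords, then a fixed waiting time), as an added example that is not code from this thread. The in-memory map is an assumption for illustration; a real deployment would keep the failure count and lock expiry in the user table, as the question suggests.

```java
// Added example (not from the thread): failed-login tracking that locks an
// account after 3 wrong passwords for a fixed lock-out window (15 minutes as in
// the original question; lower LOCK_MILLIS if you follow the 2 minute suggestion).
// The HashMap is an assumption; real code would persist this in the database.
import java.util.HashMap;
import java.util.Map;

public class LoginAttemptTracker {
    static final int MAX_FAILURES = 3;
    static final long LOCK_MILLIS = 15 * 60 * 1000L;

    private static class Attempts { int failures; long lockedUntil; }
    private final Map<String, Attempts> byUser = new HashMap<String, Attempts>();

    /** True while the account's lock-out window has not expired. */
    public synchronized boolean isLocked(String user, long now) {
        Attempts a = byUser.get(user);
        return a != null && a.lockedUntil > now;
    }

    /** Record a wrong password; returns true if the account is (now) locked. */
    public synchronized boolean recordFailure(String user, long now) {
        Attempts a = byUser.get(user);
        if (a == null) { a = new Attempts(); byUser.put(user, a); }
        if (a.lockedUntil > now) return true;   // still inside the lock-out window
        a.failures++;
        if (a.failures >= MAX_FAILURES) {
            a.lockedUntil = now + LOCK_MILLIS;
            a.failures = 0;                      // counter restarts once the lock expires
            return true;
        }
        return false;
    }

    /** A correct password clears the counter and any expired lock. */
    public synchronized void recordSuccess(String user) { byUser.remove(user); }
}
```

Call isLocked() before verifying the password and reply with the same generic "invalid login" message whether the account is locked or the password is wrong; note that a lock keyed only on the username lets anyone lock a victim out, which is why a per-client rate limit or captcha, as discussed in the thread, is the better answer to a flood.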
 
Saloon Keeper
Posts: 28663
Anuj Batra wrote: I have a login page with username and password. It goes to a servlet, which verifies the credentials, and if the user enters a wrong password 3 times then the account is locked for 15 minutes. If the login is successful, it sets up the data in the session and redirects to the home page.

Is this enough for security purposes? As far as I know this is just basic authentication. How can I provide high security for my login?

Is there any open source API available with enough security implemented?

Thanks ;)

There is a standard security system that's an integral part of the J2EE standard and comes with every major J2EE server, from the minimalistic Tomcat server right up through and including the biggest, most expensive commercial servers. You can read about it in just about any introductory book on J2EE in the section where they talk about form-based login and security settings in the web.xml file.

Writing (and debugging and maintaining) your own security system is inefficient, expensive, and dangerous. In all the years I've worked with J2EE, I've never yet encountered a do-it-yourself "security" system that had any security worth mentioning, and most could be circumvented in under 5 minutes by unskilled personnel.
 
Anuj Batra
Greenhorn
Posts: 24
Hi Tim,

Thanks for the information. I tried working with realms as well, but I suppose they do not give enough flexibility.

BTW, I found the JAAS package in Java, but I couldn't find any resource simple enough to understand and implement it.

Can you tell me, is JAAS good to implement?
 
Tim Holloway
Saloon Keeper
Posts: 28663
In all the years I've worked with J2EE, I've never run into an application whose architecture couldn't benefit from container-based authentication and authorization (Realm-based security). No other security system can block requests before they ever reach application logic, and what can't reach logic can't exploit holes in the logic. Nor do any other security systems have the ability to hook into the built-in J2EE security functions.

When URL screening and roles don't provide enough subtlety, they can still be an invaluable first-line defense, and are easily augmented. The user id is almost always a good key into a larger, more fine-grained secondary security system, and because the user ID comes directly from the server itself, it's practically un-spoofable.

You can use this, for example, to add additional security via JAAS or the Spring Security Framework. These systems, however, are not mutually exclusive with standard container-managed security. Tomcat, for example, does come with a JAAS Realm as part of the basic package.
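The pattern described above, as an added example that is not code from this thread: the container does the authentication (form-based login and a security-constraint in web.xml, so the request never reaches this servlet unauthenticated), and the container-supplied user id is the key into an application-level ownership check. The OwnershipDao interface, the servlet-context attribute it is read from, the "member" role and the "photo" parameter are assumptions for illustration.

```java
// Added example (not from the thread): secondary, fine-grained authorization
// layered on container-managed security. Assumptions: web.xml protects this
// servlet's URL with a <security-constraint> for role "member"; an OwnershipDao
// implementation is stored in the servlet context under "ownershipDao".
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class PhotoDeleteServlet extends HttpServlet {
    /** Hypothetical data-access interface for the photo ownership table. */
    public interface OwnershipDao {
        boolean owns(String userId, String photoId);
        void delete(String photoId);
    }
    private OwnershipDao dao;

    public void init() throws ServletException {
        dao = (OwnershipDao) getServletContext().getAttribute("ownershipDao");
        if (dao == null) throw new ServletException("ownershipDao not configured");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Set by the container after a successful form login; the client cannot
        // supply or alter it through request parameters, cookies or headers.
        String userId = req.getRemoteUser();
        if (userId == null) {                    // constraint missing in web.xml?
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String photoId = req.getParameter("photo");
        // Coarse check from the container's role mapping, then the fine-grained
        // check the container cannot express: is this user the photo's owner?
        if (photoId == null || !req.isUserInRole("member") || !dao.owns(userId, photoId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        dao.delete(photoId);                     // only a verified owner gets here
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```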
 