2020-07-15
Compromised Account Credentials
[2020-07-15 Wed 08:47] This morning's plan for updating the Login Throttling code:
- Tighten IP throttling to 3 requests in 12 hours
- [X] Revert last night's changes and move them to a separate branch for rework
- Log additional information when a login attempt is throttled (username, IP, Sift ID)
- Extend the session timeout to 7 days to reduce natural re-authentication
- Add dynamic throttling based on Sift ID [2020-07-15 Wed 13:28]
- Implement CSRF on the login form by moving the form to the site's codebase (CCPANEL-10596)
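As an added illustration of the throttling items in the plan above (example code, not the CP's own throttling module): a sliding-window throttler keyed on client IP at 3 attempts per 12 hours, with a second, per-Sift-ID budget so one device cannot spray attempts from many addresses, and a log record carrying the username, IP and Sift ID whenever an attempt is throttled. The `LoginThrottler` class, its in-memory store, the injectable clock and the `sift_limit` value of 10 are assumptions made for this example; the plan itself does not fix a Sift ID limit.

```python
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("login.throttle")

TWELVE_HOURS = 12 * 60 * 60


class LoginThrottler:
    """Sliding-window throttle for login attempts (hypothetical example class).

    Each attempt is checked against two keys: the client IP, capped at `limit`
    attempts per `window_seconds` (3 in 12 hours, matching the plan), and, when
    present, the Sift ID, capped at `sift_limit` (a placeholder value).
    Timestamps of allowed attempts are kept per key in a deque and pruned on
    every check, so the window slides instead of resetting at fixed boundaries.
    """

    def __init__(self, limit=3, window_seconds=TWELVE_HOURS, sift_limit=10,
                 clock=time.monotonic):
        self.limit = limit
        self.sift_limit = sift_limit
        self.window = window_seconds
        self.clock = clock              # injectable so tests can fake time
        self._attempts = defaultdict(deque)
        self.throttled = []             # records of throttled attempts, for auditing

    def _prune(self, key, now):
        """Drop timestamps older than the window and return the live deque."""
        q = self._attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def check(self, ip, username, sift_id=None):
        """Return True if the attempt may proceed, False if it is throttled.

        Throttled attempts are not recorded, so a legitimate user regains
        access `window_seconds` after their last *allowed* attempt rather than
        having the lockout extended by every retry.
        """
        now = self.clock()
        budgets = [(("ip", ip), self.limit)]
        if sift_id:
            budgets.append((("sift", sift_id), self.sift_limit))

        for key, limit in budgets:
            if len(self._prune(key, now)) >= limit:
                record = {
                    "username": username,
                    "ip": ip,
                    "sift_id": sift_id,
                    "throttled_on": key[0],
                    "window_seconds": self.window,
                }
                # Log the context the plan asks for: username, IP and Sift ID.
                log.warning("login throttled: %s", record)
                self.throttled.append(record)
                return False

        for key, _ in budgets:
            self._attempts[key].append(now)
        return True
```

The in-memory deques are enough to show the logic; a real deployment behind more than one web node would keep the per-key timestamps in a shared store such as Redis so that the budget is enforced across the pool rather than per process.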
Gavin M Roy (28 minutes ago): Sure, my main reference for them would be to point out how Tornado does it as a built-in behavior:
https://www.tornadoweb.org/en/stable/guide/security.html#cross-site-request-forgery-protection
https://github.com/tornadoweb/tornado/blob/master/tornado/web.py#L1489
https://github.com/tornadoweb/tornado/blob/master/tornado/web.py#L1371
https://github.com/tornadoweb/tornado/blob/master/tornado/web.py#L1527
Pages are moved into the CP with CSRF tokens being injected into the session and the form. The controller is updated in a separate MR to require the token and validate it against the value in the session. We're updating the F5 to route the login and landing pages to the staging environment to test that they load correctly. We'll do the same in production tomorrow, and then release the login controller changes once that's done.
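The token flow described above, as an added example that is not the CP's controller or Tornado's implementation: a synchronizer token minted into the session when the login form is rendered, echoed back in a hidden field, and checked by the controller against the session copy before the credentials are looked at. The session is modelled as a plain dict, and `CSRF_FIELD`, `render_login_form`, `require_csrf` and `login_controller` are names chosen for this example.

```python
import hmac
import secrets

CSRF_FIELD = "_csrf"     # hidden form field name (example choice)
SESSION_KEY = "_csrf"    # key under which the session stores the token


class CsrfError(Exception):
    """Raised when a POST arrives without a valid CSRF token."""


def get_or_create_token(session):
    """Return the session's CSRF token, minting one on first use.

    The same value is reused for the whole session, so a user with two tabs
    open does not invalidate one form by loading the other. token_urlsafe
    yields only [A-Za-z0-9_-], so it can be placed in an HTML attribute as-is.
    """
    token = session.get(SESSION_KEY)
    if not token:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def render_login_form(session, action="/login"):
    """Render the login form with the session-bound token injected."""
    token = get_or_create_token(session)
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'
        '<input name="username">'
        '<input type="password" name="password">'
        '<button>Log in</button>'
        '</form>'
    )


def require_csrf(session, form):
    """Reject the POST unless the submitted token matches the session copy.

    A missing token on either side is a failure, not a pass: a session that
    never rendered the form has nothing to compare against, and a cross-site
    form cannot read the session to learn the expected value.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get(CSRF_FIELD)
    if not expected or not submitted:
        raise CsrfError("missing CSRF token")
    if not hmac.compare_digest(expected, submitted):
        raise CsrfError("CSRF token mismatch")
    return True


def login_controller(session, form, authenticate):
    """Validate the token first, then the credentials.

    `authenticate(username, password)` is a caller-supplied callable so the
    example does not depend on any real credential store. On success the token
    is dropped so a fresh one is minted with the authenticated session.
    """
    require_csrf(session, form)
    if authenticate(form.get("username", ""), form.get("password", "")):
        session.pop(SESSION_KEY, None)
        return 303, "/landing"
    return 401, "bad credentials"
```

The check is only as strong as the session it is bound to: the cookie that carries the session must itself be protected (HttpOnly, Secure, and a SameSite setting), and the comparison uses `hmac.compare_digest` so the token cannot be recovered byte by byte through timing.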