SSL Enforcing and password hacking

tymek2
Posts: 3
Joined: 2015-12-11 14:39

SSL Enforcing and password hacking

Post by tymek2 » 2016-02-03 18:51

There definitely should be an option to enforce a secure SSL connection with the app.

I've made a work-around in the after-login global hook:

<?php
// Redirect to HTTPS when the request did not arrive over TLS.
// empty() also covers the case where $_SERVER["HTTPS"] is not set at all
// (plain HTTP), which would otherwise raise an undefined-index notice.
if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] === "off") {
    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"], true, 301);
    exit();
}

But this does not secure the logon screen.

On the other hand, is there any protection against attempts to scan for passwords?
(I mean using a bot that logs in time after time)

a.gneady
Site Admin
Posts: 1354
Joined: 2012-09-27 14:46

Re: SSL Enforcing and password hacking

Post by a.gneady » 2016-02-03 19:57

Try using this code on the top of "__global.php" directly after the opening tag <?php rather than inside the login_ok hook.

Invalid logins cause the application to return a "403 Forbidden" header ... You can use a tool like CSF, for example, to block IPs after, say, 10 occurrences of 403 statuses within 10 minutes ... this would effectively block brute force attacks.

jeevay
Posts: 1
Joined: 2016-04-23 21:17

Re: SSL Enforcing and password hacking

Post by jeevay » 2016-04-23 21:25

What about .htaccess?

# Redirect every plain-HTTP request to the same path over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
# The stray "%" before $1 in the original rule produced URLs like https://host/%path; removed.
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=301,L]

a.gneady
Site Admin
Posts: 1354
Joined: 2012-09-27 14:46

Re: SSL Enforcing and password hacking

Post by a.gneady » 2016-04-24 20:22

Indeed, that's a much more elegant solution, @jeevay. Thanks for sharing!
