
SSL Enforcing and password hacking

Posted: 2016-02-03 18:51
by tymek2
There definitely should be an option to enforce a secure SSL connection with the app.

I've made a workaround in the after-login global hook:
// Force HTTPS: send any plain-HTTP request to the same URL over https.
// Under Apache $_SERVER['HTTPS'] is simply absent (not "off") on plain HTTP,
// so test it with empty() to avoid an undefined-index notice.
// HTTP_HOST is taken from the client's Host header; pin it to your own
// hostname if the server answers for more than one name.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301); // permanent redirect
    exit();
}
But this does not secure the logon screen.

On the other hand, is there any protection against someone trying to scan passwords?
(I mean using a bot that tries to log in time after time.)

Re: SSL Enforcing and password hacking

Posted: 2016-02-03 19:57
by a.gneady
Try using this code at the top of "__global.php", directly after the opening <?php tag, rather than inside the login_ok hook.

Invalid logins cause the application to return a "403 Forbidden" header ... You can use a tool like CSF, for example, to block IPs after, say, 10 occurrences of 403 statuses within 10 minutes ... this would effectively block brute-force attacks.
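The "10 occurrences of 403 within 10 minutes" rule from the post above, written out as detection logic over web-server access logs. This is an added example, not code from the thread or from the application it discusses: the Apache combined-format log lines, the IP addresses and the sliding-window implementation are all constructed here, and the `block_commands` helper only formats CSF's `csf -d <ip>` deny command rather than running it.

```python
"""Sliding-window detector for repeated HTTP 403s per client IP.

Added example (not the forum's or the application's own code). It applies the
"N 403s within M minutes" rule to constructed Apache combined-format log lines;
line format, sample IPs and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One Apache "combined" log line looks like this (constructed):
# 203.0.113.7 - - [03/Feb/2016:18:51:00 +0000] "POST /index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))


def find_brute_forcers(lines, threshold=10, window=timedelta(minutes=10), status=403):
    """Return {ip: time the threshold was first hit} for every IP that produced at
    least `threshold` responses with code `status` inside some `window`-long sliding
    window. Lines are expected in chronological order, as the web server writes them."""
    recent = defaultdict(deque)  # ip -> timestamps of its 403s still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash on them
        ip, ts, code = parsed
        if code != status:
            continue  # successful logins and other errors do not count
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits that have aged out of the window
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_commands(flagged):
    """Format flagged IPs as CSF deny commands (`csf -d <ip> <comment>`); nothing is executed here."""
    return [f"csf -d {ip} repeated 403s, first hit threshold at {ts.strftime(TS_FMT)}"
            for ip, ts in sorted(flagged.items())]


def _log_line(ip, ts, status, req="POST /index.php HTTP/1.1"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed access log: one fast brute-forcer (12 failures in 5.5 minutes),
    one legitimate user who mistypes twice and then logs in, and one slow attacker
    whose 10 failures are 15 minutes apart and so never cluster inside the window."""
    base = datetime(2016, 2, 3, 18, 51, 0, tzinfo=timezone.utc)
    events = []
    events += [(base + timedelta(seconds=30 * i), "203.0.113.7", 403) for i in range(12)]
    events += [(base + timedelta(minutes=1), "198.51.100.4", 403),
               (base + timedelta(minutes=2), "198.51.100.4", 403),
               (base + timedelta(minutes=3), "198.51.100.4", 200)]
    events += [(base + timedelta(minutes=15 * i), "192.0.2.9", 403) for i in range(10)]
    events.sort(key=lambda e: e[0])  # logs are written in time order
    return [_log_line(ip, ts, status) for ts, ip, status in events]


if __name__ == "__main__":
    for cmd in block_commands(find_brute_forcers(sample_log())):
        print(cmd)
```

The slow attacker in the sample is the case a fixed-bucket counter (reset every 10 minutes) and a sliding window treat differently only in the other direction: a sliding window catches bursts that straddle a bucket boundary, which is why the deque is trimmed against the newest hit rather than a wall-clock boundary. Run against a real log, the threshold and window are the knobs to tune; a too-low threshold will lock out a user who mistypes a few times behind shared NAT.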

Re: SSL Enforcing and password hacking

Posted: 2016-04-23 21:25
by jeevay
What about .htaccess?

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
# Per-directory rules match the path without its leading slash, hence "/$1"
# (the original "%$1" was a typo that put a literal "%" into the target URL).
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]

Re: SSL Enforcing and password hacking

Posted: 2016-04-24 20:22
by a.gneady
Indeed, that's a much more elegant solution, @jeevay. Thanks for sharing!