So, while I have normally developed applications on the side or as a hobby site, it was relatively ideal to add security check points in my scripts to log bad behavior. For example, a login script that logs the IP of user input if matched to a bad array. Or even taking it a step further to log incidents where end users change hidden fields or simply try to break the script.
However, now that I would like to start designing more professional applications, I feel that doing so would be a waste of my time and resources to actually log these events and browse through them when I can simply prevent them from happening or getting that far. For example, if a user changes a hidden field from what it should be, I can simply prompt the error and return them to the page. Because they caused an undesired script function, no need to be fancy about it. I'm not talking about problems that could arise when typical users enter data; I'm speaking in terms of people that actually are trying to cause problems.
So that is my question: unless specified by the client or need of the application, I don't plan on adding a security log check in my scripts. In doing so I will simply place an exit or redirect if that error occurs. I was curious how this is looked upon?
I still do the same things... I run a game site (http://www.daysofwar.com - A little shameless self-promotion) and I log the IPs of people and do tons of IP tracking (for various reasons - logins, clicks, etc.). The one thing I usually never do is store things in hidden form fields.
Pretty much everything that may need to be stored gets cleaned/validated and thrown in the db immediately. Everything that isn't user-entered is at least stored in a lookup table of some sort. It is a little more db intensive, but I personally don't trust people enough to leave editable info of any type in hidden fields (even if it is encrypted). On more sensitive pages, I also check the referring page to make sure it came from my server. I know this can easily be faked, but it probably catches 90% of the tries from people who don't know any better.
Exactly, trust!
Don't get me wrong, I don't store any data hidden in those type of fields either, but I wanted to place a simple example up. My problem with the logs is that even though I usually implement it into my applications, I hardly ever actually view them. Which is why I would rather just prevent the abuse from pushing through than to stop it and log it.
For example, if I have a user login screen and the userid must be all numbers. There is a JS feature that only allows numbers in that field. However, a user can simply turn off the JS and enter letters, which would cause an error in the MySQL query. So I have a server-side check to stop it from processing if the field contains anything else but numbers. As well as doing this, it also logs the user's input with IP. I have less than 5 new entries a month, and usually because of a JS mistake allowing simple letters.
I now feel that while I hardly ever check the logs, it takes up slight processing time as well as db space that slows the DB process as well. The whole debate started when I started programming a new application and was starting to add the function for the check, the db entry and the function to enter the info into the db. I felt that this 10-20 mins isn't really needed if I know that the user can't do anything about it. While I like the idea of knowing what users put in...but could you imagine the log for Yahoo! Mail or MySpace? If you know your script can prevent it 100%, is it worth adding the log?
I guess it depends on the nature of the site.
If the site deals with sensitive data - in which case I would expect a secure connection - then, yes, I would log the occurrence and maybe even send an alert email (to negate the need to constantly check the logs). Otherwise, while I would still implement security checks, I would not do it at a level that adds unnecessary complexity to the coding.
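As an added illustration of the trade-off discussed in this thread (not code from any poster), the sketch below rejects a non-numeric userid before any query runs, keeps a bounded and sanitized record of it, and raises an alert flag only when one IP keeps tripping the check, so nobody has to read the log by hand. The digit limit, window, threshold, and all names are assumptions; the sample IP and inputs are constructed.

```python
import re
import time
from collections import defaultdict, deque

# [0-9] with fullmatch: \d would accept non-ASCII digits, and "$" would accept a trailing newline
USERID_RE = re.compile(r"[0-9]{1,10}")   # assumed rule: ASCII digits only, at most 10
WINDOW_SECONDS = 600                     # assumed sliding window for counting rejections
ALERT_THRESHOLD = 5                      # assumed rejections per IP that trigger an alert


class RejectionLog:
    """Bounded record of rejected input that flags repeat offenders."""

    def __init__(self, max_events=1000):
        self.events = deque(maxlen=max_events)   # oldest entries fall off, storage stays bounded
        self.by_ip = defaultdict(deque)          # per-IP timestamps inside the window

    def record(self, ip, field, raw, now=None):
        now = time.time() if now is None else now
        # Truncate and escape control characters so hostile input cannot
        # forge extra log lines or bloat the store
        safe = raw[:64].encode("unicode_escape").decode("ascii")
        self.events.append({"ts": now, "ip": ip, "field": field, "input": safe})
        recent = self.by_ip[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        # True exactly once per burst: when the count first reaches the threshold
        return len(recent) == ALERT_THRESHOLD


def check_userid(raw, ip, log, now=None):
    """Return (userid or None, alert). Invalid input never reaches the query."""
    if USERID_RE.fullmatch(raw):
        return int(raw), False
    return None, log.record(ip, "userid", raw, now)


if __name__ == "__main__":
    log = RejectionLog()
    for t, value in enumerate(["42", "abc", "1 OR 1=1", "7\n", "x", "y"]):  # constructed inputs
        print(repr(value), check_userid(value, "203.0.113.7", log, now=t))
```

The alert flag is the hook for the e-mail mentioned above; the prevention path is identical whether or not anything is recorded.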
When I wrote the admin portion to my game, I created tons of logs (IP logs, Click logs, Security Logs, Multiple Account logs, "Suspect Account Logs", "Weapon Purchase Logs", Attack Logs, Event Logs, Error Logs, etc.) to catch people cheating or for troubleshooting purposes. Eventually I got so much traffic (or at least enough to make the logs huge) that I hardly ever check them and they just started to eat DB space. In those cases, I ended up creating automated processes that read the logs and handled most of the problems or emailed me for other ones. The logs are a nice thing to have when someone complains about something so I can trace a problem or show that what was supposed to happen actually did, but in retrospect I may have gone a little too far with it. Most of the logs are for customer service requests, but I have been able to use them to catch people trying to wrongfully change data. IMHO, it's better to have and not need than to need and not have... Though, I suppose that if you know that it would be caught 100% of the time then there is no need for the logging.
As far as apps that I've written for my job, I only add stuff that is included in the analysis phase (maybe a little more =]). Most of the security logging is handled on a case-by-case basis and is only as good as the client is willing to pay for...
Sphinx is right though that it really should be considered on a per-case basis due to time constraints and other limitations.
BTW: Did you have a hand in making Rankk? I noticed that your name appears in the storyline, but you're only a Scribe (not that there is anything wrong with that...) =]
I know what you mean by using logs in that case; they are usable and serve a function on the site for other reasons than simply security. I feel easy to say that I have decided to use the logs only where I need to instead of throughout user input in the site. For example, a few years back I worked for a bank and created the online intranet that required a login to certain sections. While typically it wasn't requested that I set up logs throughout the site, I did anyway and found potential employee problems. But of course when dealing with sensitive information as sphinx put it...it's as if it should be required. Though for the site I am creating now, I do not feel that I need logs to tell me if someone is doing something bad because I know it's protected....if you are able to log it then it's still protected...I'm just taking out the extra step. It's very unlikely I would ban the user or IP if I found something because I just wouldn't mind it.
I actually had no hand in the making of Rankk. The story is actually from the first version, which was called The Pyramid, that was online about 3 years ago...the story is maybe 4-5 years? I think it was placed up for historical reasons...I even have an extended version of the story located at http://sk-pyramid.netfirms.com/ which was a slight mirror of the previous site. (Flash-Back for former users & I actually prefer the story located at the mirror than the official one...it's a little more unique and detailed) Yes Yes...I know my rank is lower than the rest, soon enough though. :D
http://sk-pyramid.netfirms.com/ nice site!
edited: oops, wrong site.. I was referring to scarabaeus's http://www.daysofwar.com site.