Document portal – To allow our customers to download reports that we have created. The customer must also have the ability to upload documents.
User registration
– only when initiated by admin users
– email gets sent to the requested user (one-time link that expires after 12 hours)
– user will then follow the link to the system to register and create their own password (enforce password complexity: minimum 8 characters with 3 character groups)
– Allow multiple users to be assigned to a client
User authentication
– must be built with security in mind
– secure code review will be undertaken
– account lockouts (use reCAPTCHA after 2 incorrect attempts, then lock out for 30 mins after 10 attempts)
– using a secure cookie mechanism (use platform session token with HttpOnly and Secure flags)
– Lock session to IP and do not allow simultaneous login sessions
– Generate email to client on password change or lockout
– Session timeout after 30 mins
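
An added example (not part of the original specification or the portal's code) of the lockout rule above: reCAPTCHA after 2 incorrect attempts, then a 30-minute lockout after 10. The class and method names, the in-memory store and the `notifications` list standing in for the email are assumptions; Python is used only for illustration.

```python
from dataclasses import dataclass

CAPTCHA_AFTER = 2          # failed attempts before reCAPTCHA is required
LOCKOUT_AFTER = 10         # failed attempts before the account is locked
LOCKOUT_SECONDS = 30 * 60  # lockout lasts 30 minutes

@dataclass
class LoginState:
    failures: int = 0
    locked_until: float = 0.0

class LoginThrottle:
    """In-memory tracker (assumption); a real portal would persist this state."""

    def __init__(self):
        self._state = {}
        self.notifications = []  # stand-in for the lockout email to the client

    def _get(self, username, now):
        # State is kept for any submitted name, registered or not, so the
        # response never reveals which usernames exist.
        st = self._state.setdefault(username.lower(), LoginState())
        if st.locked_until and now >= st.locked_until:
            st.failures, st.locked_until = 0, 0.0  # lockout expired
        return st

    def check(self, username, now):
        """Call before verifying credentials: 'locked', 'captcha' or 'ok'."""
        st = self._get(username, now)
        if st.locked_until:
            return "locked"
        return "captcha" if st.failures >= CAPTCHA_AFTER else "ok"

    def record(self, username, success, now):
        """Call after verifying credentials; returns the state for the next attempt."""
        st = self._get(username, now)
        if st.locked_until:
            return "locked"  # even a correct password is refused while locked
        st.failures = 0 if success else st.failures + 1
        if st.failures >= LOCKOUT_AFTER:
            st.locked_until = now + LOCKOUT_SECONDS
            self.notifications.append((username.lower(), "lockout"))
            return "locked"
        return "captcha" if st.failures >= CAPTCHA_AFTER else "ok"

    def unlock(self, username):
        """Administrator unlock: clears failures and any active lockout."""
        self._state.pop(username.lower(), None)
```
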
Forgotten password function
– allows registered users to reset their password by following a link sent to their registered email address (with reCAPTCHA and/or security question?)
– must not allow username enumeration
Administration function
– Ability to upload and download documents from all registered users' areas
– Create, delete and edit users' details (including account unlocking)
– Initial administrator must be able to add further admin users
– Full logging – user auth, download, upload, etc.
– Account search feature – client, forename, surname and username
Upload and download documents
– Users must not be able to see other users' documents
– All documents will be saved locally on the hosting webserver
– Users have the ability to delete documents within their account (although not to delete them physically from the disk)
– Alert specific users when a report is downloaded
– Limit file extension, content (could create a blacklist/whitelist) and size
Use stored procedures for all SQL queries. Every parameter is sanitised on the server side. Session token and username checked for every transaction.
All code is fully commented so we can understand it.