If you're trying to defend against a brute-force password guessing attack,
you could add a captcha to your logon form after x failed login attempts
from one IP address.

Maarten

On Fri, Dec 5, 2008 at 5:20 PM, Jeremy Thomerson
<[EMAIL PROTECTED]> wrote:

> You definitely do NOT want to intentionally sleep a thread - that halts the
> request, and uses up your thread pool.  You instead want the request to
> complete, but you don't want to allow them to continue trying.  So, that
> being said, you could:
>
> 1 - add a value to their session like "private long blockedFromSignInUntil"
> and when they've exceeded your threshold, set that to ten minutes in the future.
> This isn't bulletproof since they could start a new session by using a new
> window / browser / blowing away cookies.
> 2 - if it's on a per-username (rather than a per-session) basis, add a
> similar value to the user - not allowed to sign in until....  This is probably
> better anyway, because if I'm "nefarious guy" and I'm trying to sign in to
> "mr nice guy" account, you lock "mr nice guy" account because you are in
> fact detecting an identity theft attempt.
> 3 - you could do a combo of the above so that I, "nefarious guy" when I get
> blocked from "mr nice guy" account, can't move on to "mr unsuspecting"
> account.
>
> Then, just have your sign in form be aware of that value in session or user
> and not allow a sign in to that account or from that session until the
> timeout is expired.
>
> But as a general rule of thumb, never use Thread.sleep in a web app -
> especially somewhere in the request cycle.  It'll be shooting yourself in
> the foot.
>
> Hope this helps,
>
> --
> Jeremy Thomerson
> http://www.wickettraining.com
>
>
> On Fri, Dec 5, 2008 at 9:46 AM, Anton Veretennikov <
> [EMAIL PROTECTED]> wrote:
>
> > Hello all Wicket users.
> >
> > One more question today.
> > I need to implement the appearance of a sleep if a "user" (session, IP
> > address) tries an incorrect login many times.
> > Thread.sleep() seems to stop all sessions at once. Any ideas?
> >
> > Thank you!
> >
> >
> >
>

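Putting Jeremy's three options and Maarten's captcha suggestion together, here is an added example of a login throttle that never sleeps. It is not code from the original thread or from Wicket; it is plain JDK code with no Wicket dependency, so the per-session counter lives in a map here rather than in your application's session object. It keeps a "blocked from sign-in until" timestamp per username and per session (locked after a threshold of failures), and a separate per-IP failure count that only demands a captcha instead of blocking. The usernames, session ids, IP address, thresholds and timestamps are constructed for illustration. One caveat a practitioner should keep in mind: the per-username lock means anyone who knows a username can lock that user out, which is why it is paired with the per-session and per-IP checks and why the IP-level response is a captcha rather than a hard block.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Non-blocking login throttle (added example, plain JDK, no Wicket dependency).
 * Nothing here ever sleeps: every call returns immediately and the request
 * completes normally. The sign-in form simply refuses to verify a password
 * while the decision returned by check() is anything other than ALLOW.
 */
public class LoginThrottle {

    public enum Decision { ALLOW, CAPTCHA_REQUIRED, ACCOUNT_LOCKED, SESSION_LOCKED }

    /** Consecutive failure count plus a "blocked from sign-in until" timestamp. */
    private static final class Counter {
        int failures;
        Instant blockedUntil = Instant.EPOCH;

        /** True while blocked; once the block has expired the counter is cleared. */
        synchronized boolean blockedAt(Instant now) {
            if (blockedUntil.isAfter(now)) return true;
            if (!blockedUntil.equals(Instant.EPOCH)) {
                failures = 0;
                blockedUntil = Instant.EPOCH;
            }
            return false;
        }

        /** Records one failure; starts a block of the given length once the threshold is hit. */
        synchronized void fail(int threshold, Instant now, Duration lockout) {
            if (blockedAt(now)) return;          // already blocked: keep the original expiry
            if (++failures >= threshold) blockedUntil = now.plus(lockout);
        }
    }

    private final int maxFailures;   // per user and per session: lock after this many failures
    private final int captchaAfter;  // per IP address: demand a captcha after this many failures
    private final Duration lockout;  // how long a lock (or a captcha demand) lasts

    // Three independent keys, so an attacker blocked on one account cannot simply
    // move on to the next account from the same session.
    private final Map<String, Counter> byUser = new ConcurrentHashMap<>();
    private final Map<String, Counter> bySession = new ConcurrentHashMap<>();
    private final Map<String, Counter> byIp = new ConcurrentHashMap<>();

    public LoginThrottle(int maxFailures, int captchaAfter, Duration lockout) {
        this.maxFailures = maxFailures;
        this.captchaAfter = captchaAfter;
        this.lockout = lockout;
    }

    /** Ask before verifying the password. Checked in order: account, session, IP. */
    public Decision check(String username, String sessionId, String ip, Instant now) {
        if (blocked(byUser, username, now)) return Decision.ACCOUNT_LOCKED;
        if (blocked(bySession, sessionId, now)) return Decision.SESSION_LOCKED;
        if (blocked(byIp, ip, now)) return Decision.CAPTCHA_REQUIRED;
        return Decision.ALLOW;
    }

    /** Call after a wrong password: all three counters move, each with its own threshold. */
    public void recordFailure(String username, String sessionId, String ip, Instant now) {
        counter(byUser, username).fail(maxFailures, now, lockout);
        counter(bySession, sessionId).fail(maxFailures, now, lockout);
        counter(byIp, ip).fail(captchaAfter, now, lockout);
    }

    /** Call after a correct password (and a solved captcha, if one was demanded). */
    public void recordSuccess(String username, String sessionId, String ip) {
        byUser.remove(username);
        bySession.remove(sessionId);
        byIp.remove(ip);
    }

    private static Counter counter(Map<String, Counter> m, String key) {
        return m.computeIfAbsent(key, k -> new Counter());
    }

    private static boolean blocked(Map<String, Counter> m, String key, Instant now) {
        Counter c = m.get(key);
        return c != null && c.blockedAt(now);
    }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(3, 5, Duration.ofMinutes(10));
        Instant now = Instant.parse("2008-12-05T17:20:00Z");  // constructed timestamp
        String ip = "203.0.113.7";                            // constructed address

        // "nefarious guy" guesses three passwords for "mr nice guy" from session s1.
        for (int i = 0; i < 3; i++) t.recordFailure("mr nice guy", "s1", ip, now);
        System.out.println("nice guy, s1:        " + t.check("mr nice guy", "s1", ip, now));
        // Same session now tries a different account: the session-level block applies.
        System.out.println("unsuspecting, s1:    " + t.check("mr unsuspecting", "s1", ip, now));
        // A fresh session (cookies blown away) gets past the session block...
        System.out.println("unsuspecting, s2:    " + t.check("mr unsuspecting", "s2", ip, now));
        // ...but the per-IP count keeps growing, and the captcha threshold catches it.
        t.recordFailure("mr unsuspecting", "s2", ip, now);
        t.recordFailure("mr unsuspecting", "s2", ip, now);
        System.out.println("unsuspecting, s2 +2: " + t.check("mr unsuspecting", "s2", ip, now));
        // Ten minutes later the locks and the captcha demand have expired, with no sleep().
        Instant later = now.plus(Duration.ofMinutes(10));
        System.out.println("nice guy, s1, later: " + t.check("mr nice guy", "s1", ip, later));
    }
}
```

In a real application the sign-in form calls check() before it touches the password store, shows a captcha or an "account temporarily locked" message for anything but ALLOW, and calls recordFailure() or recordSuccess() afterwards; the maps should be replaced by your session object and user record as Jeremy describes, since an in-memory map is lost on restart and not shared across a cluster.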