Disadvantage is that the server will keep the request processing thread occupied during the waiting period. A brute force attack that fires multiple requests simultaneously will not be stopped by this and will bring the server to its knees even more quickly. So Johan was right, you should not do this in the web application.
Now if you start using AsyncWeb it would be quite another story of course...

Regards,
Erik.

Johannes Fahrenkrug wrote:
> That's not a bad idea... that would mean delaying a response for a
> second or two _every time_ a false login happens... That would be a
> rather simple but yet effective solution, too: It would render brute
> force useless and behave quite similar to the Linux shell login you
> mentioned....
>

--
Erik van Oosten
http://www.day-to-day-stuff.blogspot.com/
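
One way to get the per-failure delay discussed in this thread without parking a request thread, as an added example that is not from the thread or from Wicket: record when the next attempt is allowed and reject early instead of sleeping. `LoginThrottle` and its method names are hypothetical, and the code assumes Java 16+ for `record`.

```java
import java.util.concurrent.ConcurrentHashMap;

/** Added example: non-blocking failed-login throttle (hypothetical class, not a Wicket API). */
public class LoginThrottle {
    // Failures so far, and the earliest time (ms) at which the next attempt is accepted.
    private record State(int failures, long notBefore) {}

    private final ConcurrentHashMap<String, State> byUser = new ConcurrentHashMap<>();
    private final long baseDelayMs;
    private final long maxDelayMs;

    public LoginThrottle(long baseDelayMs, long maxDelayMs) {
        this.baseDelayMs = baseDelayMs;
        this.maxDelayMs = maxDelayMs;
    }

    /** Returns at once; the caller answers "try again later" instead of sleeping. */
    public boolean isBlocked(String user, long nowMs) {
        State s = byUser.get(user);
        return s != null && nowMs < s.notBefore();
    }

    /** Doubles the waiting period per consecutive failure, capped at maxDelayMs. */
    public void recordFailure(String user, long nowMs) {
        byUser.compute(user, (k, s) -> {
            int n = (s == null) ? 1 : s.failures() + 1;
            long delay = Math.min(maxDelayMs, baseDelayMs << Math.min(n - 1, 20));
            return new State(n, nowMs + delay);
        });
    }

    /** A successful login clears the account's failure history. */
    public void recordSuccess(String user) {
        byUser.remove(user);
    }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(1_000, 60_000);
        long now = 0; // constructed clock, so the demo needs no real waiting
        for (int i = 1; i <= 3; i++) {
            t.recordFailure("alice", now);
            System.out.printf("failure %d: blocked at +500ms=%b, at +4000ms=%b%n",
                    i, t.isBlocked("alice", now + 500), t.isBlocked("alice", now + 4_000));
            now += 4_000;
        }
    }
}
```

The map is keyed by submitted username and never pruned here, so a real deployment would bound or expire entries. Because the delay applies per account, repeated bad logins also delay the legitimate owner of that account.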