I think I've been down this path before. I'm not sure if this is still
the case, but in some instances, such as AOL browsers, users can actually
have a different IP address per request. As I said, that was a while ago,
so I'm not sure if that still stands. Can anyone confirm this?


Kola

>> -----Original Message-----
>> From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
>> Sent: 13 December 2002 15:24
>> To: CF-Talk
>> Subject: RE: Session Variables (was Login/Password screen)
>> 
>> Ok, let me restate to be sure that I understand...
>> 
>> The security issue for counting login attempts is that a User can
>> continue attempts so long as they remove CFID & Token from the URL and
>> turn off / delete cookies.  This can be countered by:
>> 
>> 1.  Tracking failed logon attempts by IP address.  These would have to
>> be saved in either DB, file, or Application Variable, then compared
>> before each logon attempt
>> 
>> 2.  Once a valid User ID has been entered, track unsuccessful attempts,
>> then email User if attempts exceed a certain number.  You could also
>> lock the account and require user to return Email, click on link, or
>> otherwise re-activate their account.
>> 
>> 3.  What else.......
>> 
>> Andy
>> 
>> -----Original Message-----
>> From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
>> Sent: Friday, December 13, 2002 8:05 AM
>> To: CF-Talk
>> Subject: Re: Session Variables (was Login/Password screen)
>> 
>> 
>> Quoting Andy Ousterhout <[EMAIL PROTECTED]>:
>> >
>> > What do you mean, maintained on the client?
>> 
>> The client has to send the CFID and CFToken. If the client doesn't do
>> that, the server will not be able to associate the appropriate session
>> variables with the client request. That is not a problem when users are
>> logged out when the session fails, but leaves a security risk if the
>> client is allowed more when the session is not present. Simply refusing
>> the cookies with the CFID and CFToken would give me an unlimited number
>> of login attempts.
>> 
>> Always design systems with a fail-close behaviour.
>> 
>> Jochem
>> 
>>

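Added example, not code from anyone in this thread: the fail-closed counter Jochem asks for and Andy's option 1 / option 2, written in Python rather than CFML so the logic can be run stand-alone. The failure counters live server-side (here an in-memory dict standing in for a DB table or the Application scope; nothing here is a real ColdFusion API), keyed by account and by source IP instead of by the client's session. Because the decision never reads the session, a client that strips CFID/CFTOKEN and deletes its cookies on every request gains nothing. The simulation at the end models the case Kola raises: an attacker whose IP changes on every request. The thresholds, the window, the sample users and the IP ranges are all constructed for the demo.

```python
"""Fail-closed login throttling that does not depend on the client's session.

Constructed demo, not CF-Talk list code. Counters are stored server-side
(an in-memory dict here; a DB table or Application-scope struct in practice)
keyed by account and by source IP, so dropping CFID/CFTOKEN cookies or
changing IP between requests cannot reset them.
"""
import hashlib
import hmac
import os
from collections import defaultdict

MAX_FAILURES_PER_ACCOUNT = 5   # lock the account after this many failures
MAX_FAILURES_PER_IP = 20       # tolerate a shared proxy, still stop a flood
WINDOW_SECONDS = 900           # failures older than this are forgotten
LOCK_SECONDS = 900             # how long a tripped account stays locked
PBKDF2_ROUNDS = 10_000         # demo value; use far more in production


class LoginThrottle:
    """Per-account and per-IP failure counters with a sliding window."""

    def __init__(self, clock):
        self._clock = clock                        # callable returning seconds
        self._account_failures = defaultdict(list)  # username -> timestamps
        self._ip_failures = defaultdict(list)       # ip -> timestamps
        self._locked_until = {}                     # username -> unlock time

    def _recent(self, stamps, now):
        return [t for t in stamps if now - t < WINDOW_SECONDS]

    def is_blocked(self, username, ip):
        """Return the reason this attempt must not proceed, or None."""
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return "account locked"
        acct = self._account_failures[username] = self._recent(self._account_failures[username], now)
        src = self._ip_failures[ip] = self._recent(self._ip_failures[ip], now)
        if len(acct) >= MAX_FAILURES_PER_ACCOUNT:
            return "account limit"
        if len(src) >= MAX_FAILURES_PER_IP:
            return "ip limit"
        return None

    def record_failure(self, username, ip):
        now = self._clock()
        self._account_failures[username].append(now)
        self._ip_failures[ip].append(now)
        if len(self._recent(self._account_failures[username], now)) >= MAX_FAILURES_PER_ACCOUNT:
            self._locked_until[username] = now + LOCK_SECONDS  # Andy's option 2

    def record_success(self, username):
        self._account_failures.pop(username, None)

    def worst_ip_count(self):
        """Largest number of failures seen from any single IP (for the demo)."""
        now = self._clock()
        return max((len(self._recent(s, now)) for s in self._ip_failures.values()), default=0)


def make_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


_DUMMY_RECORD = make_record("dummy")  # keeps cost constant for unknown users


def attempt_login(throttle, users, username, password, ip, has_session=True):
    """Return "ok", "denied" or "locked".

    The throttle is consulted before the password is checked, and nothing
    here reads `has_session`: a request without session cookies is treated
    exactly like one with them. That is the fail-closed behaviour.
    """
    if throttle.is_blocked(username, ip):
        return "locked"
    record = users.get(username)
    valid = check_password(record or _DUMMY_RECORD, password) and record is not None
    if valid:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"


def simulate_rotating_ip_attack(n_attempts):
    """Attacker drops cookies and arrives from a fresh IP on every request.

    Returns (outcomes, worst_ip_count). With per-IP counting alone the
    attacker would never be stopped; the per-account counter still trips.
    """
    clock = [1_000_000.0]
    throttle = LoginThrottle(lambda: clock[0])
    users = {"alice": make_record("correct horse battery")}  # constructed user
    outcomes = []
    for i in range(n_attempts):
        clock[0] += 1.0
        ip = f"10.0.{i // 250}.{i % 250 + 1}"  # constructed rotating source
        outcomes.append(attempt_login(throttle, users, "alice", f"guess{i}", ip, has_session=False))
    return outcomes, throttle.worst_ip_count()


if __name__ == "__main__":
    print(simulate_rotating_ip_attack(8))
```

Two caveats worth keeping in mind when moving this to a real store: the per-account lock means anyone who knows a username can lock its owner out, which is why the thread pairs it with an email or reactivation link rather than a silent lock; and the per-IP threshold has to be loose enough for a proxy that fronts many users, which is exactly why it cannot be the only control.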
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq