Having a 5 seconds “forbidden window” could be bad UX for users with password managers (like LastPass, or even just Apple’s built-in whatever-they-call-it fingerprint-scanning password autofill). It often takes about a second to submit the login form in such cases.
Maybe 1 second interval would work, considering that some time will have been already used up even before the page renders. But this probably doesn’t solve the original issue. Fran > On 05.04.2022., at 16:05, Jacob Rief <jacob.r...@gmail.com> wrote: > > How about this proposal? > Someone opens the login page. In addition to the visible fields username and > password and the hidden field csrftoken we add another hidden field. This > field contains the earliest (server-)timestamp a user might login, and lies > in the near future, for instance now() + timedelta(seconds=5). That value is > cryptographically signed. > > In addition to this, we disable the submit button and add a small Javascript > function which sets an interval corresponding to the mandatory login delay. > After that interval expired, the submit button is enabled again. > > A malicious client who bypasses the disabled button and attempts to submit > the login for, will receive a HTTP response with an error code > 400. > > What are the advantages? > > Django doesn't have to store any state of users and/or IP addresses > attempting to log in. > Django doesn't have to delay itself to throttle requests. This btw. is a DoS > attack vector by blocking server threads. > We transfer responsibility for delaying login requests to the client – who > can't bypass them. > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/b64d44a3-c7dd-4f9a-bf4f-1b8e9818fb64n%40googlegroups.com. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/86BEC74C-DB8D-4844-BE1F-2C176A285521%40gmail.com.
