On Thu, 6 Apr 2000, Gunther Birznieks wrote:

> Vivek,
> 
> Is it possible that a special auth handler could be written that stores the number
> of bad authorizations for a userid and the last time of the hit in a DBM file for
> quick lookup? Then, configure an environment or server variable if the auth screwed
> up more than 3 times within the last hour (or some other prespecified time)?
> 
> Although HTTP is stateless, the username would at least tend to remain constant in
> most cases of hacking or user problems I would think.

That opens up a nasty Denial of Service attack though.  All I have to do
is try to log into the "gunther" account three times in rapid succession
with a bogus password, and WHAM, the real Gunther is locked out.  Granted, 
it's possible to work around this, but the best way is probably going to
be cookie based like Vivek suggested.

-Mark
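Added illustration of the exchange above (not code from the thread, and in Python rather than the mod_perl setting the list is discussing): the per-username failure counter with a rolling one-hour window that Gunther proposed, with an in-memory dict standing in for the DBM file and an injectable clock, both assumptions of mine. `lockout_demo` replays Mark's objection: because the key is the username alone, three bad attempts lock "gunther" regardless of who sent them, and the lock lifts only once the window has passed.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # "within the last hour"
MAX_FAILURES = 3       # lock once this many bad auths fall inside the window


class FailureTracker:
    """Per-username log of recent failed authorizations. A dict of deques stands
    in for the DBM file of the proposal (assumption); the clock is injectable."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES, clock=time.time):
        self.window, self.limit, self.clock = window, limit, clock
        self.failures = defaultdict(deque)  # username -> timestamps of bad auths

    def _recent(self, user, now):
        # Drop entries older than the window so the count is a rolling one.
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, user):
        now = self.clock()
        self._recent(user, now).append(now)

    def record_success(self, user):
        self.failures.pop(user, None)  # a good login clears the counter

    def is_locked(self, user):
        # The point at which the handler would set the env/server variable.
        return len(self._recent(user, self.clock())) >= self.limit


def lockout_demo():
    """Replays the thread's scenario: three bad passwords for 'gunther' lock the
    account no matter who sent them, and the lock clears only after the window."""
    now = [1_000_000.0]                   # constructed clock value
    tracker = FailureTracker(clock=lambda: now[0])
    for _ in range(MAX_FAILURES):         # attempts the real user never made
        tracker.record_failure("gunther")
    locked_now = tracker.is_locked("gunther")
    now[0] += WINDOW_SECONDS + 1          # an hour later the entries expire
    locked_later = tracker.is_locked("gunther")
    return locked_now, locked_later


if __name__ == "__main__":
    print(lockout_demo())  # (True, False)
```

The window keeps the lock from being permanent, but it does nothing about the fact that the counter is keyed on a value anyone can supply, which is exactly the weakness Mark points at.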