Also, some legitimate people turn off cookies. In addition, weird browsers
(especially PDAs with limited memory) tend not to implement cookies. So those
are considerations for locking out users that may be legitimate.

However, I would rather think that the cookies would be an advisory security
mechanism used in conjunction with the 3 strikes. Not something that a user has
to use in this case, but something that helps make sure some yahoo with a
browser doesn't do the DoS attack along with the 3 strikes.

Cookies are, of course, spoofable so that then becomes something that you would
have to watch out for from a serious hacker. I guess at that point it's just a
matter of tradeoffs again...

Nicolas MONNET wrote:

> Ahem, now if we have to take AOL users into account ... j/k.
>
> Actually, I don't see how cookies could be implemented; if the attacker
> rejects cookies, how are you going to do it? ...
>
> On Fri, 7 Apr 2000, Mark Imbriaco wrote:
>
> |What about folks who are behind proxies?  (ie: AOL) It is not all that far
> |fetched to consider that an attacker and a legitimate user could both be
> |coming from AOL -- neither is it farfetched to consider that they may be
> |assigned the same proxy server on the AOL network.
> |
> |There ARE workarounds to the issue, my point was simply that Vivek's
> |cookie idea is probably the best of the (admittedly numerous) bunch.
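The advisory-cookie-plus-three-strikes design discussed in this thread, as an added Python example that is not part of the original messages: failed logins from a request carrying a valid HMAC-signed device cookie count only against that device, while cookie-less failures lock only cookie-less logins for the account, so a legitimate user holding a cookie is not locked out by a third party's three strikes, and a spoofed cookie fails the signature check. The `SECRET`, account names and passwords are constructed for the example.

```python
import hmac
import hashlib
import secrets

SECRET = b"server-side-secret-for-demo"   # constructed; keep server-side in practice
MAX_STRIKES = 3

def issue_device_cookie(account: str) -> str:
    """Issue a signed device cookie after a successful login.
    Format nonce.account.tag; the HMAC tag makes it unforgeable without SECRET."""
    nonce = secrets.token_hex(8)
    body = f"{nonce}.{account}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def cookie_is_valid(cookie: str, account: str) -> bool:
    """Check the signature and that the cookie was issued for this account."""
    try:
        nonce, acct, tag = cookie.split(".")
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{nonce}.{acct}".encode(), hashlib.sha256).hexdigest()
    return acct == account and hmac.compare_digest(tag, expected)

class LockoutPolicy:
    def __init__(self, passwords):
        self.passwords = passwords   # account -> password (constructed sample store)
        self.strikes = {}            # bucket -> consecutive failure count

    def _bucket(self, account, cookie):
        # A valid cookie isolates strikes to that device; everything else shares
        # one "untrusted" bucket per account, so only cookie-less logins get locked.
        if cookie and cookie_is_valid(cookie, account):
            return ("cookie", cookie)
        return ("untrusted", account)

    def login(self, account, password, cookie=None):
        bucket = self._bucket(account, cookie)
        if self.strikes.get(bucket, 0) >= MAX_STRIKES:
            return "locked"
        if self.passwords.get(account) == password:
            self.strikes.pop(bucket, None)   # success clears this bucket's strikes
            return "ok"
        self.strikes[bucket] = self.strikes.get(bucket, 0) + 1
        return "bad-password"
```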
