Re: Login Security
One idea: the third time the login fails, register the time for that user. When a login gets executed, if the last registered time for the given user is less than the time interval you want, the login always fails. The user must have something like:

User : id || login | password | last_failure | number_failures

Hope it helps,
Pedro Salgado

On 16/12/2003 15:55, Ciaran Hanley [EMAIL PROTECTED] wrote:

> I'm writing a web application using JSP and Struts. I want to add a security feature to my login page where if a user has three unsuccessful logins they will be unable to log in for a certain period of time afterwards. I can count the number of unsuccessful logins ok, but I'm not sure how to give a timeout after 3 failures. Any ideas how I could implement this?
>
> Thanks
RE: Login Security
You could put a cookie on the user's machine that expires after a certain period of time. Of course this only works when cookies are turned on, and an experienced user could always manually remove their cookie.

Another solution may be to get the user's IP address from the request header and add it to a list of invalid IP addresses with their times of entry. Then upon a new request, you will have to check the list and determine how long ago the IP address was added.

I'm just brainstorming here so anybody can criticize these suggestions freely.

-Jonathan
RE: Login Security
I am storing the username and password in a table in a MySQL database. I think I will just add a field last_failure to the user table... and after 3 unsuccessful attempts I will record the time in the last_failure field and work out if the timeout has elapsed by querying that field and comparing it to the current time. That way, I won't be using cookies, and will avoid blocking IP addresses. Does that sound ok?

Ciaran

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: 16 December 2003 20:46
Subject: RE: Login Security

> Avoid the cookie solution, it's too easy for the user to bypass your security measures and as mentioned below, this solution won't work if the browser has disabled cookies.
>
> Don't block IP addresses because they can be easily spoofed and redirected. Dynamic IPs pose a problem as you could be blocking out a legitimate user.
>
> How are you storing your list of usernames/passwords? Would it be possible to add an extra bit of data next to each username/password indicating when the login is valid?
RE: Login Security
Do a HashMap in the action: Key is username, Value is Integer (failure count) or Date (locked until).

    import java.util.*;

    // One map per JVM, shared by every request that reaches the Action, so it must be synchronized
    private static final Map attempts = Collections.synchronizedMap(new HashMap());
    private static final int MAX_FAILURES = 3;
    private static final long LOCKOUT_MILLIS = 15 * 60 * 1000L; // lockout length; pick your own

    // Call on each failed login; returns true if the account is (now) locked
    boolean recordFailure(String username) {
        Object value = attempts.get(username);
        if (value instanceof Date) {
            // compare timeout dates: still inside the lockout window?
            if (((Date) value).after(new Date())) return true;
            value = null; // lockout expired, start counting again
        }
        int count = (value instanceof Integer) ? ((Integer) value).intValue() + 1 : 1;
        if (count >= MAX_FAILURES) {
            attempts.put(username, new Date(System.currentTimeMillis() + LOCKOUT_MILLIS));
            return true;
        }
        attempts.put(username, new Integer(count));
        return false;
    }
RE: Login Security
Btw, remember to flush the map for that username when they are able to login successfully.
Re: Login Security
On 16/12/2003 21:43, Ciaran Hanley [EMAIL PROTECTED] wrote:

> I am storing the username and password in a table in a MySQL database. I think I will just add a field last_failure to the user table... and after 3 unsuccessful attempts I will record the time in the last_failure field and work out if the timeout has elapsed by querying that field and comparing it to the current time.

That's the way ;D

Pedro Salgado
Re: Login Security
I think that you should register the blocked IP in the database anyway. It helps to explain situations like the one below. Try to imagine a situation like this: one user (A) really doesn't like another user (B) or the system administrator (C). Then (A) tries to log in to his (B's or C's) account with a bad password. His (B's or C's) account is disabled. Then person A can accuse person B or C that they are not working. Maybe it seems silly, but I have had such a bad experience. The machine IP from which the last login attempt was made may help to explain all the circumstances.

JD
Re: Login Security
Several organizations expose the same IP address for most or all users. You'd be blocking entire organizations because of one bad login.
RE: Login Security
You could apply what I described by defining the key as username + "@" + ip.

Good idea!
Re: Login Security
1. I was thinking of a corporate solution, where every station has its own IP (maybe from DHCP).
2. I suggested only storing the IP, not comparing it on the next login or permanently blocking this IP. It is for future investigation only.
3. This organization may have been blocked already anyway, because if it uses a common account, that account was disabled anyway.

Maybe this whole solution is not needed or is not well thought over. That was only my little remark.

JD

----- Original Message -----
From: Hubert Rabago [EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 11:24 PM
Subject: Re: Login Security

> Several organizations expose the same IP address for most or all users. You'd be blocking entire organizations because of one bad login.
Re: Login Security
hi!

You could have an exponential backoff period, where rather than blocking a person (there's a genuine chance you forgot the password and are trying five combinations or so) you disable the account for a period of time which is proportional to the number of tries the user has made. An exponential relationship between the number of tries and the time disabled would be best. So if someone is trying a dictionary attack, then as the number of tries increases the account will be suspended for longer periods.

In terms of implementing it, yes, I suppose you will need an extra field to record the time when the account will next be active.

Security is of course relative. You may go for salts when storing passwords, but that depends on your application and its threat model.

But I agree, to prevent someone from maliciously blocking another person's account, you should have a mechanism of maybe storing IP addresses (though a malicious user could spoof these).

regards
Ajay

From: Janusz Dziadoń [EMAIL PROTECTED]
Date: Tue, 16 Dec 2003 23:43:41 +0100
Subject: Re: Login Security
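The thread converges on four pieces: Ciaran's extra columns on the user table (last_failure plus a failure count), Jacob's reminder to reset the counter on a successful login, Janusz's point that the source IP should be recorded for investigation rather than used to block, and Ajay's exponential backoff instead of a flat lockout. The example below, added here as an editor's illustration and not code from the Struts application or from anyone in the thread, puts all four together on an in-memory SQLite table so it runs stand-alone; the SQL is plain enough to move to MySQL unchanged. The column names number_failures, locked_until and last_failure_ip, the login "ciaran", the IP 203.0.113.7, the one-minute base lockout and the PBKDF2 password storage are all assumptions made for the example. Two details matter for the denial-of-service angle Janusz raised: the lock is checked before the password is verified, so a locked account cannot be probed, and an attempt made while the account is locked does not extend the lock, so an attacker who knows a username cannot keep its owner locked out indefinitely just by hammering the form. Unknown logins get exactly the same "bad" answer as a wrong password, so the login page does not reveal which usernames exist.

```python
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timedelta

FREE_FAILURES = 3                    # failures tolerated before the first lockout
BASE_LOCKOUT = timedelta(minutes=1)  # lockout after the 3rd failure; doubles on each further failure
MAX_LOCKOUT = timedelta(hours=24)    # cap, so the backoff cannot grow without bound
PBKDF2_ROUNDS = 50_000               # illustrative only; tune the work factor for your hardware

# Assumed schema: Ciaran's user table plus the lockout columns discussed in the thread.
SCHEMA = """
CREATE TABLE user (
    login           TEXT PRIMARY KEY,
    salt            BLOB NOT NULL,
    password_hash   BLOB NOT NULL,
    number_failures INTEGER NOT NULL DEFAULT 0,
    last_failure    TEXT,   -- ISO-8601 time of the most recent failure
    locked_until    TEXT,   -- NULL when the account is not locked
    last_failure_ip TEXT    -- kept for investigation only, never used to block
);
"""

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def lockout_for(failures):
    """Lockout after `failures` consecutive failures: none for the first two,
    then 1, 2, 4, ... minutes from the third on, capped at MAX_LOCKOUT."""
    if failures < FREE_FAILURES:
        return timedelta(0)
    doublings = min(failures - FREE_FAILURES, 24)  # 2**24 minutes already exceeds the cap
    return min(BASE_LOCKOUT * (2 ** doublings), MAX_LOCKOUT)

def is_locked(conn, login, now):
    row = conn.execute("SELECT locked_until FROM user WHERE login = ?", (login,)).fetchone()
    return row is not None and row[0] is not None and datetime.fromisoformat(row[0]) > now

def record_failure(conn, login, client_ip, now):
    row = conn.execute("SELECT number_failures FROM user WHERE login = ?", (login,)).fetchone()
    if row is None:
        return  # unknown login: nothing to update; the caller answers exactly as for a bad password
    failures = row[0] + 1
    lockout = lockout_for(failures)
    locked_until = (now + lockout).isoformat() if lockout else None
    conn.execute(
        "UPDATE user SET number_failures = ?, last_failure = ?, locked_until = ?, last_failure_ip = ?"
        " WHERE login = ?",
        (failures, now.isoformat(), locked_until, client_ip, login),
    )
    conn.commit()

def record_success(conn, login):
    """The 'flush the map for that username on successful login' step from the thread."""
    conn.execute("UPDATE user SET number_failures = 0, locked_until = NULL WHERE login = ?", (login,))
    conn.commit()

def attempt_login(conn, login, password, client_ip, now):
    """Returns 'locked', 'bad' or 'ok'. The lock is checked before the password, so a
    locked account cannot be probed, and a locked attempt does not extend the lock."""
    if is_locked(conn, login, now):
        return "locked"
    row = conn.execute("SELECT salt, password_hash FROM user WHERE login = ?", (login,)).fetchone()
    if row is not None and hmac.compare_digest(hash_password(password, row[0]), row[1]):
        record_success(conn, login)
        return "ok"
    record_failure(conn, login, client_ip, now)
    return "bad"  # identical answer for a wrong password and an unknown login

def demo():
    """Constructed scenario: three bad guesses, the right password refused while locked,
    a fourth failure that doubles the lockout, then a success that resets the counter."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    salt = os.urandom(16)
    conn.execute("INSERT INTO user (login, salt, password_hash) VALUES (?, ?, ?)",
                 ("ciaran", salt, hash_password("correct horse", salt)))
    t0 = datetime(2003, 12, 16, 15, 55)
    steps = [
        ("wrong1", t0),
        ("wrong2", t0 + timedelta(seconds=5)),
        ("wrong3", t0 + timedelta(seconds=10)),          # third failure: locked until t0+70s
        ("correct horse", t0 + timedelta(seconds=30)),   # right password, still locked
        ("wrong4", t0 + timedelta(seconds=75)),          # lock expired; fourth failure: locked 2 min
        ("correct horse", t0 + timedelta(seconds=200)),  # lock expired; success resets the counter
    ]
    results = [attempt_login(conn, "ciaran", pw, "203.0.113.7", t) for pw, t in steps]
    failures, ip = conn.execute(
        "SELECT number_failures, last_failure_ip FROM user WHERE login = 'ciaran'").fetchone()
    return results, failures, ip

if __name__ == "__main__":
    print(demo())  # (['bad', 'bad', 'bad', 'locked', 'bad', 'ok'], 0, '203.0.113.7')
```

The clock is passed in rather than read inside the functions so the policy can be tested against fixed times; in the Struts Action you would pass datetime.now() (or the database's own NOW(), which avoids skew between application servers). Note that last_failure_ip is deliberately left in place after a successful login so the record of who caused the lockout survives for the investigation Janusz describes.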