On 16/12/2003 21:43, "Ciaran Hanley" <[EMAIL PROTECTED]> wrote:
> I am storing the username and password in a table in a mySql database.
>
> I think I will just add a field "last_failure" to the user table... and
> after 3 unsuccessful attempts I will record the time in the
> "last_failure" field and work out if the timeout has elapsed by querying
> that field and comparing it to the current time.

That's the way ;D

Pedro Salgado

> That way, I won't be using cookies, and will avoid blocking IP addresses.
> Does that sound ok?
>
> Ciaran
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 16 December 2003 20:46
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Login Security
>
> Avoid the cookie solution, it's too easy for the user to bypass your
> security measures and, as mentioned below, this solution won't work if
> the browser has disabled cookies.
>
> Don't block IP addresses because they can be easily spoofed and
> redirected. Dynamic IPs pose a problem as you could be blocking out a
> legitimate user.
>
> How are you storing your list of usernames/passwords? Would it be
> possible to add an extra bit of data next to each username/password
> indicating when the login is valid?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 16, 2003 9:09 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Login Security
>
> You could put a cookie on the user's machine that expires after a
> certain period of time. Of course this only works when cookies are
> turned on, and an experienced user could always manually remove their
> cookie.
>
> Another solution may be to get the user's IP address from the request
> header and add it to a list of invalid IP addresses with their times of
> entry. Then upon a new request, you will have to check the list and
> determine how long ago the IP address was added.
>
> I'm just brainstorming here so anybody can criticize these suggestions
> freely.
>
> -Jonathan
>
> -----Original Message-----
> From: Ciaran Hanley [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 16, 2003 10:55 AM
> To: [EMAIL PROTECTED]
> Subject: Login Security
>
> I'm writing a web application using JSP and Struts. I want to add a
> security feature to my login page where if a user has three unsuccessful
> logins they will be unable to log in for a certain period of time
> afterwards. I can count the number of unsuccessful logins ok, but I'm
> not sure how to give a timeout after 3 failures. Any ideas how I could
> implement this?
>
> Thanks
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]