You could apply what I described by defining the key as username+"@"+ip
Good idea! -----Original Message----- From: Janusz Dziadon [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 4:20 PM To: Struts Users Mailing List Subject: Re: Login Security I think, that you should register blocked IP anyway in database. It helps to explain situations like below. Try to imagine situation like this: one user (A) really doesn't like another user (B) or system administrator (C). Than (A) tries to log in into his (B or C) account with bad password. His (B or C) account is disabled. Than A person can accuse person B or C that they are not work. Maybe it seems silly, but I have such not good experience. Machine IP from wich was maked last try to log-in may helped to explain all circumstances. JD ----- Original Message ----- From: "Hookom, Jacob" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, December 16, 2003 10:46 PM Subject: RE: Login Security > Do a HashMap in the action: > > Key is username > Value is Integer or Date > > If ((value = map.get(key)) != null) > { > if (value instanceof Date) > { > // compare timeout dates > } > else if (value instanceof Integer) > { > if (value == 3) > { > map.put(key, new Date(deadline)); > } > else > { > map.put(key, new Integer(value + 1)); > } > } > } > > > > -----Original Message----- > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 3:43 PM > To: 'Struts Users Mailing List' > Subject: RE: Login Security > > > I am storing the username and password in a table in a mySql database. > > I think I will just add a field "last_failure" to the user table... and > after 3 unsuccessful attempts I will record the time in the > "last_failure" field and work out if the timeout has elapsed by querying > that field and comparing it to the current time. > > That way, I wont be using cookies, and will avoid blocking IP address. > Does that sound ok? > > Ciaran > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: 16 December 2003 20:46 > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: RE: Login Security > > Avoid the cookie solution, it's too easy for the user to bypass your > security measures and as mentioned below, this solution won't work if > the browser has disabled cookies. > > Don't block IP addresses because they can be easily spoofed and > redirected. Dynamic IPs pose a problem as you could be blocking out a > legitimate user. > > How are you storing your list of usernames/passwords? Would it be > possible to add an extra bit of data next to each username/password > indicating when the login is valid? > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 9:09 AM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: RE: Login Security > > > You could put a cookie on the user's machine that expires after a > certain > period of time. Of course this only works when cookies are turned one > and > an experienced user could always manually remove their cookie. > > Another solution maybe is to get the user's IP address from the request > Header and add it to a list of invalid IP address with their times of > entry. > Then upon a new request, you will have to check the list and determine > how > long ago the IP address was added. > > I'm just brainstorming here so anybody can criticize these suggestions > freely. > -Jonathan > > -----Original Message----- > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 10:55 AM > To: [EMAIL PROTECTED] > Subject: Login Security > > > I'm writing a web application using JSP and Struts. I want to add a > security feature to my login page where if a user has three unsuccessful > logins they will be unable to log in for a certain period of time > afterwards. I can count the number of unsuccessful logins ok but how I'm > not sure how to give a timeout after 3 failures. Any ideas how I could > implement this? > > Thanks > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > ---------------------------------------------------------------------- > Juz czas! Wyslij kartke na swieta! >>> http://link.interia.pl/f17a4 > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
