1. I was thinking on corporate solution, where any station has its own ip
(maybe from dhcp)
2. I suggested only to store IP, not to compare on next-login or permanent
block this IP. It is for future investigation only.
3. This organization may have been "yet blocked" because when has common
acount its was disabled any way.
Maybe this all solution is not needed or is not good think over. That was
only my little remark.
JD
----- Original Message -----
From: "Hubert Rabago" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 11:24 PM
Subject: Re: Login Security
> Several organizations expose the same IP address for most or all users.
You'd be
> blocking entire organizations because of one bad login.
>
> --- Janusz_Dziadoń <[EMAIL PROTECTED]> wrote:
> > I think, that you should register blocked IP anyway in database. It
helps to
> > explain situations like below.
> >
> > Try to imagine situation like this:
> > one user (A) really doesn't like another user (B) or system
administrator
> > (C). Than (A) tries to log in into his (B or C) account with bad
password.
> > His (B or C) account is disabled. Than A person can accuse person B or C
> > that they are not work.
> >
> > Maybe it seems silly, but I have such not good experience.
> > Machine IP from wich was maked last try to log-in may helped to explain
all
> > circumstances.
> >
> > JD
> >
> > ----- Original Message -----
> > From: "Hookom, Jacob" <[EMAIL PROTECTED]>
> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 16, 2003 10:46 PM
> > Subject: RE: Login Security
> >
> >
> > > Do a HashMap in the action:
> > >
> > > Key is username
> > > Value is Integer or Date
> > >
> > > If ((value = map.get(key)) != null)
> > > {
> > > if (value instanceof Date)
> > > {
> > > // compare timeout dates
> > > }
> > > else if (value instanceof Integer)
> > > {
> > > if (value == 3)
> > > {
> > > map.put(key, new Date(deadline));
> > > }
> > > else
> > > {
> > > map.put(key, new Integer(value + 1));
> > > }
> > > }
> > > }
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Ciaran Hanley [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, December 16, 2003 3:43 PM
> > > To: 'Struts Users Mailing List'
> > > Subject: RE: Login Security
> > >
> > >
> > > I am storing the username and password in a table in a mySql database.
> > >
> > > I think I will just add a field "last_failure" to the user table...
and
> > > after 3 unsuccessful attempts I will record the time in the
> > > "last_failure" field and work out if the timeout has elapsed by
querying
> > > that field and comparing it to the current time.
> > >
> > > That way, I wont be using cookies, and will avoid blocking IP address.
> > > Does that sound ok?
> > >
> > > Ciaran
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > Sent: 16 December 2003 20:46
> > > To: [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: Login Security
> > >
> > > Avoid the cookie solution, it's too easy for the user to bypass your
> > > security measures and as mentioned below, this solution won't work if
> > > the browser has disabled cookies.
> > >
> > > Don't block IP addresses because they can be easily spoofed and
> > > redirected. Dynamic IPs pose a problem as you could be blocking out a
> > > legitimate user.
> > >
> > > How are you storing your list of usernames/passwords? Would it be
> > > possible to add an extra bit of data next to each username/password
> > > indicating when the login is valid?
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, December 16, 2003 9:09 AM
> > > To: [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: Login Security
> > >
> > >
> > > You could put a cookie on the user's machine that expires after a
> > > certain
> > > period of time. Of course this only works when cookies are turned one
> > > and
> > > an experienced user could always manually remove their cookie.
> > >
> > > Another solution maybe is to get the user's IP address from the
request
> > > Header and add it to a list of invalid IP address with their times of
> > > entry.
> > > Then upon a new request, you will have to check the list and determine
> > > how
> > > long ago the IP address was added.
> > >
> > > I'm just brainstorming here so anybody can criticize these suggestions
> > > freely.
> > > -Jonathan
> > >
> > > -----Original Message-----
> > > From: Ciaran Hanley [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, December 16, 2003 10:55 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Login Security
> > >
> > >
> > > I'm writing a web application using JSP and Struts. I want to add a
> > > security feature to my login page where if a user has three
unsuccessful
> > > logins they will be unable to log in for a certain period of time
> > > afterwards. I can count the number of unsuccessful logins ok but how
I'm
> > > not sure how to give a timeout after 3 failures. Any ideas how I could
> > > implement this?
> > >
> > > Thanks
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> > > ----------------------------------------------------------------------
> > > Juz czas! Wyslij kartke na swieta! >>> http://link.interia.pl/f17a4
> > >
> > >
> > >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
>
>
> __________________________________
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
> ----------------------------------------------------------------------
> Juz czas! Wyslij kartke na swieta! >>> http://link.interia.pl/f17a4
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
