Thank you for the valuable information!

Tony.

On Sat, Dec 6, 2008 at 12:36 AM, Maarten Bosteels
<[EMAIL PROTECTED]> wrote:
> If you're trying to defend against a brute-force password guessing attack,
> you could add a captcha to your logon form after x failed login attempts
> from one IP address.
>
> Maarten
>
> On Fri, Dec 5, 2008 at 5:20 PM, Jeremy Thomerson
> <[EMAIL PROTECTED]>wrote:
>
>> You definitely do NOT want to intentionally sleep a thread - that halts the
>> request, and uses up your thread pool.  You instead want the request to
>> complete, but you don't want to allow them to continue trying.  So, that
>> being said, you could:
>>
>> 1 - add a value to their session like "private long blockedFromSignInUntil"
>> and when they've exceeded your threshold, set that for ten minutes future.
>> This isn't bulletproof since they could start a new session by using a new
>> window / browser / blowing away cookies.
>> 2 - if it's on a per-username (rather than a per-session) basis, add a
>> similar value to the user - not allowed signin until....  This is probably
>> better anyway, because if I'm "nefarious guy" and I'm trying to sign in to
>> "mr nice guy" account, you lock "mr nice guy" account because you are in
>> fact detecting an identity theft attempt.
>> 3 - you could do a combo of the above so that I, "nefarious guy" when I get
>> blocked from "mr nice guy" account, can't move on to "mr unsuspecting"
>> account.
>>
>> Then, just have your sign in form be aware of that value in session or user
>> and not allow a sign in to that account or from that session until the
>> timeout is expired.
>>
>> But as a general rule of thumb, never use Thread.sleep in a web app -
>> especially somewhere in the request cycle.  It'll be shooting yourself in
>> the foot.
>>
>> Hope this helps,
>>
>> --
>> Jeremy Thomerson
>> http://www.wickettraining.com
>>
>>
>> On Fri, Dec 5, 2008 at 9:46 AM, Anton Veretennikov <
>> [EMAIL PROTECTED]> wrote:
>>
>> > Hello all Wicket users.
>> >
>> > One more question today.
>> > I need to implement appearance of sleep if "user" (session, IP
>> > address) tries incorrect login many times.
>> > Thread.sleep() seems to stop all sessions at once. Any ideas?
>> >
>> > Thank you!
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: [EMAIL PROTECTED]
>> > For additional commands, e-mail: [EMAIL PROTECTED]
>> >
>> >
>>
>
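One way to implement what the replies above describe, as an added example that is not code from this thread or from Wicket itself: a throttle that records a "blocked until" timestamp per username and per client (session id or IP address), so that neither the victim account nor the attacking client can continue, and that asks for a CAPTCHA after a smaller number of failures, all without ever sleeping a request thread. The class name, method names, thresholds, and the use of java.time.Clock are assumptions; the sign-in form would call decide() before checking the password and recordFailure()/recordSuccess() afterwards.

```java
import java.time.Clock;
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (not code from the thread or from Wicket): a non-blocking
 * login throttle.  Instead of Thread.sleep(), each failed sign-in bumps a
 * counter and, past a threshold, records a "blocked until" timestamp keyed
 * both by the target username (protects the victim account) and by the
 * client (session id or IP address, so one attacker cannot simply move on
 * to the next account).  decide() returns immediately; the request completes.
 * Names and thresholds are assumptions made for this example.
 */
public final class LoginThrottle {

    public enum Decision { ALLOW, CAPTCHA_REQUIRED, BLOCKED }

    private static final class Counter {
        int failures;
        long blockedUntilMillis;
    }

    private final Map<String, Counter> byUser = new ConcurrentHashMap<>();
    private final Map<String, Counter> byClient = new ConcurrentHashMap<>();
    private final int captchaAfter;   // failures before a CAPTCHA is demanded
    private final int blockAfter;     // failures before sign-in is refused outright
    private final Duration blockFor;
    private final Clock clock;        // injected so the lockout can be unit-tested

    public LoginThrottle(int captchaAfter, int blockAfter, Duration blockFor, Clock clock) {
        this.captchaAfter = captchaAfter;
        this.blockAfter = blockAfter;
        this.blockFor = blockFor;
        this.clock = clock;
    }

    /** Called by the sign-in form before the password is even checked. */
    public Decision decide(String username, String clientKey) {
        long now = clock.millis();
        Counter u = byUser.get(username);
        Counter c = byClient.get(clientKey);
        if (isBlocked(u, now) || isBlocked(c, now)) {
            return Decision.BLOCKED;
        }
        int failures = Math.max(failures(u), failures(c));
        return failures >= captchaAfter ? Decision.CAPTCHA_REQUIRED : Decision.ALLOW;
    }

    /** Record a wrong password; both counters flip to blocked once blockAfter is reached. */
    public void recordFailure(String username, String clientKey) {
        long now = clock.millis();
        bump(byUser.computeIfAbsent(username, k -> new Counter()), now);
        bump(byClient.computeIfAbsent(clientKey, k -> new Counter()), now);
    }

    /** A successful sign-in clears the counters for that user and that client. */
    public void recordSuccess(String username, String clientKey) {
        byUser.remove(username);
        byClient.remove(clientKey);
    }

    private void bump(Counter counter, long now) {
        synchronized (counter) {
            // A failure arriving after an expired block starts a fresh count.
            if (counter.blockedUntilMillis != 0 && counter.blockedUntilMillis <= now) {
                counter.failures = 0;
                counter.blockedUntilMillis = 0;
            }
            counter.failures++;
            if (counter.failures >= blockAfter) {
                counter.blockedUntilMillis = now + blockFor.toMillis();
            }
        }
    }

    private static boolean isBlocked(Counter counter, long now) {
        if (counter == null) return false;
        synchronized (counter) {
            return counter.blockedUntilMillis > now;
        }
    }

    private static int failures(Counter counter) {
        if (counter == null) return 0;
        synchronized (counter) {
            return counter.failures;
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: "nefarious guy" hammers one account from one address,
        // then tries a second account from the same address.
        LoginThrottle throttle = new LoginThrottle(3, 5, Duration.ofMinutes(10), Clock.systemUTC());
        for (int i = 0; i < 5; i++) {
            System.out.println("attempt " + (i + 1) + ": " + throttle.decide("mr nice guy", "192.0.2.10"));
            throttle.recordFailure("mr nice guy", "192.0.2.10");
        }
        System.out.println("other account from same client: "
                + throttle.decide("mr unsuspecting", "192.0.2.10"));
    }
}
```

The client key is whatever identifies the caller in your app, typically the HTTP session id or the remote address; keying on both a user and a client is the "combo" option from the reply above. In production the two maps need periodic eviction of expired entries, and the per-user timestamp is better persisted with the user record so it survives a new session or a cleared cookie.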
