On Fri, Aug 17, 2007 at 11:49:42AM -0400, Perrin Harkins wrote:
> On 8/17/07, Carl Johnstone <[EMAIL PROTECTED]> wrote:
> > You'll almost certainly have to log it per-IP address rather than a
> > cookie or session or anything like that. Any real password-cracking bot is
> > unlikely to honour your cookies or session identifiers.
>
> Last time I needed to do this we had a fallback to IP if no valid
> cookie was found so that it couldn't be evaded by simply refusing all
> cookies. There are workarounds for this workaround though, so it is
> an ongoing battle. AOL proxies were the main reason for doing this.

I missed something along the way in this thread. Cookies? Is that to block a specific client?

I'm just thinking of blocking specific logins when too many failed logins are attempted. Even in cases where the login is not a valid login in the application. Could be implemented somewhat transparently by overriding login().

By the way, any examples with the "new" C::P::Cache to pass expires on a cache set?

Also look forward to the appearance of Catalyst::Plugin::Cache::ControllerNamespacing. Or something to partition the cache. I want the sessions and failed login cache to be separate.

Is August and not seeing nothingmuch around related? What's the status of the Cache plugin(s) wrt. backends? I want to be able to swap between FastMmap and Memcached via a config option.

-- 
Bill Moseley
[EMAIL PROTECTED]
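
The two ideas in this thread (a per-login failure counter that also covers logins that do not exist, and a per-client counter that falls back to the IP address when no valid cookie is presented) combined in one sketch. This is an added example, not code from the thread or from Catalyst: it is plain Perl, the package and method names are hypothetical, and an in-memory hash with expiry times stands in for whatever cache backend is configured.

```perl
use strict;
use warnings;

package FailedLoginThrottle;    # hypothetical name, plain Perl, no Catalyst API
sub new {
    my ($class, %args) = @_;
    return bless {
        max    => $args{max_failures} // 5,
        window => $args{window}       // 900,    # seconds a counter lives
        store  => {},    # key => { count, expires }; stand-in for a cache backend
    }, $class;
}

# Two counters per attempt: one per login name (valid or not), one per client.
# The client is the tracking cookie only when the server recognised it,
# otherwise the IP, so refusing cookies does not reset the count.
# The "failed_login:" prefix keeps these entries apart from session keys.
sub _keys {
    my ($self, %req) = @_;
    (my $login = lc($req{login} // '')) =~ s/^\s+|\s+$//g;
    my $client = defined $req{valid_cookie} ? "cookie:$req{valid_cookie}" : "ip:$req{ip}";
    return ("failed_login:user:$login", "failed_login:client:$client");
}

sub _count {
    my ($self, $key, $now) = @_;
    my $entry = $self->{store}{$key} or return 0;
    return $entry->{count} if $entry->{expires} > $now;
    delete $self->{store}{$key};    # expired: forget it
    return 0;
}

sub is_blocked {    # true when either counter has reached the limit
    my ($self, %req) = @_;
    my $now = $req{now} // time;
    return scalar grep { $self->_count($_, $now) >= $self->{max} } $self->_keys(%req);
}

sub record_failure {    # each failure also restarts that counter's expiry
    my ($self, %req) = @_;
    my $now = $req{now} // time;
    $self->{store}{$_} = { count => $self->_count($_, $now) + 1,
                           expires => $now + $self->{window} } for $self->_keys(%req);
}

package main;
my $t = FailedLoginThrottle->new(max_failures => 3, window => 60);
# Constructed sample: one login name tried from three different addresses, no cookie.
$t->record_failure(login => 'nosuchuser', ip => "192.0.2.$_", now => 1000) for 1 .. 3;
printf "same login, new IP: %s\n", $t->is_blocked(login => 'NoSuchUser', ip => '192.0.2.9', now => 1010) ? 'blocked' : 'allowed';
printf "after the window:   %s\n", $t->is_blocked(login => 'nosuchuser', ip => '192.0.2.9', now => 1061) ? 'blocked' : 'allowed';
```

An overridden login() would call is_blocked before checking credentials and record_failure after a failed check; the response for a blocked attempt should not reveal whether the login exists.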
