on 5/27/03 2:33 AM Bertrand Delacretaz wrote:
...I like that, but isn't there a possible attack where a client makes a
lot of requests without cookies/session IDs, and overflows the poor
server who's creating millions of Sessions without asking anything
first?
the same could be said for continuations or for any other client-initiated server-side memory occupation....
Yes, I think the only safe way of avoiding such DoS attacks is to create sessions/continuations only *after* a successful login is received from the client.
Which means that, to be safe, login will have to be handled outside of Flow.
It's not a concern of the FOM then, goes back to the application design level.
...No. If you use a while(true) {} loop with sendPageAndWait() in the middle, you are creating a continuation for every failed login action. This is a potential DoS attack, but it could be super-easy to avoid looping more than n times from the same IP address....
Not so easy, I think: you might be getting many requests from the same IP if clients are using NAT, and it is fairly hard to select "n" and the max. rate of session/continuation creation that you accept. But that's off-topic here.
-Bertrand