On Nov 26, 2007 7:47 AM, David Ross @ Wolfeon <[EMAIL PROTECTED]> wrote:
> I try not to use by IP due to the problem you specified.

Glad to hear it.

> The way I think of the second cookie, is more like a 2nd password.
> Sure, there is a possibility of a brute force with it too, but it is
> less likely they'll brute force a 2nd session id key along with the
> first.

Less likely, yes, but still possible. If you're really just concerned
with likelihood and probability, as opposed to pure security, I think
you'll find the track record of Django's session framework quite
suitable for most needs. And if you need to lower the probability of
exploitation even further, feel free to apply the signedcookies
middleware. It's easy.

> What would be interesting is to modify the session framework to "ban"
> an ip once it has made several Suspicious attempts. What is the point
> of raising a Suspicious exception if it does nothing?

But what's the point of banning an IP if you yourself admit that it's
not a reliable way to identify someone? Of course, writing something
like that would be quite easy to implement in a custom middleware. In
fact, you'd be able to have it catch any SuspiciousOperation exceptions
for any request,[1] which would allow it to function on sessions,
signed cookies, or anything else that raises that exception.

Just have it cache a dictionary, mapping IPs to the number of
SuspiciousOperations, and automatically return HTTP 403 for any IP
with a number higher than whatever limit you like. It'd be fairly
straightforward, just make sure to store it in a proper cache, rather
than a module-level dictionary, since those are unique per-process,
and subsequent requests are likely to be served from different
processes.

-Gul

[1] http://www.djangoproject.com/documentation/middleware/#process-exception
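The IP-counting middleware sketched above, written out as an added example (not code from the thread or from Django). It runs without Django by using constructed stand-ins: `SuspiciousOperation` for `django.core.exceptions.SuspiciousOperation`, `DictCache` for a shared cache exposing Django-style `get`/`add`/`incr`, and `make_request` for an `HttpRequest`; the `limit` and `window` parameters and the `suspicious:` key prefix are choices of this example.

```python
class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""

class DictCache:
    """Stand-in for a shared cache with Django-style get/add/incr. Being
    per-process (the module-level dict the post warns against) it is demo-only."""
    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def add(self, key, value, timeout=None):
        # Create the key only if absent; True means this call created it.
        if key in self._data:
            return False
        self._data[key] = value
        return True

    def incr(self, key, delta=1):
        self._data[key] += delta
        return self._data[key]

def make_request(remote_addr):
    """Stand-in for HttpRequest; only META['REMOTE_ADDR'] is read."""
    return type("Request", (), {"META": {"REMOTE_ADDR": remote_addr}})()

class SuspiciousIPBanMiddleware:
    """Count SuspiciousOperation per client IP; answer 403 past a limit."""
    def __init__(self, cache, limit=5, window=3600):
        self.cache, self.limit, self.window = cache, limit, window

    def _key(self, request):
        # Keyed on REMOTE_ADDR, which the thread itself calls a weak identifier.
        return "suspicious:" + request.META.get("REMOTE_ADDR", "")

    def process_request(self, request):
        # Django would return HttpResponseForbidden(); 403 stands in here.
        if self.cache.get(self._key(request), 0) >= self.limit:
            return 403
        return None

    def process_exception(self, request, exception):
        if not isinstance(exception, SuspiciousOperation):
            return None  # anything else propagates untouched
        key = self._key(request)
        # add()+incr() is atomic on real backends (no lost counts); timeout expires bans.
        if not self.cache.add(key, 1, self.window):
            self.cache.incr(key)
        return 403
```

Wiring it into a real project means swapping `DictCache` for the process-shared cache and the 403 integer for an `HttpResponseForbidden`; the counting and lookup logic stays the same.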
