How about this proposal? Someone opens the login page. In addition to the visible fields username and password and the hidden field csrftoken we add another hidden field. This field contains the earliest (server-)timestamp a user might login, and lies in the near future, for instance now() + timedelta(seconds=5). That value is cryptographically signed <https://docs.djangoproject.com/en/4.0/topics/signing/#using-the-low-level-api> .
In addition to this, we disable the submit button and add a small Javascript function which sets an interval corresponding to the mandatory login delay. After that interval expired, the submit button is enabled again. A malicious client who bypasses the disabled button and attempts to submit the login for, will receive a HTTP response with an error code > 400. What are the advantages? - Django doesn't have to store any state of users and/or IP addresses attempting to log in. - Django doesn't have to delay itself to throttle requests. This btw. is a DoS attack vector by blocking server threads. - We transfer responsibility for delaying login requests to the client – who can't bypass them. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/b64d44a3-c7dd-4f9a-bf4f-1b8e9818fb64n%40googlegroups.com.