Hi Jacob,
I actually do like that idea! I don't think it is a good default for
django in general, but I would be interested in a reusable app that
implements this. Is this already available somewhere?
thanks,
tobias
On 05/04/2022 16.04, Jacob Rief wrote:
How about this proposal?
Someone opens the login page. In addition to the visible
fields username and password and the hidden field csrftoken we add
another hidden field. This field contains the earliest
(server-)timestamp a user might login, and lies in the near future, for
instance now() + timedelta(seconds=5). That value is cryptographically
signed <https://docs.djangoproject.com/en/4.0/topics/signing/#using-the-low-level-api>.
In addition to this, we disable the submit button and add a small
Javascript function which sets an interval corresponding to the
mandatory login delay. After that interval expired, the submit button is
enabled again.
A malicious client who bypasses the disabled button and attempts to
submit the login form, will receive an HTTP response with an error code > 400.
What are the advantages?
* Django doesn't have to store any state of users and/or IP addresses
attempting to log in.
* Django doesn't have to delay itself to throttle requests. This btw.
is a DoS attack vector by blocking server threads.
* We transfer responsibility for delaying login requests to the client
– who can't bypass them.
--
You received this message because you are subscribed to the Google
Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/b64d44a3-c7dd-4f9a-bf4f-1b8e9818fb64n%40googlegroups.com
<https://groups.google.com/d/msgid/django-developers/b64d44a3-c7dd-4f9a-bf4f-1b8e9818fb64n%40googlegroups.com?utm_medium=email&utm_source=footer>.
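The signed not-before field from Jacob's proposal, as an added Python example that is not code from this thread or from Django; it uses an HMAC from the standard library as a stand-in for django.core.signing so it runs without Django, and the secret, salt, delay and max_age values are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed demo secret; a Django deployment would derive this from settings.SECRET_KEY.
SECRET_KEY = b"demo-secret-not-for-production"
SALT = b"login-delay"


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload, urlsafe-base64 without padding."""
    mac = hmac.new(SECRET_KEY, SALT + b"|" + payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_delay_token(now: float, delay: float = 5.0) -> str:
    """Value for the extra hidden field: earliest accepted server timestamp, signed."""
    not_before = f"{now + delay:.3f}"
    return f"{not_before}:{_sign(not_before)}"


def check_delay_token(token: str, now: float, max_age: float = 60.0) -> str:
    """Validate a submitted token; returns 'ok' or the reason for rejection.

    A login view would turn anything other than 'ok' into an error response
    (status >= 400), which is what the proposal prescribes for a client that
    bypasses the disabled submit button.
    """
    not_before, sep, sig = token.rpartition(":")
    if not sep or not hmac.compare_digest(sig, _sign(not_before)):
        return "bad-signature"  # field missing, altered, or forged
    earliest = float(not_before)  # parses: only values we signed reach this point
    if now < earliest:
        return "too-early"  # submitted before the mandatory delay elapsed
    if now > earliest + max_age:
        return "expired"  # limits how long a captured token stays usable
    return "ok"
```

Because no server-side state is kept, one token stays valid for every submission between its not-before time and its expiry, so the scheme delays the first attempt of a form load but not repeats that reuse the same token; the max_age bound keeps that window short.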