On Tue, 19 Jun 2001, Suresh Addagalla wrote:

| Hi,
|
| I have a servlet application. The user authentication is done at the
| application level by storing user id and password in DB. I need to allow
| only a maximum of, say, 3 unsuccessful login attempts, after which the user
| should be suspended a fixed number of hours. Any ideas as to how this can be
| implemented? One way I can think of is to store the info (whether he can
| login and if he can not, till when) in DB and use it.

You are a bit open to DoS attacks, though. A badguy could just try 4
times on a whole bunch of your users.

Also you're open for a "checking whether this is a username at these folks'
site" attack, which is the reason why most sites have turned off "expn"
and "vrfy" on their mailservers.
  A badguy could of course then just try to login 4 times with a password,
if it blocks, then there is a user with that username. If you want to
protect against such stuff, then you would have to log each and every
username tried, but then you're open for another DoS: the badguy could try
18M usernames, flooding your "these names have been tried x times today"
cache.

But the DB approach is probably the way to go.

;)

--
Mvh,
Endre
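The lockout scheme asked about above, written so that it also addresses the two concerns Endre raises (suspension as a user-existence oracle, and a per-username counter table that can be flooded), as an added example in Python. This is not code from the original thread; the names, the PBKDF2 storage format, the 2-hour window and the table bound are assumptions standing in for whatever the application keeps in its DB.

```python
import hashlib
import hmac
import time
from collections import OrderedDict
from typing import Callable, Dict, Tuple

MAX_FAILURES = 3            # attempts allowed before suspension
SUSPEND_SECONDS = 2 * 3600  # fixed suspension window (2 hours, constructed value)
MAX_TRACKED = 1000          # bound on tracked usernames, to resist counter flooding

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hash the application stores beside the user id.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    """Counts failed logins per username and suspends after MAX_FAILURES.

    Unknown usernames are counted and answered exactly like known ones, so the
    suspension behaviour cannot confirm that a user exists. The counter table
    is bounded (least recently touched entry evicted), so a flood of invented
    usernames cannot grow it without limit.
    """
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 now: Callable[[], float] = time.time, max_tracked: int = MAX_TRACKED):
        self._users = users              # username -> (salt, pbkdf2 hash), the "DB"
        self._now = now                  # injectable clock so the window can be tested
        self._max_tracked = max_tracked
        self._state: "OrderedDict[str, Tuple[int, float]]" = OrderedDict()

    def tracked(self) -> int:
        return len(self._state)          # how many usernames currently have counters

    def attempt(self, username: str, password: str) -> bool:
        now = self._now()
        failures, until = self._state.get(username, (0, 0.0))
        if until > now:
            return False                 # suspended: same answer as a wrong password
        if until and until <= now:
            failures = 0                 # suspension expired: start a fresh count
        salt, stored = self._users.get(username, (b"", b""))
        # Always compute the hash so an unknown user costs the same time as a known one.
        candidate = hash_password(password, salt or b"\x00" * 16)
        if stored and hmac.compare_digest(candidate, stored):
            self._state.pop(username, None)
            return True
        failures += 1
        until = now + SUSPEND_SECONDS if failures >= MAX_FAILURES else 0.0
        self._state[username] = (failures, until)
        self._state.move_to_end(username)
        if len(self._state) > self._max_tracked:
            self._state.popitem(last=False)   # evict the least recently touched name
        return False
```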

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html