Btw, remember to flush the map for that username when they are able to login
successfully.

-----Original Message-----
From: Hookom, Jacob [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 16, 2003 3:46 PM
To: Struts Users Mailing List
Subject: RE: Login Security

Do a HashMap in the action:

Key is username
Value is Integer or Date

Object value;
if ((value = map.get(key)) != null)
{
        if (value instanceof Date)
        {
                // compare timeout dates: still locked out while the
                // stored deadline is after the current time
        }
        else if (value instanceof Integer)
        {
                int failures = ((Integer) value).intValue();
                if (failures == 3)
                {
                        // deadline: lockout expiry in millis since epoch
                        map.put(key, new Date(deadline));
                }
                else
                {
                        map.put(key, new Integer(failures + 1));
                }
        }
}



-----Original Message-----
From: Ciaran Hanley [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 16, 2003 3:43 PM
To: 'Struts Users Mailing List'
Subject: RE: Login Security


I am storing the username and password in a table in a MySQL database.

I think I will just add a field "last_failure" to the user table... and
after 3 unsuccessful attempts I will record the time in the
"last_failure" field and work out if the timeout has elapsed by querying
that field and comparing it to the current time. 

That way, I won't be using cookies, and will avoid blocking IP addresses.
Does that sound ok?

Ciaran

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 16 December 2003 20:46
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Login Security

Avoid the cookie solution, it's too easy for the user to bypass your
security measures and as mentioned below, this solution won't work if
the browser has disabled cookies.

Don't block IP addresses because they can be easily spoofed and
redirected. Dynamic IPs pose a problem as you could be blocking out a
legitimate user.

How are you storing your list of usernames/passwords? Would it be
possible to add an extra bit of data next to each username/password
indicating when the login is valid?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 9:09 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Login Security


You could put a cookie on the user's machine that expires after a certain
period of time.  Of course this only works when cookies are turned on and
an experienced user could always manually remove their cookie.

Another solution may be to get the user's IP address from the request
header and add it to a list of invalid IP addresses with their times of
entry. Then upon a new request, you will have to check the list and
determine how long ago the IP address was added.

I'm just brainstorming here so anybody can criticize these suggestions
freely.
-Jonathan

-----Original Message-----
From: Ciaran Hanley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 10:55 AM
To: [EMAIL PROTECTED]
Subject: Login Security


I'm writing a web application using JSP and Struts. I want to add a
security feature to my login page where if a user has three unsuccessful
logins they will be unable to log in for a certain period of time
afterwards. I can count the number of unsuccessful logins ok but I'm
not sure how to give a timeout after 3 failures. Any ideas how I could
implement this?
 
Thanks



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
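Jacob's HashMap and Ciaran's note about flushing it on success, pulled together as an added example (not code from anyone in this thread): one entry per username holds either a failure count or a lockout deadline, the login action asks isLocked before it even checks the password, and a successful login removes the entry. The names (LoginThrottle, Attempt, LOCKOUT_MILLIS) and the 15-minute timeout are assumptions; the clock is passed in so the timeout can be exercised without waiting.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the thread. Per-username lockout after
// MAX_FAILURES failed logins; names and the timeout are assumed.
public class LoginThrottle {
    static final int MAX_FAILURES = 3;
    static final long LOCKOUT_MILLIS = 15L * 60 * 1000; // assumed timeout

    // One entry per username: a failure count, or a deadline once locked.
    private static final class Attempt {
        int failures;
        long lockedUntil; // 0 while not locked
    }

    private final Map<String, Attempt> attempts = new HashMap<>();

    // Call this before checking the password; a correct password during
    // the lockout window must still be refused.
    public synchronized boolean isLocked(String username, long now) {
        Attempt a = attempts.get(username);
        if (a == null || a.lockedUntil == 0) return false;
        if (now < a.lockedUntil) return true;
        attempts.remove(username); // timeout elapsed: start counting afresh
        return false;
    }

    // Record a failed password check; the third failure starts the lockout.
    public synchronized void recordFailure(String username, long now) {
        Attempt a = attempts.get(username);
        if (a == null) { a = new Attempt(); attempts.put(username, a); }
        a.failures++;
        if (a.failures >= MAX_FAILURES) a.lockedUntil = now + LOCKOUT_MILLIS;
    }

    // Flush the entry once the user logs in successfully.
    public synchronized void recordSuccess(String username) {
        attempts.remove(username);
    }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle();
        long now = 0L; // constructed clock value for the demo
        for (int i = 0; i < MAX_FAILURES; i++) t.recordFailure("alice", now);
        System.out.println("locked now: " + t.isLocked("alice", now));
        System.out.println("locked after timeout: "
            + t.isLocked("alice", now + LOCKOUT_MILLIS));
    }
}
```

Like the HashMap it is per-JVM and lost on restart; a last_failure column in the user table, as Ciaran proposes, keeps the same state across restarts and across several servers.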
