In addition to any other issues mentioned you need to consider that some browsers may time out if the Action goes to sleep, which is ugly.
I think you'd be better off following an earlier suggestion to simply lock out a given user ID after N failed login attempts, put a timestamp in the DB, and check against that.

d.

--- Adam Gordon <[EMAIL PROTECTED]> wrote:

> How so? Please elaborate.
>
> Our web application sits entirely in Tomcat land and it's accessible only via Apache, but Apache is only acting basically as the redirector - it knows nothing of what's going on, it just rewrites/relays requests and serves up responses.
>
> -adam
>
> Joe Germuska wrote:
> > On 3/9/07, Adam Gordon <[EMAIL PROTECTED]> wrote:
> >>
> >> Our login page performs a POST to authenticate and I'd like to put in a delay when a login failure occurs so that it hinders/frustrates any malicious users and any scripts they might be running. I realize this isn't a foolproof solution but since the user isn't authenticated yet, I don't have a ton of options. One other thing we'll probably be doing is session validation/invalidation.
> >
> > I would think that the kind of throttling you're talking about is something you're better off doing with Apache than trying to do in your application code.
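
The lockout approach suggested in the reply above (count failures per user ID, store a lock timestamp, compare against it), as an added example that is not part of the original thread. The class name LoginThrottle, its methods, and the in-memory map standing in for the DB table are all assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; LoginThrottle and all names here are hypothetical.
// The map stands in for a DB table keyed by user ID (failure count, locked-until).
public class LoginThrottle {
    private static final class State {
        int failures;
        Instant lockedUntil = Instant.MIN;
    }
    private final int maxFailures;
    private final Duration lockTime;
    private final Map<String, State> table = new ConcurrentHashMap<>();

    public LoginThrottle(int maxFailures, Duration lockTime) {
        this.maxFailures = maxFailures;
        this.lockTime = lockTime;
    }

    // Check before verifying the password: a timestamp comparison, no sleeping thread.
    public boolean isLocked(String userId, Instant now) {
        State s = table.get(userId);
        if (s == null) return false;
        synchronized (s) { return now.isBefore(s.lockedUntil); }
    }

    // Call after a failed password check; the Nth failure stores the lock timestamp.
    public void recordFailure(String userId, Instant now) {
        State s = table.computeIfAbsent(userId, k -> new State());
        synchronized (s) {
            if (++s.failures >= maxFailures) {
                s.lockedUntil = now.plus(lockTime);
                s.failures = 0; // counting starts fresh once the lock expires
            }
        }
    }

    // Call after a successful login to clear the counter.
    public void recordSuccess(String userId) { table.remove(userId); }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(3, Duration.ofMinutes(15));
        Instant t0 = Instant.parse("2007-03-09T12:00:00Z"); // constructed sample time
        for (int i = 0; i < 3; i++) t.recordFailure("alice", t0);
        System.out.println(t.isLocked("alice", t0.plusSeconds(60)));   // inside the lock window
        System.out.println(t.isLocked("alice", t0.plusSeconds(1000))); // after the lock window
        System.out.println(t.isLocked("bob", t0));                     // user with no failures
    }
}
```

The login Action would call isLocked first and reject the attempt, even with a correct password, while the lock is active; the request returns immediately, so no browser is left waiting on a sleeping thread.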