Hello,

Don't most dictionary-style attacks create a new request each time, therefore creating a new ASO? Kind of like closing your browser and reopening it each time?
If not this is a much better idea than mine of delaying the IP.

--James

-----Original Message-----
From: Thiago H. de Paula Figueiredo [mailto:thiag...@gmail.com]
Sent: February-11-09 8:14 AM
To: Tapestry users
Subject: Re: IoC question - introducing a time delay in an ASO

On Wed, Feb 11, 2009 at 9:49 AM, Peter Stavrinides <p.stavrini...@albourne.com> wrote:
> I use an ASO as a token when signing users in, I use this small method to introduce a time delay (if there are multiple failed attempts, I increase the delay):

Your code doesn't delay the ASO, it delays the request processing. ;) It prevents dictionary attacks against passwords, something everyone should do.

> I haven't tested it much, but it seems to work great, I was just a bit worried if it would be thread safe or if I was doing something stupid.

ApplicationStateManager (the Tapestry service that handles ASOs) is already thread-safe (it uses ConcurrentHashMap), so I guess you don't need to worry. ;)

--
Thiago

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
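The session question raised at the top of this message, as an added example that is not part of the original thread and is not Peter's method (which the thread does not show): a failure counter kept in application scope and keyed on account name plus client address keeps counting when the client starts a fresh session on every request. The class name, delay constants and sample values are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
/** Failed-login throttle held in application scope, not in the session (hypothetical class). */
public class LoginThrottle {
    private static final long BASE_DELAY_MS = 500;    // assumed starting delay
    private static final long MAX_DELAY_MS = 60_000;  // assumed cap
    /** Immutable per-key state: failures so far and the earliest time the next attempt is allowed. */
    private static final class Entry {
        final int failures;
        final long notBeforeMs;
        Entry(int failures, long notBeforeMs) { this.failures = failures; this.notBeforeMs = notBeforeMs; }
    }
    private final ConcurrentMap<String, Entry> entries = new ConcurrentHashMap<>();
    // Key on the target account and the client address, never on the session id.
    private static String key(String username, String remoteAddr) {
        return username.toLowerCase(java.util.Locale.ROOT) + "|" + remoteAddr;
    }

    /** Milliseconds the caller must still wait before checking a password; 0 means proceed. */
    public long millisUntilAllowed(String username, String remoteAddr, long nowMs) {
        Entry e = entries.get(key(username, remoteAddr));
        return e == null ? 0 : Math.max(0, e.notBeforeMs - nowMs);
    }

    /** Record a failed attempt; the delay doubles with each failure up to the cap. Returns the new delay. */
    public long recordFailure(String username, String remoteAddr, long nowMs) {
        // compute() applies the update atomically per key, so concurrent requests cannot lose a count.
        Entry updated = entries.compute(key(username, remoteAddr), (k, old) -> {
            int failures = (old == null ? 0 : old.failures) + 1;
            long delay = Math.min(MAX_DELAY_MS, BASE_DELAY_MS << Math.min(failures - 1, 20));
            return new Entry(failures, nowMs + delay);
        });
        return updated.notBeforeMs - nowMs;
    }

    /** Clear the state after a successful sign-in. */
    public void recordSuccess(String username, String remoteAddr) {
        entries.remove(key(username, remoteAddr));
    }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle();
        long now = 0; // constructed clock value for the demo
        // Three failures for the same account and address (constructed sample values), each from a "new session".
        for (int i = 0; i < 3; i++) {
            System.out.println("delay after failure " + (i + 1) + ": " + t.recordFailure("alice", "192.0.2.10", now) + " ms");
        }
        System.out.println("wait now: " + t.millisUntilAllowed("alice", "192.0.2.10", now + 100) + " ms");
    }
}
```

Rejecting the attempt while `millisUntilAllowed` is non-zero, rather than sleeping, avoids tying up request threads. The map here never evicts old keys, so a real deployment would also expire stale entries.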