You definitely do NOT want to intentionally sleep a thread - that halts the
request, and uses up your thread pool.  You instead want the request to
complete, but you don't want to allow them to continue trying.  So, that
being said, you could:

1 - add a value to their session like "private long blockedFromSignInUntil"
and when they've exceeded your threshold, set that for ten minutes in the future.
This isn't bulletproof since they could start a new session by using a new
window / browser / blowing away cookies.
2 - if it's on a per-username (rather than a per-session) basis, add a
similar value to the user - not allowed signin until....  This is probably
better anyway, because if I'm "nefarious guy" and I'm trying to sign in to
"mr nice guy" account, you lock "mr nice guy" account because you are in
fact detecting an identity theft attempt.
3 - you could do a combo of the above so that I, "nefarious guy" when I get
blocked from "mr nice guy" account, can't move on to "mr unsuspecting"
account.

Then, just have your sign in form be aware of that value in session or user
and not allow a sign in to that account or from that session until the
timeout is expired.

But as a general rule of thumb, never use Thread.sleep in a web app -
especially somewhere in the request cycle.  It'll be shooting yourself in
the foot.

Hope this helps,

-- 
Jeremy Thomerson
http://www.wickettraining.com


On Fri, Dec 5, 2008 at 9:46 AM, Anton Veretennikov <
[EMAIL PROTECTED]> wrote:

> Hello all Wicket users.
>
> One more question today.
> I need to implement appearance of sleep if "user" (session, IP
> address) tries incorrect login many times.
> Thread.sleep() seems to stop all sessions at once. Any ideas?
>
> Thank you!
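The combined per-session and per-username block from option 3 in the reply, as an added example in plain Java (not code from the thread or from Wicket). The class, method and key names, the threshold of five failures and the in-memory map are assumptions; the reply keeps the value in the session or on the user record.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Timestamp-based sign-in lockout: the request returns at once, nothing sleeps.
public class SignInThrottle {
    static final int MAX_FAILURES = 5;                 // assumed threshold
    static final long BLOCK_MILLIS = 10 * 60 * 1000L;  // ten minutes, as in the reply

    // Failure count and lockout deadline for one key (a session id or a username).
    static final class Entry {
        int failures;
        long blockedFromSignInUntil; // epoch millis; 0 means not blocked
    }

    private final Map<String, Entry> entries = new ConcurrentHashMap<>();

    // Blocked if either the calling session or the target username is locked out.
    public boolean isBlocked(String sessionId, String username, long now) {
        return blocked("s:" + sessionId, now) || blocked("u:" + username, now);
    }

    // A failed attempt counts against both the session and the username.
    public void recordFailure(String sessionId, String username, long now) {
        bump("s:" + sessionId, now);
        bump("u:" + username, now);
    }

    private boolean blocked(String key, long now) {
        Entry e = entries.get(key);
        if (e == null) return false;
        synchronized (e) { return now < e.blockedFromSignInUntil; }
    }

    private void bump(String key, long now) {
        Entry e = entries.computeIfAbsent(key, k -> new Entry());
        synchronized (e) {
            if (++e.failures >= MAX_FAILURES) {
                e.blockedFromSignInUntil = now + BLOCK_MILLIS;
                e.failures = 0; // fresh count once the block expires
            }
        }
    }

    public static void main(String[] args) { // constructed scenario
        SignInThrottle t = new SignInThrottle();
        long now = System.currentTimeMillis();
        for (int i = 0; i < MAX_FAILURES; i++) t.recordFailure("sess-A", "mr.nice.guy", now);
        System.out.println(t.isBlocked("sess-B", "mr.nice.guy", now));     // other session, same account
        System.out.println(t.isBlocked("sess-A", "mr.unsuspecting", now)); // same session, other account
        System.out.println(t.isBlocked("sess-A", "mr.nice.guy", now + BLOCK_MILLIS)); // after the timeout
    }
}
```

The sign-in form calls `isBlocked` before checking the password and refuses immediately when it returns true, so no request thread ever waits.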
