[Catalyst] Rate limiting password attacks

Bill Moseley moseley at hank.org
Fri Aug 17 19:09:14 GMT 2007

On Fri, Aug 17, 2007 at 11:49:42AM -0400, Perrin Harkins wrote:
> On 8/17/07, Carl Johnstone <catalyst at fadetoblack.me.uk> wrote:
> > You'll almost certainly have to log it per-IP address rather than an a
> > cookie or session or anything like that. Any real password-cracking bot is
> > unlikely to honour your cookies or session identifiers.
> Last time I needed to do this we had a fallback to IP if no valid
> cookie was found so that it couldn't be evaded by simply refusing all
> cookies.  There are workarounds for this workaround though, so it is
> an ongoing battle.  AOL proxies were the main reason for doing this.

I missed something along the way in this thread.  Cookies?  Is that to
block a specific client?

I'm just thinking of blocking specific logins when too many failed
logins are attempted.  Even in cases where the login is not a valid
login in the application.  Could be implemented somewhat transparently
by overriding login().

By the way, any examples with the "new" C::P::Cache to pass expires on a
cache set?  Also look forward to the appearance of
Catalyst::Plugin::Cache::ControllerNamespacing.  Or something to
partition the cache.  I want the sessions and failed login cache to be
separate.  Is August and not seeing nothingmuch around related?

What's the status of the Cache plugin(s) wrt. backends?

I want to be able to swap between FastMmap and Memcached via a config

Bill Moseley
moseley at hank.org

More information about the Catalyst mailing list