[Catalyst] Rate limiting password attacks

Carl Johnstone catalyst at fadetoblack.me.uk
Sat Aug 18 18:11:50 GMT 2007


Bill Moseley wrote:
> Unfortunately, often want to have a login form on the home page and
> that page is typically static -- so can't use my token in that
> situation.

How about using a variation of the token system. You have a token that's 
valid for any request that you change fairly frequently - say every 5 
minutes. Then you dynamically insert that into the home page.

Then to give you the effect of a static home page, use Apache's mod_cache.

Finally in your login form, you accept any from the last X tokens where 
X > 2 (you could've cached the page just before the token expires) up to 
whatever life you want to allow.

Carl
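The rotating-token scheme Carl sketches above, written out as an added example that is not part of the original thread or of Catalyst itself. It assumes the token for each 5-minute window is derived with an HMAC from a server-side secret (so nothing has to be stored per token), that the login handler accepts the current window's token plus the previous X-1 windows, and that the mod_cache max-age is kept below (X-1) windows so a cached page never serves an already-expired token. The secret, window length and X are constructed values for illustration.

```python
import hmac
import hashlib
import time

# Constructed secret for this example; a real deployment loads it from
# configuration, never from source.
SECRET = b"example-server-secret-not-for-real-use"
WINDOW_SECONDS = 300      # token rotates every 5 minutes, as in the post
ACCEPT_WINDOWS = 3        # "X" in the post: current token plus the previous X-1


def token_for_window(window_index, secret=SECRET):
    """Derive the token for one rotation window from the server secret.

    Deriving instead of storing means any server holding the secret can
    regenerate or verify the token for a window without a shared token store.
    """
    msg = str(window_index).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def current_window(now=None):
    """Index of the rotation window containing the timestamp `now`."""
    now = time.time() if now is None else now
    return int(now // WINDOW_SECONDS)


def issue_token(now=None):
    """Token to insert into the home page form before mod_cache stores the page."""
    return token_for_window(current_window(now))


def token_is_valid(submitted, now=None, accept_windows=ACCEPT_WINDOWS):
    """Accept the token for the current window or any of the previous
    accept_windows-1 windows; everything older is rejected."""
    cur = current_window(now)
    for w in range(cur, cur - accept_windows, -1):
        # compare_digest keeps the comparison constant-time
        if hmac.compare_digest(token_for_window(w), submitted):
            return True
    return False


def max_cache_age_seconds(accept_windows=ACCEPT_WINDOWS):
    """Upper bound for the mod_cache max-age on the home page.

    A page cached at the very end of window N carries a token that is only
    accepted for the next accept_windows-1 windows, so the cache must not
    keep the page longer than that.
    """
    return (accept_windows - 1) * WINDOW_SECONDS


if __name__ == "__main__":
    t0 = 10_000                      # constructed timestamp
    tok = issue_token(t0)
    print("issued:", tok)
    print("valid now:", token_is_valid(tok, t0))
    print("valid 10 min later:", token_is_valid(tok, t0 + 600))
    print("valid 15 min later:", token_is_valid(tok, t0 + 900))
    print("cache max-age:", max_cache_age_seconds())
```

In a Catalyst app the login action would call `token_is_valid` (or its Perl equivalent) on the submitted hidden field before touching the password check, so a request without a fresh token is dropped cheaply; the mod_cache max-age for the home page should be set to no more than `max_cache_age_seconds()`.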
