[Catalyst] Rate limiting password attacks
Carl Johnstone
catalyst at fadetoblack.me.uk
Sat Aug 18 18:11:50 GMT 2007
Bill Moseley wrote:
> Unfortunately, I often want to have a login form on the home page, and
> that page is typically static -- so I can't use my token in that
> situation.
>
How about using a variation of the token system? You have a token that's
valid for any request, which you change fairly frequently - say every 5
minutes. Then you dynamically insert that into the home page.
Then, to give you the effect of a static home page, use Apache's mod_cache.
Finally, in your login form, you accept any of the last X tokens, where
X > 2 (you could've cached the page just before the token expires), up to
whatever lifetime you want to allow.
Carl
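The rotating-token scheme Carl describes, written out as an added Python example (not Catalyst code and not from the original thread). It assumes the token is derived as an HMAC-SHA256 over the current 5-minute window index under a constructed server secret, so the login handler can recompute the last X tokens instead of storing them.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secret; a real deployment loads this from config, never from source.
SECRET = b"example-secret-rotate-me"
WINDOW_SECONDS = 300      # rotate the token every 5 minutes, as in the post
ACCEPTED_WINDOWS = 3      # X in the post: the current window plus two older ones


def _bucket(now: float) -> int:
    """Index of the rotation window containing the timestamp `now`."""
    return int(now // WINDOW_SECONDS)


def token_for_bucket(bucket: int, secret: bytes = SECRET) -> str:
    """Deterministic token for one window: HMAC-SHA256 over the window index.
    Deriving (not storing) means a copy of the home page served by mod_cache
    carries a token the login handler can verify without any lookup."""
    return hmac.new(secret, str(bucket).encode("ascii"), hashlib.sha256).hexdigest()


def current_token(now: Optional[float] = None) -> str:
    """Token to embed in the (cacheable) home page for the current window."""
    now = time.time() if now is None else now
    return token_for_bucket(_bucket(now))


def token_is_valid(token: str, now: Optional[float] = None,
                   accepted_windows: int = ACCEPTED_WINDOWS) -> bool:
    """Accept the token of the current window or of any of the previous
    accepted_windows - 1 windows, so a page cached just before rotation still
    logs in. Tokens from future windows or older than X windows are rejected."""
    now = time.time() if now is None else now
    current = _bucket(now)
    ok = False
    for age in range(accepted_windows):
        expected = token_for_bucket(current - age)
        # Constant-time compare, and no early return, so timing does not reveal
        # which candidate (if any) matched.
        ok |= hmac.compare_digest(expected, token)
    return ok
```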