[Catalyst] Rate limiting password attacks

Christian Storm storm at iparadigms.com
Mon Aug 20 15:48:05 GMT 2007


What's to stop the bot from grabbing the token from the home page and  
using it in its attack?  The token has to be something the
bot can't readily read, e.g., captcha.

On Aug 18, 2007, at 10:11 AM, Carl Johnstone wrote:

> Bill Moseley wrote:
>> Unfortunately, often want to have a login form on the home page and
>> that page is typically static -- so can't use my token in that
>> situation.
>>
>>
>
> How about using a variation of the token system. You have a token  
> that's valid for any request that you change fairly frequently -  
> say every 5 minutes. Then you dynamically insert that into the home  
> page.
>
> Then to give you the effect of a static home page, use apache's  
> mod_cache.
>
> Finally in your login form, you accept any from the last X tokens  
> where X > 2 (you could've cached the page just before the token  
> expires) up to whatever life you want to allow.
>
> Carl
>
>
> _______________________________________________
> List: Catalyst at lists.rawmode.org
> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst at lists.rawmode.org/
> Dev site: http://dev.catalyst.perl.org/

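The rotating-token scheme Carl sketches above, as an added illustration that is not code from the thread or from Catalyst: the token is derived from a server secret and the current 5-minute window, so the cached home page can carry it without server-side state, and the login handler accepts the last X windows (X > 2) to cover a page cached just before rotation. The secret and window constants are constructed for the example. As Christian notes, a bot that fetches the home page gets the same token, so this only throttles blind scripted POSTs; it is not proof that a human filled in the form.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for the example; a real deployment loads the secret from config.
SECRET = b"example-server-secret-not-for-production"
WINDOW_SECONDS = 300   # rotate the token every 5 minutes, per the thread
ACCEPTED_WINDOWS = 3   # X > 2: the cached page may carry a token about to expire


def token_for_window(window: int, secret: bytes = SECRET) -> str:
    """Derive the token for one rotation window from the server secret.

    Deterministic per window, so the server keeps no table of issued tokens
    and mod_cache can serve the same page to everyone during that window.
    """
    return hmac.new(secret, str(window).encode(), hashlib.sha256).hexdigest()


def current_token(now: Optional[float] = None) -> str:
    """Token to embed in the home page at time `now` (default: wall clock)."""
    now = time.time() if now is None else now
    return token_for_window(int(now // WINDOW_SECONDS))


def token_is_valid(token: str, now: Optional[float] = None) -> bool:
    """Accept the current window's token and the previous ACCEPTED_WINDOWS-1.

    Uses a constant-time comparison so an attacker cannot learn the token
    byte by byte from response timing; anything older than the accepted
    windows is rejected, so a harvested token stops working within minutes.
    """
    now = time.time() if now is None else now
    window = int(now // WINDOW_SECONDS)
    for w in range(window, window - ACCEPTED_WINDOWS, -1):
        if hmac.compare_digest(token, token_for_window(w)):
            return True
    return False
```

The token is a rate-limiting aid only: pair it with per-account or per-IP attempt counters, since a bot can refresh the home page to obtain a fresh token.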