[Catalyst] Rate limiting password attacks
Carl Johnstone
catalyst at fadetoblack.me.uk
Mon Aug 20 18:19:46 GMT 2007
> What's to stop the bot from grabbing the token from the home page and
> using it in its attack? The token has to be something the
> bot can't readily read, e.g., captcha.
Bill said:
"I have the ability to turn on form tokens on my forms, so to be able
to post to a form you have to first fetch the single-use token from
the form. That has been a big help with forms that send mail, but
also aids in preventing reposting of forms -- in addition to redirect
after post."
So obviously they work for him. Anything that has an effect without causing
accessibility problems for users has to be a good thing.
In any case, I was just suggesting a way he could still make his existing
token system work with a "static" page to save server resources.
Carl
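As an added illustration of the single-use form token mechanism discussed above (example code, not from this thread or from Catalyst itself; the class name, the throttle parameters and the sample session and client identifiers are assumptions): each token is bound to the session that fetched the form and is burned on first use, so a resubmitted or replayed POST fails, and because every attempt then needs a fresh fetch of the form, the fetch itself is counted per client and throttled.

```python
import secrets
import time
from collections import defaultdict, deque


class SingleUseFormTokens:
    """Hypothetical single-use form token store (not Catalyst's own code).

    issue()   -> called when the form is fetched; returns a token or None if the
                 client has fetched the form too often within the window.
    consume() -> called when the form is posted; True exactly once per valid
                 token, False on replay, expiry or a token from another session.
    """

    def __init__(self, ttl_seconds=600, max_fetches=5, window_seconds=60,
                 clock=time.monotonic):
        self.ttl = ttl_seconds
        self.max_fetches = max_fetches
        self.window = window_seconds
        self.clock = clock                   # injectable for testing
        self._tokens = {}                    # token -> (session_id, expires_at)
        self._fetches = defaultdict(deque)   # client_id -> recent fetch timestamps

    def _recent_fetches(self, client_id, now):
        q = self._fetches[client_id]
        while q and now - q[0] > self.window:    # drop fetches outside the window
            q.popleft()
        return q

    def issue(self, session_id, client_id):
        """Mint a token for this session, or refuse if the client fetches too fast."""
        now = self.clock()
        recent = self._recent_fetches(client_id, now)
        if len(recent) >= self.max_fetches:
            return None
        recent.append(now)
        token = secrets.token_urlsafe(32)        # unguessable, so bots cannot forge one
        self._tokens[token] = (session_id, now + self.ttl)
        return token

    def consume(self, session_id, token):
        """Accept the token once; it is removed whatever the outcome of the checks."""
        entry = self._tokens.pop(token, None)
        if entry is None:                        # unknown, already used, or forged
            return False
        owner, expires_at = entry
        return owner == session_id and self.clock() <= expires_at
```

The per-client fetch log grows with the number of distinct clients, so a production version would evict idle clients or keep the counters in the same store as the session.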