[Catalyst] Rate limiting password attacks

Carl Johnstone catalyst at fadetoblack.me.uk
Mon Aug 20 18:19:46 GMT 2007

> What's to stop the bot from grabbing the token from the home page and
> using it in its attack?  The token has to be something the
> bot can't readily read, e.g., captcha.

Bill said:

"I have the ability to turn on form tokens on my forms, so to be able
to post to a form you have to first fetch the single-use token from
the form.  That has been a big help with forms that send mail, but
also aids in preventing reposting of forms -- in addition to redirect
after post."

So obviously they work for him. Anything that has an effect without causing 
accessibility problems for users has to be a good thing.

In any case, I was just suggesting a way he could still make his existing 
token system work with a "static" page to save server resources.


More information about the Catalyst mailing list