[Catalyst] Rate limiting password attacks

Christian Storm storm at iparadigms.com
Mon Aug 20 19:16:46 GMT 2007

He is referring to reposting of forms that are arrived at via the  
back button, e.g.,
breaking the cycle submit form -> click back button -> submit form ->  

The use case is for single use forms not for security.  It wouldn't  
do anything to
prevent a bot from scraping the HTML for that token and using it to  
the form.

On Aug 20, 2007, at 10:19 AM, Carl Johnstone wrote:

>> What's to stop the bot from grabbing the token from the home page and
>> using it in its attack?  The token has to be something the
>> bot can't readily read, e.g., captcha.
> Bill said:
> "I have the ability to turn on form tokens on my forms, so to be able
> to post to a form you have to first fetch the single-use token from
> the form.  That has been a big help with forms that send mail, but
> also aids in preventing reposting of forms -- in addition to redirect
> after post."
> So obviously they work for him. Anything that has an effect without  
> causing accessibility problems for users has to be a good thing.
> In any case, I was just suggesting a way he could still make his  
> existing token system work with a "static" page to save server  
> resources.
> Carl
> _______________________________________________
> List: Catalyst at lists.rawmode.org
> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/ 
> catalyst at lists.rawmode.org/
> Dev site: http://dev.catalyst.perl.org/

More information about the Catalyst mailing list