Posted by antony on 04/09/07 20:48

Il Mon, 09 Apr 2007 14:46:55 -0400, Michael Daly ha scritto:

> antony wrote:
>
>> but is so frequently that user have same ip?
>> just enough to have same internet provider?
>
> On the login page, create a hidden input field with a login count. When
> you send back the invalid login, update the hidden count. Once you hit
> the limit, write the page with a hidden "lockout" field.

but is possible to do this:
after five attempts lockout field;
but if one refresh all, at the second group of five attempts block to limit
the possibility of insert datas: max 1 attempt every ten minutes, also if
one refresh; is possible you know example?




> The smart user will get around this with a complete page refresh, but
> the dumb user will not.

who does the dos attack I think can to make also in automatic the page
refresh.
is necessary, at the second group of attempts, to make slow every others
attempt (and that aren't refresh dependent);




> Saving IPs will work if there is little time between logins - there
> won't be enough time for a new IP to show up. If you're looking at
> checking over more than one day, the IP is likely to change.
>
> Mike

so is sufficient to slow the datas insertion ?
the time of slow can also is proportional at the attempts.


for hidden "lockout" field you what system use (advise)?
css, javscript , other solution?

[Back to original message]