struts-user mailing list archives

From "Paul Benedict" <pbened...@apache.org>
Subject Re: Thread.sleep(...) in Struts Action
Date Fri, 09 Mar 2007 19:06:58 GMT
Adam,

Your idea is good but the implementation is bad. The solution presumes a
malicious user is attempting to break passwords through a serialized
attempt: try, wait, try, wait, try, wait, etc. But anyone who can guess at
your methodology will then just spawn N asynchronous requests, which will
then defeat your security measure altogether. A better solution is to
disable the username, perhaps for a couple minutes, after N invalid
attempts. And on your login screen, display the timestamp of the last
successful login. This will give the true user some information as to what is
going on.

Paul
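The per-username lockout Paul describes, as an added example that is not part of the original thread or of Struts itself. The `LoginThrottle`, `FakeClock`, `attempt_login` and `demo` names are my own; the lockout threshold, the two-minute window and the sample account are constructed values. The key property is that the failure budget is keyed by username rather than by request, so N guesses fired in parallel share one counter and cannot bypass the measure the way they bypass a per-request `Thread.sleep`. A clock function is injected so the expiry logic can be exercised without actually waiting.

```python
import threading
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional


class LoginThrottle:
    """Lock a username after `max_attempts` consecutive failures.

    State lives per username, not per request, so concurrent guesses against
    one account draw down the same budget. The lock is checked *before* the
    password is verified, so a locked account rejects even the right password
    until the window expires. In a clustered deployment this state would need
    to live in a shared store (database, cache) rather than in-process memory.
    """

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 120,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._mutex = threading.Lock()          # serialize concurrent updates
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}
        self._last_success: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        with self._mutex:
            until = self._locked_until.get(username)
            if until is None:
                return False
            if self._clock() >= until:
                # Window expired: clear the lock and reset the counter.
                del self._locked_until[username]
                self._failures[username] = 0
                return False
            return True

    def record_failure(self, username: str) -> bool:
        """Count one failed attempt; returns True if the account is now locked."""
        with self._mutex:
            self._failures[username] += 1
            if self._failures[username] >= self.max_attempts:
                self._locked_until[username] = self._clock() + self.lockout_seconds
                return True
            return False

    def record_success(self, username: str) -> None:
        """Reset the counter and remember when this login happened."""
        with self._mutex:
            self._failures[username] = 0
            self._last_success[username] = self._clock()

    def last_successful_login(self, username: str) -> Optional[float]:
        """Timestamp to show on the login screen, as the message suggests."""
        with self._mutex:
            return self._last_success.get(username)


def attempt_login(throttle: LoginThrottle, username: str,
                  password: str, real_password: str) -> str:
    """Returns 'locked', 'denied' or 'ok'. Lock check comes first."""
    if throttle.is_locked(username):
        return "locked"
    # Stand-in for a real credential check (hash comparison in practice).
    if password == real_password:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


class FakeClock:
    """Controllable clock so the expiry path runs without sleeping."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo():
    """Ten wrong guesses submitted at the same instant, then the real password."""
    clock = FakeClock()
    throttle = LoginThrottle(max_attempts=3, lockout_seconds=120, clock=clock)
    user, real = "alice", "correct-horse"          # constructed sample account
    # All ten guesses share one clock value, modelling parallel requests:
    # only the first three are evaluated, the rest are refused outright.
    results: List[str] = [attempt_login(throttle, user, f"guess{i}", real)
                          for i in range(10)]
    during = attempt_login(throttle, user, real, real)   # right password, still locked
    clock.advance(121)                                   # window has passed
    after = attempt_login(throttle, user, real, real)
    return results, during, after, throttle.last_successful_login(user)


if __name__ == "__main__":
    print(demo())
```

Because the lock is evaluated before the credential check, a locked account gives no signal about whether a guess was right. The flip side, which is why the window should stay short as Paul suggests, is that anyone who can submit failures for a username can keep that user locked out for the duration.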
