httpd-dev mailing list archives

From "Dirk.vanGulik" <Dirk.vanGu...@jrc.it>
Subject Re: PR #209 and delays in authentication retry
Date Tue, 01 Apr 1997 11:21:35 GMT

> > 
> >     PR#209 complains that, since he uses his system passwd file as his
> >     authentication source, Web-based attacks can be mounted on his
> >     accounts with no governor.  He wants us to impose a 5-second delay
> >     before responding with an authentication failure.
> > 
> >     I'd like to close this with a "not a chance" reply, but I want to
> >     make sure no-one else thinks this is a good idea, or worth
> >     considering, first.  Penalising people who mis-spell their
> >     passwords, or hit the CAPS-LOCK key, just because this chap uses his
> >     system passwd file to limit access surely doesn't sound like The
> >     Right Thing(tm) to me..
> > 

Excuse me; building in some expensive timeout across requests, 'cause the
guy is an idiot. You've got to be joking. -1 from me! HTTP is a stateless
request protocol. Tough.

Dw.

