struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hookom, Jacob" <Jacob.Hoo...@redline.mckhboc.com>
Subject RE: Login Security
Date Tue, 16 Dec 2003 21:47:38 GMT
Btw, remember to flush the map for that username when they are able to login
successfully.

-----Original Message-----
From: Hookom, Jacob [mailto:Jacob.Hookom@redline.mckhboc.com] 
Sent: Tuesday, December 16, 2003 3:46 PM
To: Struts Users Mailing List
Subject: RE: Login Security

Do a HashMap in the action:

Key is username
Value is Integer or Date

If ((value = map.get(key)) != null)
{
	if (value instanceof Date)
	{
		// compare timeout dates
	}
	else if (value instanceof Integer)
	{
		if (value == 3)
		{
			map.put(key, new Date(deadline));
		}
		else
		{
			map.put(key, new Integer(value + 1));
		}
	}
}



-----Original Message-----
From: Ciaran Hanley [mailto:ciaran.hanley@sentenial.ie] 
Sent: Tuesday, December 16, 2003 3:43 PM
To: 'Struts Users Mailing List'
Subject: RE: Login Security


I am storing the username and password in a table in a mySql database. 

I think I will just add a field "last_failure" to the user table... and
after 3 unsuccessful attempts I will record the time in the
"last_failure" field and work out if the timeout has elapsed by querying
that field and comparing it to the current time. 

That way, I wont be using cookies, and will avoid blocking IP address.
Does that sound ok?

Ciaran

-----Original Message-----
From: John.Pitchko@shell.ca [mailto:John.Pitchko@shell.ca] 
Sent: 16 December 2003 20:46
To: struts-user@jakarta.apache.org
Cc: Jonathan.Fullam@RIAG.com
Subject: RE: Login Security

Avoid the cookie solution, it's too easy for the user to bypass your
security measures and as mentioned below, this solution won't work if
the browser has disabled cookies.

Don't block IP addresses because they can be easily spoofed and
redirected. Dynamic IPs pose a problem as you could be blocking out a
legitimate user.

How are you storing your list of usernames/passwords? Would it be
possible to add an extra bit of data next to each username/password
indicating when the login is valid?

-----Original Message-----
From: struts-user-digest-help@jakarta.apache.org
[mailto:struts-user-digest-help@jakarta.apache.org]
Sent: Tuesday, December 16, 2003 9:09 AM
To: struts-user@jakarta.apache.org
Cc: Jonathan.Fullam@RIAG.com
Subject: RE: Login Security


You could put a cookie on the user's machine that expires after a
certain
period of time.  Of course this only works when cookies are turned one
and
an experienced user could always manually remove their cookie.

Another solution maybe is to get the user's IP address from the request
Header and add it to a list of invalid IP address with their times of
entry.
Then upon a new request, you will have to check the list and determine
how
long ago the IP address was added.

I'm just brainstorming here so anybody can criticize these suggestions
freely.
-Jonathan

-----Original Message-----
From: Ciaran Hanley [mailto:ciaran.hanley@sentenial.ie]
Sent: Tuesday, December 16, 2003 10:55 AM
To: struts-user@jakarta.apache.org
Subject: Login Security


I'm writing a web application using JSP and Struts. I want to add a
security feature to my login page where if a user has three unsuccessful
logins they will be unable to log in for a certain period of time
afterwards. I can count the number of unsuccessful logins ok but how I'm
not sure how to give a timeout after 3 failures. Any ideas how I could
implement this?
 
Thanks



---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Mime
View raw message