Re: Wait Statement... ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Why silly??
it just makes you wait one second on the login page BEFORE the validation
process, not on other  pages.
I use it everywhere.

Ignatius
_________________________
----- Original Message -----
From: "Daevid Vincent" <daevid@xxxxxxxxxx>
To: <php-db@xxxxxxxxxxxxx>
Cc: "'..: GamCo :..'" <post@xxxxxxxxx>; "'John W. Holmes'"
<holmes072000@xxxxxxxxxxx>
Sent: Tuesday, July 20, 2004 9:47 PM
Subject: RE:  Wait Statement... ?


> Similarly, I could adjust my brute force attack to sleep() a
pre-determined
> amount of time too ;-)
>
> The whole 'sleep()' idea just seems silly. I agree with Jason. Just
validate
> and be done. A better way to stop attacks is to have a tally of failed
> logins if you really are that worried someone is going to brute-force you.
> Then after 3 fails, just don't let that IP connect or add other
intelligent
> handling. Maybe add them to a 'ban list' after x amount of failed tries.
You
> can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.
>
> > -----Original Message-----
> > From: John W. Holmes [mailto:holmes072000@xxxxxxxxxxx]
> > Sent: Tuesday, July 20, 2004 7:10 AM
> > To: ..: GamCo :..
> > Cc: php-db@xxxxxxxxxxxxx
> > Subject: Re:  Wait Statement... ?
> >
> > ..: GamCo :.. wrote:
> > > ok, i added the sleep() function in my page. what i'm
> > basically doing is :-
> > >
> > > i have a .php page where people log-in from. from there i
> > send the form to
> > > another .php page that actually checks the login and
> > registers a session
> > > with the username and password as session variables. then
> > on the page that
> > > actually does the validation, i have something that says :
> > validating
> > > login... sleep 1 funtion. then, i have another line that
> > says validation
> > > successfull... sleep 1 function and then i have another
> > line that says
> > > redirecting... with sleep 1 function and then header
> > redirects to the actual
> > > logged-in.php file. the redirect and validation works
> > perfectly as well as
> > > the sleep functions, but it now doesn't display the
> > validating login... blah
> > > blah blah stuff which is done in normal html code...
> >
> > You are very confused. Read the manual page on header(). You
> > can't have
> > any output before you try to redirect with a header().
> >
> > If you're trying to implement some sort of brute force protection by
> > using sleep(), you're using it in the wrong method, anyhow.
> > Your login
> > processing script should sleep for a second or two whether
> > the login is
> > correct or not and it should be the first thing that it does (i.e.
> > before any output or redirection). If you only sleep() on
> > failures and
> > redirect on good logins, brute force methods can pick up on that and
> > adjust their methods to get around the wait time.
> >
> > --
> > ---John Holmes...
> >
> > Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
> >
> > php|architect: The Magazine for PHP Professionals - www.phparch.com
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux