phpass HAS BEEN CRACKED! What is the solution?
[eluser]bretticus[/eluser]
An attacker can easily not send cookies back, so cookies are probably useless in this scenario. I would also assume that an attacker could spoof IP addresses, yet how would he know if he succeeded if the response never reaches him? So, you might store attempts in the database by IP. However, if the attacker has a botnet, that is impossible to defend against. However, if the attacker has that capability, he'll just shut you down anyhow. If only HTTP were a stateful protocol.

If you do go for storing IPs, to avoid the database lookup each time, use APC instead. Once that IP gets into your cache, just do a nice little die() or exit() on a match (just make sure it's not a proxy IP for AOL or something!). The beauty of caching is that you can set a TTL and the cache will expire all by itself.

Keep in mind that there are ways of detecting bots too, although CAPTCHA on login could be very annoying. Perhaps we don't have to be quite so locked down.
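A concrete form of the per-IP throttle with a cache TTL that bretticus describes, written as an added example (not code from this thread or from CodeIgniter). It assumes the APCu extension (the maintained successor of APC) and that `$trustedProxies` lists only your own reverse proxies; the AOL-style shared-IP caveat still applies to whatever address it resolves.

```php
<?php
// Added example: fixed-window login throttle keyed by client IP, stored in APCu
// so each counter expires by TTL with no cleanup job. Assumes APCu is loaded.

const LOGIN_WINDOW_SECONDS = 900;  // failures are counted over a 15-minute window
const LOGIN_MAX_FAILURES   = 10;   // budget per IP per window

/** Resolve the client IP, trusting X-Forwarded-For only when sent by a known proxy. */
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Leftmost entry is the original client; later ones were appended by proxies.
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        if (filter_var($chain[0], FILTER_VALIDATE_IP) !== false) {
            return $chain[0];
        }
    }
    return $remote;  // untrusted header, or no proxy in front: use the socket peer
}

/** True when this IP has already used up its failure budget in the current window. */
function login_is_throttled(string $ip): bool
{
    return (int) apcu_fetch('login_fail:' . $ip) >= LOGIN_MAX_FAILURES;
}

/** Record one failed login; the counter expires LOGIN_WINDOW_SECONDS after the first failure. */
function record_login_failure(string $ip): int
{
    $key = 'login_fail:' . $ip;
    // apcu_add only succeeds when the key is absent, so the TTL is set once per window
    // and apcu_inc leaves it untouched on subsequent failures.
    apcu_add($key, 0, LOGIN_WINDOW_SECONDS);
    return (int) apcu_inc($key);
}

/** Clear the counter on a successful login so a legitimate user is not penalised later. */
function clear_login_failures(string $ip): void
{
    apcu_delete('login_fail:' . $ip);
}

// Usage at the top of the login action (10.0.0.5 is an assumed reverse proxy address):
$ip = client_ip($_SERVER, ['10.0.0.5']);
if (login_is_throttled($ip)) {
    http_response_code(429);
    exit('Too many failed logins; try again later.');
}
// ...after verifying the password: record_login_failure($ip) or clear_login_failures($ip).
```

Counting only failures rather than all attempts keeps normal users unaffected, and the 429 response gives monitoring something to alert on when one IP trips the limit repeatedly.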