限制登录尝试 [英] Throttling login attempts

问题描述

(这主要是一个与语言无关的问题，尽管就我而言，我使用的是ASP.NET 3.5)

(This is in principal a language-agnostic question, though in my case I am using ASP.NET 3.5)

我正在使用标准的ASP.NET 登录控件，并希望实施以下失败的登录尝试限制逻辑.

I am using the standard ASP.NET login control and would like to implement the following failed login attempt throttling logic.

• 处理 OnLoginError 事件并在会话中维护失败登录计数尝试
• 当此计数达到 [一些可配置的值] 时，将阻止从原始IP地址或该用户(或该用户)的进一步登录尝试1小时

• Handle the OnLoginError event and maintain, in Session, a count of failed login attempts
• When this count gets to [some configurable value] block further login attempts from the originating IP address or for that user / those users for 1 hour

这听起来像是明智的做法吗?我是否错过了绕过此类检查的明显方法?

Does this sound like a sensible approach? Am I missing an obvious means by which such checks could be bypassed?

注意:ASP.NET会话使用cookie与用户的浏览器关联

Note: ASP.NET Session is associated with the user's browser using a cookie

这是一个只能在英国和印度使用的管理站点

This is for an administration site that is only going to be used from the UK and India

推荐答案

Jeff Atwood 提到了另一种方法:而不是在尝试多次后锁定帐户，请增加允许再次登录的时间:

Jeff Atwood mentioned another approach: Rather than locking an account after a number of attempts, increase the time until another login attempt is allowed:

1st failed login    no delay
2nd failed login    2 sec delay
3rd failed login    4 sec delay
4th failed login    8 sec delay
5th failed login    16 sec delay

这将减少因拒绝服务攻击而滥用此保护措施的风险.

That would reduce the risk that this protection measure can be abused for denial of service attacks.

请参见 http://www.codinghorror.com/blog/archives/001206. html

这篇关于限制登录尝试的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！