[aklug] Re: State of Alaska Security / SSL

From: Royce Williams <royce@alaska.net>
Date: Thu May 20 2010 - 08:57:21 AKDT

Scott A. Johnson wrote, on 5/20/2010 8:50 AM:
> Thanks for the info Kevin, Joshua, and Royce. All good info and
> ideas. Another thought though - does this type of security make a
> login any more vulnerable to brute-force attempts than a POST form
> type? Seems like it may be easier for some automated scripts to poll
> a list of set URLs if you will than having to load a page, fill out a
> form, and post it. I wonder if there is a login-count process
> associated with this login method that will lock out accounts if the
> wrong password is used too many times.

It's only more vulnerable to amateur script-kiddies. Under the hood,
automating POSTs is just as easy as automating GETs.

The Right Way is to generate a unique token for each load of the page
containing the login form, storing it, aging them out after a short
period of time, and only accepting submissions that contain the token.

Royce
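The per-page-load token scheme described above, worked through as an added example (this is not code from the original mail or from the State of Alaska site). It issues a fresh random token each time the login form is rendered, remembers it with a timestamp, ages tokens out after a short window, and refuses a submission before the password is even looked at unless it carries a live, unused token. The five-minute TTL, the 256-bit token size and the `check_password` callback are assumptions made for the example; nothing in the mail fixes those values.

```python
"""Per-page-load login tokens: issue on GET, require and consume on POST."""
import hmac
import secrets
import time

# Assumed policy values, not taken from the original mail.
TOKEN_TTL_SECONDS = 300     # tokens age out after five minutes
TOKEN_BYTES = 32            # 256 bits of entropy per token


class LoginTokenStore:
    """In-memory store of the tokens handed out with the login form.

    Each token is good for one submission and for TOKEN_TTL_SECONDS.
    A clock can be injected so expiry is testable without sleeping.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._issued = {}   # token -> time at which it was issued

    def _age_out(self):
        now = self._clock()
        expired = [t for t, issued in self._issued.items()
                   if now - issued > self._ttl]
        for t in expired:
            del self._issued[t]

    def issue(self):
        """Mint a fresh token; call once per render of the login page."""
        self._age_out()
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._issued[token] = self._clock()
        return token

    def redeem(self, presented):
        """Accept a token once, then forget it. True only if it was live."""
        self._age_out()
        if not isinstance(presented, str):
            return False
        # Compare against each live token in constant time instead of doing a
        # dict lookup keyed on attacker-supplied input. The store stays small
        # because tokens age out, so the linear scan is cheap.
        for token in list(self._issued):
            if hmac.compare_digest(token, presented):
                del self._issued[token]
                return True
        return False

    def live_count(self):
        """Number of tokens that could still be redeemed right now."""
        self._age_out()
        return len(self._issued)


def render_login_form(store):
    """GET /login: embed a fresh token in the form as a hidden field."""
    token = store.issue()
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="token" value="{token}">'
        '<input name="user"><input type="password" name="password">'
        '<input type="submit"></form>'
    )


def handle_login(store, form, check_password):
    """POST /login: reject anything without a live token before touching credentials.

    `form` is the parsed POST body. `check_password(user, password)` is the
    site's own credential check; it is assumed here, not specified in the mail.
    """
    if not store.redeem(form.get("token")):
        return "rejected: missing, expired or reused token"
    if check_password(form.get("user", ""), form.get("password", "")):
        return "ok"
    return "rejected: bad credentials"
```

Two design notes. The token is consumed on first use, so a replayed or stale submission fails the same way as one with no token at all, and the store never grows without bound because every issue and redeem call sweeps out expired entries first. This stops scripts that fire password guesses at a fixed URL without ever fetching the form, but a script that fetches the form, reads the hidden field and posts it back gets a valid token every time, which is exactly the point that automating a POST is no harder than a GET; the token raises the bar, it does not replace per-account attempt counting.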
Received on Thu May 20 08:57:29 2010