device cookie lockout list storage advice? #885

Open
unusualevent opened this issue Feb 18, 2024 · 1 comment

Comments

@unusualevent

On the device cookies idea: https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies

How would you store the lockout list entries?

The individual entries expire, no?

Plus you might want a quick reference to "device cookie" -> banned(bool), or "IP" -> limited(bool), or "username" -> limited(bool)

Is it meant to be stored as an in-memory KV, or stored in Redis for clustering?

What would an ideal table layout be?

@unusualevent
Author

Or really, it would be nice for there to be a code example. Which routes should have which methods, for example?
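
Added example (not part of the original thread and not OWASP's own code): one way to keep the lockout list as an in-memory key-value store with expiring entries, keyed either by device cookie or by username for clients without a valid cookie. The class and method names and the values chosen for N (`MAX_FAILURES`) and T (`WINDOW_SECONDS`) are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 3      # N: assumed value, tune per deployment
WINDOW_SECONDS = 600  # T: assumed value, also used as the lockout duration


class LockoutStore:
    """In-memory KV: key -> lockout expiry, plus recent failure times per key."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                    # injectable so tests control time
        self._locked_until = {}                # key -> expiry timestamp
        self._failures = defaultdict(deque)    # key -> failure timestamps

    @staticmethod
    def key_for(username, device_cookie_id=None):
        # A valid device cookie is tracked on its own; all other clients
        # share one "untrusted" bucket per username.
        if device_cookie_id is not None:
            return ("cookie", device_cookie_id)
        return ("untrusted", username)

    def is_locked(self, key):
        expiry = self._locked_until.get(key)
        if expiry is None:
            return False
        if self._clock() >= expiry:
            del self._locked_until[key]        # lazy expiry on read
            return False
        return True

    def register_failure(self, key):
        """Record a failed attempt; return True if the key is now locked out."""
        now = self._clock()
        window = self._failures[key]
        window.append(now)
        # Drop failures that fell out of the sliding window of length T.
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_FAILURES:
            self._locked_until[key] = now + WINDOW_SECONDS
            window.clear()
            return True
        return False
```

In a clustered deployment the same keys can be stored in Redis with a per-key expiry in place of the `_locked_until` dict, so expired lockouts disappear without a cleanup job.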
