I think that the detecting method is quite correct. If a user tries to log in 10 times a minute, something is wrong here.

But you need to check if:

- the user is impatient so clicks ten times just to "make the loading faster". It's ok if you disable the login button with JavaScript, but the user can have JS disabled.
- the user clicks "refresh" on the perform-login page, so that the browser resends the POST data. This is possible even if redirecting him, because he's got a low connection speed. So this could be treated by you as an attack.
- the user has an auto-completed form with a wrong password stored. He clicks, so there is an error, so he does it again, and again, and again.

In my opinion this is no counter-measure if he's trying to make a DoS attack, because it doesn't matter what query he makes, because he just wants to halt your server. And, moreover, he will try to do this from many computers with different IPs so you can't easily block them.

I think blocking an IP is no protection and makes the user sure that you have something to hide. You are able to block him this way, so he'll start another way, the one you had not even thought of. I think -- as the other comments say -- you should temporarily block the user (you can log the IP, why not?), but show him something like "Internal server/database error, please wait".

All the major sites of the largest worldwide companies do not block anybody.

And finally, answering your question: yes, this method will make your system more secure in the short term, but the user should never know he's been blocked.
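As an added illustration of the approach described in the answer above (this is example code, not something posted by the answer's author): a per-account throttle that counts failed logins in a one-minute sliding window, locks the account for a while once the threshold is reached, answers with a vague "internal error" message while locked, and records the IP in an audit log. The one-time form token (nonce) handles the "browser refresh resends the POST" case: a replayed token returns the same response as the original submission instead of counting as a new failure. The window, threshold, lockout length, nonce scheme and demo user store are all assumptions made for the example.

```python
"""Login throttle with a sliding failure window, temporary lockout and a
generic error while locked. Added example; thresholds and the user store
are assumptions, not taken from the original discussion."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # "10 times a minute" from the answer
MAX_FAILURES = 10
LOCKOUT_SECONDS = 300      # assumed lockout length
GENERIC_ERROR = "Internal server error, please wait and try again."
BAD_CREDENTIALS = "Invalid username or password."
PBKDF2_ROUNDS = 50_000     # assumed; tune for your hardware


def make_verifier(plaintext_users):
    """Build a constant-time password check over a constructed demo user store."""
    store = {}
    for user, pw in plaintext_users.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS))

    def verify(user, pw):
        rec = store.get(user)
        if rec is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hashlib.pbkdf2_hmac("sha256", pw.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = rec
        return hmac.compare_digest(
            digest, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS))
    return verify


class LoginThrottle:
    def __init__(self, verify, clock=time.monotonic):
        self.verify = verify
        self.clock = clock
        self.failures = defaultdict(deque)  # username -> timestamps of recent failures
        self.locked_until = {}              # username -> time the lock expires
        self.seen_nonces = {}               # consumed form token -> response it got
        self.audit_log = []                 # (time, username, ip, event) for the operator

    def recent_failures(self, username, now):
        q = self.failures[username]
        while q and q[0] <= now - WINDOW_SECONDS:   # drop entries outside the window
            q.popleft()
        return len(q)

    def attempt(self, username, password, ip, nonce):
        """Returns (ok, message). The message never reveals that a lock exists."""
        now = self.clock()
        if now < self.locked_until.get(username, 0):
            self.audit_log.append((now, username, ip, "blocked"))
            return False, GENERIC_ERROR          # do not even run the password check
        if nonce in self.seen_nonces:             # refresh re-sent the same POST
            self.audit_log.append((now, username, ip, "replayed-form"))
            return self.seen_nonces[nonce]       # same answer, no extra failure counted
        if self.verify(username, password):
            self.failures.pop(username, None)
            self.audit_log.append((now, username, ip, "ok"))
            result = (True, "Welcome")
        else:
            self.failures[username].append(now)
            if self.recent_failures(username, now) >= MAX_FAILURES:
                self.locked_until[username] = now + LOCKOUT_SECONDS
                self.audit_log.append((now, username, ip, "locked"))
                result = (False, GENERIC_ERROR)
            else:
                self.audit_log.append((now, username, ip, "failed"))
                result = (False, BAD_CREDENTIALS)
        self.seen_nonces[nonce] = result          # a real deployment would expire these
        return result


class FakeClock:
    """Constructed clock so the scenario below runs instantly and deterministically."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


def simulate():
    """Constructed scenario: 3 failures, one refresh replay, 7 more failures, then recovery."""
    clock = FakeClock()
    throttle = LoginThrottle(make_verifier({"alice": "correct horse"}), clock)
    ip = "203.0.113.5"                            # documentation address, constructed
    results = []
    for i in range(3):
        results.append(throttle.attempt("alice", "wrong", ip, f"n{i}"))
        clock.t += 2
    results.append(throttle.attempt("alice", "wrong", ip, "n0"))   # browser refresh
    failures_after_replay = throttle.recent_failures("alice", clock())
    clock.t += 2
    for i in range(3, 10):
        results.append(throttle.attempt("alice", "wrong", ip, f"n{i}"))
        clock.t += 2
    results.append(throttle.attempt("alice", "correct horse", ip, "n10"))  # locked
    clock.t += LOCKOUT_SECONDS
    results.append(throttle.attempt("alice", "correct horse", ip, "n11"))  # lock expired
    return {"results": results,
            "events": [e for _, _, _, e in throttle.audit_log],
            "failures_after_replay": failures_after_replay}


if __name__ == "__main__":
    for r in simulate()["results"]:
        print(r)
```

Note what the caller sees: the tenth failure and the correct password submitted during the lockout both get the same generic message as an ordinary outage would produce, while the audit log keeps the "locked" and "blocked" events with the IP for the operator.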