I have a .jsp login page for my application and want to create n-second delay if the entered username/password is incorrect in order to make bruteforcing/hammering more difficult. How can this be done ?
And generally speaking about web application security; is it the right approarch to handle user authentications via sessions or is there any security issues there ? Meaning that, when user logs in, a session is created and this session is checked in every .jsp page. And if it's not valid, user is forwarded back to login-page.
Creating a delay in the request/response cycle is a poor idea. Rather, handle this on the server end by keeping track of failed logins and ignoring repeated requests for the same login name.
Using sessions is a good way to keep track of authenticated logins. But checking on each JSP page is not. I'd either check it in the servlet controller for the page (you are using a Model 2 architecture, right?) or better yet, institute a servlet filter that does this checking for you.