any ideas for implementing the lockout

hi,
does anyone have any ideas for implementing the lockout after user attempts a number of times to guess user logn/password. i am getting a hard time deciding to put it in database v.s. Application context v.s. some server cache which is available in webspere.

Any Ideas?

"techie junction", please check your private messages for an important administrative matter.

Without any requirements, how can we advise?

Does the lockout need to survive across server restarts, for example?

yes the lockouts need to survive across the server restarts.

does anyone have an idea on what security policies are good. locking out a customer on unsuccessful login attempts for an hour or locking them permanently till they can call customer service and unlock it?

ravi koli wrote:yes the lockouts need to survive across the server restarts.

Then you have to use the database since you want it to persist.

ravi koli wrote:does anyone have an idea on what security policies are good. locking out a customer on unsuccessful login attempts for an hour or locking them permanently till they can call customer service and unlock it?

It depends on your business needs and what kind of site. For a bank, you'd want them to call. For a less important website, you might go by time. Another idea is a stepped mechanism. 3 wrong answers = 1 hour wait. 3 more wrong = 2 hour wait, 3 more wrong = 4 hour wait, etc.

Jeanne Boyarsky wrote:

ravi koli wrote:does anyone have an idea on what security policies are good. locking out a customer on unsuccessful login attempts for an hour or locking them permanently till they can call customer service and unlock it?

It depends on your business needs and what kind of site. For a bank, you'd want them to call. For a less important website, you might go by time. Another idea is a stepped mechanism. 3 wrong answers = 1 hour wait. 3 more wrong = 2 hour wait, 3 more wrong = 4 hour wait, etc.

thanks Jeanne!!!