any ideas for implementing the lockout

ravi koli
Greenhorn

Joined: Oct 22, 2009
Posts: 4
Hi,
Does anyone have any ideas for implementing the lockout after a user attempts a number of times to guess the user login/password? I am having a hard time deciding whether to put it in the database vs. the application context vs. some server cache which is available in WebSphere.



Any Ideas?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61299
    

"techie junction", please check your private messages for an important administrative matter.


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61299
    

Without any requirements, how can we advise?

Does the lockout need to survive across server restarts, for example?
ravi koli
Greenhorn

Joined: Oct 22, 2009
Posts: 4
Yes, the lockouts need to survive across server restarts.
ravi koli
Greenhorn

Joined: Oct 22, 2009
Posts: 4
Does anyone have an idea of which security policies are good? Locking out a customer on unsuccessful login attempts for an hour, or locking them permanently until they can call customer service and unlock it?
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30580
    

ravi koli wrote: Yes, the lockouts need to survive across server restarts.

Then you have to use the database since you want it to persist.


Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30580
    

ravi koli wrote: Does anyone have an idea of which security policies are good? Locking out a customer on unsuccessful login attempts for an hour, or locking them permanently until they can call customer service and unlock it?

It depends on your business needs and what kind of site. For a bank, you'd want them to call. For a less important website, you might go by time. Another idea is a stepped mechanism. 3 wrong answers = 1 hour wait. 3 more wrong = 2 hour wait, 3 more wrong = 4 hour wait, etc.
ravi koli
Greenhorn

Joined: Oct 22, 2009
Posts: 4
Jeanne Boyarsky wrote:
ravi koli wrote: Does anyone have an idea of which security policies are good? Locking out a customer on unsuccessful login attempts for an hour, or locking them permanently until they can call customer service and unlock it?

It depends on your business needs and what kind of site. For a bank, you'd want them to call. For a less important website, you might go by time. Another idea is a stepped mechanism. 3 wrong answers = 1 hour wait. 3 more wrong = 2 hour wait, 3 more wrong = 4 hour wait, etc.


Thanks Jeanne!!!
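
The design the replies above arrive at (lockout state kept in the database so it survives restarts, with a stepped wait of 1, 2, then 4 hours for each 3 wrong answers), shown as an added example that is not part of the original thread. It is written in Python with SQLite standing in for the application's database; the table name, the function names and the reset on successful login are assumptions.

```python
import sqlite3

ATTEMPTS_PER_STEP = 3     # "3 wrong answers" per step, as in the thread
BASE_LOCK_SECONDS = 3600  # first lock is 1 hour, doubling at each later step

def open_store(path):
    """Open the lockout table in an SQLite file (assumed stand-in database)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS login_lockout ("
               "username TEXT PRIMARY KEY, failures INTEGER NOT NULL, "
               "locked_until INTEGER NOT NULL)")
    db.commit()
    return db

def locked_until(db, username):
    """Epoch second at which the current lock ends; 0 if never locked."""
    row = db.execute("SELECT locked_until FROM login_lockout WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else 0

def record_failure(db, username, now):
    """Count one failure; return the lock length imposed in seconds (0 if none)."""
    with db:  # single transaction, committed when the block exits
        db.execute("INSERT OR IGNORE INTO login_lockout VALUES (?, 0, 0)", (username,))
        db.execute("UPDATE login_lockout SET failures = failures + 1 "
                   "WHERE username = ?", (username,))
        failures = db.execute("SELECT failures FROM login_lockout "
                              "WHERE username = ?", (username,)).fetchone()[0]
        if failures % ATTEMPTS_PER_STEP:
            return 0  # not yet at a multiple of 3: no new lock
        wait = BASE_LOCK_SECONDS * 2 ** (failures // ATTEMPTS_PER_STEP - 1)
        db.execute("UPDATE login_lockout SET locked_until = ? WHERE username = ?",
                   (now + wait, username))
        return wait

def attempt_login(db, username, password_ok, now):
    """Return 'locked', 'ok' or 'failed'; a locked account is refused outright."""
    if now < locked_until(db, username):
        return "locked"  # even a correct password is rejected during the lock
    if password_ok:
        with db:  # a successful login clears the counter and the step level
            db.execute("DELETE FROM login_lockout WHERE username = ?", (username,))
        return "ok"
    record_failure(db, username, now)
    return "failed"
```

Because the counter and `locked_until` live in the table rather than in the application context or a server cache, reopening the store after a restart still reports the account as locked.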
 