User authentication using Sybase, and implementing a 3 try lockout

Post by Larry Buss » Sat, 04 Oct 1997 04:00:00

Hi folks

Two questions.

1.  Is it possible to use the Apache module, mod_auth_dbi, to authenticate
    users entered in a Sybase database? If so, how would I go about doing this?

2.  Is there any way to implement a 3 attempt limit upon entering a
username/password?

Thanks in advance for your help!
--
Larry Buss
http://www.magothy.com/

User authentication using Sybase, and implementing a 3 try lockout

Post by Kevin P. Neal » Sat, 04 Oct 1997 04:00:00

> Hi folks

Hey.

> 2.  Is there any way to implement a 3 attempt limit upon entering a
> username/password?

Ewwww. Ugly.

You would have to keep track of all users who had hit the server. This
is a rather difficult task when using a server that has multiple
processes like Apache.

Even if you overcame that hurdle: MSIE 3 has a bad habit of sending
truncated authorization lines. Also, all browsers try to guess which
parts of a site require authorization.

MSIE 3 is *horrible* at guessing. Mosaic and Netscape do very well,
but MSIE is *awful*.

At my site (on a corporate "Intranet") we require authorization for
_all_ hits on the web server. My ratio of 200/304 hits to 401 hits for
MSIE 3 is roughly 3:1. For Netscape and Mosaic it's roughly 10:1. We
get about 150,000 hits a day (this month -- it's growing rapidly).

You would have to watch out for hits that came without credentials,
and also truncated authorization lines from MSIE 3.

What a pain.

--
Kevin P. Neal, Junior, Comp. Sci.     -   House of Retrocomputing
"Good grief, I've just noticed I've typed in a rant. Sorry chaps!"

User authentication using Sybase, and implementing a 3 try lockout

Post by Ron Klatchko » Tue, 07 Oct 1997 04:00:00

> >2.  Is there any way to implement a 3 attempt limit upon entering a
> >username/password?

> You would have to keep track of all users who had hit the server. This
> is a rather difficult task when using a server that has multiple
> processes like Apache.

That would depend on how you define the problem.  If you can deal with
"three consecutive tries with an incorrect password without an
intervening correct password" as the lockout condition, this should not
be too difficult.  It would leave open a hole where the actual user is
using her account while someone else is trying to crack it.  Since each
valid access resets the consecutive incorrect password count, the
cracker would get more chances to try passwords before being locked out.

> MSIE 3 is *horrible* at guessing. Mosaic and Netscape do very well,
> but MSIE is *awful*.

Why should that matter?  It seems that the basic solution would
differentiate between requests without authorization and those with
incorrect authorization.

As for truncated authorization lines that you mentioned, I would think
they should be treated like requests without authorization.

moo
----------------------------------------------------------------------
              Ron Klatchko - Senior Software Engineer
         UCSF Library and Center for Knowledge Management
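The lockout policy Ron describes (three consecutive wrong passwords, reset by any correct one, with missing or truncated Authorization lines treated as "no credentials" rather than as failures) is small enough to show in full. The following is an added example written for this page, not code from any poster or from mod_auth_dbi. It is a stand-alone Python class that classifies a Basic Authorization header, checks it against a constructed user table (salted SHA-256 digests standing in for whatever the Sybase table would store; that choice and the 403 response on lockout are assumptions), and keeps the per-user consecutive-failure count in memory. In a multi-process server such as Apache that counter would have to live somewhere shared, for instance in the same database as the users, which is the difficulty Kevin raises. The example also exercises the hole Ron points out: a valid login by the real user resets the count and hands the attacker three fresh tries.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

MAX_FAILURES = 3  # Larry's "3 try lockout"


def password_digest(password: str, salt: str) -> str:
    """Salted SHA-256, hex encoded. Assumption: stands in for the real table's format."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed user table: username -> (salt, digest). Not real accounts.
USERS: Dict[str, Tuple[str, str]] = {
    "alice": ("s1", password_digest("correct horse", "s1")),
}


def make_header(user: str, password: str) -> str:
    """Build the Basic Authorization header a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


class BasicAuthGate:
    """Basic-auth check with Ron's 'consecutive wrong passwords' lockout."""

    def __init__(self, users: Dict[str, Tuple[str, str]], max_failures: int = MAX_FAILURES):
        self.users = users
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}   # consecutive wrong passwords per user
        self.locked: Set[str] = set()

    @staticmethod
    def classify(header: Optional[str]):
        """Return ("none", None), ("malformed", None) or ("creds", (user, password)).

        "none" and "malformed" (e.g. a truncated MSIE 3 line) are both answered
        with a plain challenge and never counted as a failed attempt.
        """
        if header is None:
            return "none", None
        parts = header.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "basic":
            return "malformed", None
        try:
            decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return "malformed", None
        if ":" not in decoded:
            return "malformed", None
        user, password = decoded.split(":", 1)
        return "creds", (user, password)

    def handle(self, header: Optional[str]) -> int:
        """Return the HTTP status for one request: 200, 401 (challenge) or 403 (locked)."""
        kind, creds = self.classify(header)
        if kind != "creds":
            return 401                      # no credentials: challenge, no penalty
        user, password = creds
        if user in self.locked:
            return 403                      # assumption: locked accounts get 403
        record = self.users.get(user)
        if record is None:
            # Unknown user: compare against a dummy record so timing looks the same.
            salt, digest = "dummy", password_digest("", "dummy")
            ok = hmac.compare_digest(password_digest(password, salt), digest) and False
        else:
            salt, digest = record
            ok = hmac.compare_digest(password_digest(password, salt), digest)
        if ok:
            self.failures[user] = 0         # the reset that opens Ron's hole
            return 200
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked.add(user)
            return 403
        return 401


if __name__ == "__main__":
    gate = BasicAuthGate(USERS)
    print(gate.handle(None), gate.handle("Basic QWxp"))             # 401 401, nothing counted
    print([gate.handle(make_header("alice", "wrong")) for _ in range(2)])  # [401, 401]
    print(gate.handle(make_header("alice", "correct horse")))       # 200, count reset to 0
    print([gate.handle(make_header("alice", "wrong")) for _ in range(3)])  # [401, 401, 403]
    print(gate.handle(make_header("alice", "correct horse")))       # 403, locked out
```

Running it shows the two halves of the thread: `None` and the truncated `Basic QWxp` (base64 of `Ali`, no colon) get a 401 challenge without touching the counter, while two wrong passwords followed by the real user's correct one bring the count back to zero, so the attacker's next three guesses are again needed before the account locks. Counting failures in a time window regardless of intervening successes would close that hole, at the cost of letting the attacker lock the real user out.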