views:

47

answers:

2

Is there a commonly accepted pattern (or class library, or etc.) for throttling certain form submissions for PHP MVC applications? I'm specifically thinking of the scenario where someone is running a dictionary attack against one of your login forms, and you want to block them after X requests in Y seconds, or if a certain pattern of requests is detected.

Specific questions:

Do any frameworks come with this functionality built in? If not, what's a common way of implementing this in a web based, PHP MVC architecture?

Is this something that should be handled at the application layer, or should the web server itself be dealing with this kind of malfeasance?

I can think of a number of ways to implement this, but it seems like the kind of things all applications should have, and therefore a general solution should already exist.

+1  A: 

I don't know about formal patterns, but break-in prevention has several standard techniques:

  • In response to an unsuccessful login attempt, delay several seconds before any response. This puts a lid on the rate of break ins.
  • Don't punish a local account—punish any host making a series of break in attempts. Stop offering a login prompt after 3 or 4 sequential failures no matter which account is targeted.
  • Maybe invoke captcha under some circumstances, like in a financial system.

I don't know of any built-in application solutions, but certainly the building blocks are all there, easily assembled, and highly debatable if it is appropriate to invoke them.

wallyk
A: 

There is some more info on this [here][1]. You might also want to add a captcha to the form just to make it a bit for difficult.

[1]: http://stackoverflow.com/questions/2090910/how-can-i-throttle-user-login-attempts-in-php## Heading ##

KSS