any other earlier versions than 1.8 available?

Discussion related to the Open ID Provider Server written and published by Packetizer.
dimkar
Posts: 3
Joined: Thu Jul 05, 2012 6:42 am

any other earlier versions than 1.8 available?

Post by dimkar » Thu Jul 05, 2012 6:53 am

Hi paulej

Congratulations for the implementation of the openid server, the only one that really works!!

I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.

Another interesting feature would be to allow a user to try n (say 3) times on logon process.


thanks in advance,
Dimitrios

My previous post was held for approval or gone?

paulej
Posts: 515
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: any other earlier versions than 1.8 available?

Post by paulej » Thu Jul 05, 2012 3:50 pm

dimkar wrote: Hi paulej

Congratulations for the implementation of the openid server, the only one that really works!!

Thanks! Glad you like it. :-)

dimkar wrote: I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.

I have not personally done any work on the server, but a new open source project was forked from the code I originally wrote:
http://sourceforge.net/projects/openidserver/

dimkar wrote: Another interesting feature would be to allow a user to try n (say 3) times on logon process.

I think it allows the user to try repeatedly. You want to limit the number of tries? The cancel button allows the user to escape anytime.

dimkar wrote: My previous post was held for approval or gone?

It is deleted now :-) A few of us approve new postings from new people to keep spam down on the site.

dimkar
Posts: 3
Joined: Thu Jul 05, 2012 6:42 am

Re: any other earlier versions than 1.8 available?

Post by dimkar » Mon Jul 09, 2012 10:08 am

Hi paulej
thanks for the reply

Actually, I do mean for the system itself to allow the user to try n times in the logon process, and not repeatedly, to avoid fake login bots or DoS attacks.

thanks
Dimitrios

paulej
Posts: 515
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: any other earlier versions than 1.8 available?

Post by paulej » Tue Jul 10, 2012 4:43 am

That might be useful, but the challenge is coming up with a mechanism that works.

For example, we could not simply use cookies to keep a count, since a hacker would not return that cookie.

We could try to keep a count by IP address, but distributed bot nets would be able to use a bunch of addresses. Also, we would not want to lock out any address for an inordinate amount of time, since a person might make a mistake and enter the wrong password n times. (I probably would.)

We could put in some artificial delay for failed logins, but attackers can detect this and immediately send another request.

I can see ways to try to thwart attackers, but I can find ways attackers can get around it. So, I'm not sure if a good solution exists. I do know I don't have time to try to prevent it. :-)

People try to get into my machines using SSH attacks all the time. I cannot prevent them, but I do monitor the activity and I block IP addresses if somebody tries more than a certain number of times and fails. If I saw my OpenID server attacked, I would do the same thing. It's not clear where the abuse prevention code should reside, but I'd personally run it outside, because I will block subsequent requests before they even hit the web server.
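
The approach described in the post above (count failed logins per address, block temporarily, and do it outside the web server), as an added example that is not part of the original thread or of Packetizer's code. The log line format, the `scan` function and its thresholds are assumptions; the per-account check goes beyond the post to cover the distributed case it raises.

```python
"""Failed-login monitor meant to run outside the web server (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not the OpenID server's own.
SAMPLE_LOG = """\
2012-07-10T04:00:00 203.0.113.7 LOGIN_FAIL user=alice
2012-07-10T04:00:05 203.0.113.7 LOGIN_FAIL user=alice
2012-07-10T04:00:09 203.0.113.7 LOGIN_FAIL user=alice
2012-07-10T04:01:00 198.51.100.1 LOGIN_FAIL user=bob
2012-07-10T04:01:10 198.51.100.2 LOGIN_FAIL user=bob
2012-07-10T04:01:20 198.51.100.3 LOGIN_FAIL user=bob
2012-07-10T04:02:00 192.0.2.10 LOGIN_FAIL user=carol
2012-07-10T04:30:00 192.0.2.10 LOGIN_FAIL user=carol
2012-07-10T04:30:30 192.0.2.10 LOGIN_OK user=carol
""".splitlines()


def scan(lines, max_failures=3, window=timedelta(minutes=10), ban=timedelta(minutes=15)):
    """Return (ip_bans, flagged_users).

    ip_bans maps an address to the time its temporary block expires.
    flagged_users holds accounts that failed from max_failures distinct
    addresses inside the window, which per-address counting alone misses.
    """
    by_ip = defaultdict(deque)      # ip -> timestamps of recent failures
    by_user = defaultdict(deque)    # user -> (timestamp, ip) of recent failures
    ip_bans, flagged_users = {}, set()
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "LOGIN_FAIL" or not parts[3].startswith("user="):
            continue                # only well-formed failure lines are counted
        ts, ip, user = datetime.fromisoformat(parts[0]), parts[1], parts[3][5:]
        by_ip[ip].append(ts)
        by_user[user].append((ts, ip))
        while by_ip[ip][0] < ts - window:          # forget failures older than the window
            by_ip[ip].popleft()
        while by_user[user][0][0] < ts - window:
            by_user[user].popleft()
        if len(by_ip[ip]) >= max_failures:
            ip_bans[ip] = ts + ban                 # temporary, so a mistyping user recovers
        if len({addr for _, addr in by_user[user]}) >= max_failures:
            flagged_users.add(user)
    return ip_bans, flagged_users
```

The returned `ip_bans` would feed whatever does the blocking in front of the web server (a firewall rule set, for instance); flagged accounts need a different response, such as alerting, because no single address crossed the threshold.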

dimkar
Posts: 3
Joined: Thu Jul 05, 2012 6:42 am

Re: any other earlier versions than 1.8 available?

Post by dimkar » Tue Jul 10, 2012 5:44 am

You are probably right.... maybe outside the DMZ...on the firewall place.

Anyways thanks for the good product.
