any other earlier versions than 1.8 available?

Discussion related to the Open ID Provider Server written and published by Packetizer.
dimkar
Posts: 3
Joined: Thu Jul 05, 2012 6:42 am

any other earlier versions than 1.8 available?

Post by dimkar » Thu Jul 05, 2012 6:53 am

Hi paulej

Congratulations for the implementation of the openid server, the only one that really works!!

I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.

Another interesting feature would be to allow a user to try n (say 3) times on logon process.


thanks in advance,
Dimitrios

.my previous post was held for approval or gone?

paulej
Posts: 487
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: any other earlier versions than 1.8 available?

Post by paulej » Thu Jul 05, 2012 3:50 pm

dimkar wrote: Hi paulej

Congratulations for the implementation of the openid server, the only one that really works!!

Thanks! Glad you like it. :-)

dimkar wrote: I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.

I have not personally done any work on the server, but a new open source project was forked from the code I originally wrote:
http://sourceforge.net/projects/openidserver/

dimkar wrote: Another interesting feature would be to allow a user to try n (say 3) times on logon process.

I think it allows the user to try repeatedly. You want to limit the number of tries? The cancel button allows the user to escape anytime.

dimkar wrote: .my previous post was held for approval or gone?

It is deleted now :-) A few of us approve new postings from new people to keep spam down on the site.

dimkar
Posts: 3
Joined: Thu Jul 05, 2012 6:42 am

Re: any other earlier versions than 1.8 available?

Post by dimkar » Mon Jul 09, 2012 10:08 am

Hi paulej
thanks for the reply

Actually I do mean the system itself to allow the user to try n times on the logon process and not repeatedly to avoid fake login bots or dos attacks.

thanks
Dimitrios

paulej
Posts: 487
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: any other earlier versions than 1.8 available?

Post by paulej » Tue Jul 10, 2012 4:43 am

That might be useful, but the challenge is coming up with a mechanism that works.

For example, we could not simply use cookies to keep a count, since a hacker would not return that cookie.

We could try to keep a count by IP address, but distributed bot nets would be able to use a bunch of addresses. Also, we would not want to lock out any address for an inordinate amount of time, since a person might make a mistake and enter the wrong password n times. (I probably would.)

We could put in some artificial delay for failed logins, but attackers can detect this and immediately send another request.

I can see ways to try to thwart attackers, but I can find ways attackers can get around it. So, I'm not sure if a good solution exists. I do know I don't have time to try to prevent it. :-)

People try to get into my machines using SSH attacks all the time. I cannot prevent them, but I do monitor the activity and I block IP addresses if somebody tries more than a certain number of times and fails. If I saw my OpenID server attacked, I would do the same thing. It's not clear where the abuse prevention code should reside, but I'd personally run it outside, because I will block subsequent requests before they even hit the web server.
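
The approach described in the post above (count failed logins per address, block after a threshold, and let the block expire so a mistyping user is not locked out for long) can be sketched as follows. This is an added example, not code from the Packetizer server or from either poster; the log format, the thresholds and the `evaluate` function are assumptions, and because it keys on the address alone, the botnet caveat raised in the post still applies.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                    # the "n" from the thread (assumed value)
WINDOW = timedelta(minutes=5)       # assumed: only failures this recent count
BLOCK_FOR = timedelta(minutes=15)   # assumed: block is temporary and expires

# Constructed sample input: timestamp, client address, login outcome.
# Each line is treated as an incoming request in arrival order.
SAMPLE_LOG = """\
2012-07-10T04:00:00 203.0.113.7 LOGIN_FAIL
2012-07-10T04:00:20 203.0.113.7 LOGIN_FAIL
2012-07-10T04:00:30 198.51.100.4 LOGIN_FAIL
2012-07-10T04:00:40 203.0.113.7 LOGIN_FAIL
2012-07-10T04:01:00 203.0.113.7 LOGIN_FAIL
2012-07-10T04:02:00 198.51.100.4 LOGIN_OK
2012-07-10T04:20:00 203.0.113.7 LOGIN_OK
"""

def evaluate(log_text):
    """Return (decisions, blocks): an allow/drop verdict per request and
    the (address, timestamp) pairs at which a block was started."""
    failures = defaultdict(deque)   # address -> times of recent failures
    blocked_until = {}              # address -> time the block expires
    decisions, blocks = [], []
    for line in log_text.splitlines():
        stamp, addr, event = line.split()
        now = datetime.fromisoformat(stamp)
        if addr in blocked_until and now < blocked_until[addr]:
            decisions.append((addr, "drop"))   # rejected before the login page
            continue
        blocked_until.pop(addr, None)          # block (if any) has expired
        decisions.append((addr, "allow"))
        if event == "LOGIN_OK":
            failures[addr].clear()             # success resets the count
            continue
        recent = failures[addr]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                   # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            blocked_until[addr] = now + BLOCK_FOR
            blocks.append((addr, stamp))
            recent.clear()
    return decisions, blocks
```
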

dimkar
Posts: 3
Joined: Thu Jul 05, 2012 6:42 am

Re: any other earlier versions than 1.8 available?

Post by dimkar » Tue Jul 10, 2012 5:44 am

You are probably right.... maybe outside the DMZ...on the firewall place.

Anyways thanks for the good product.
