any other earlier versions than 1.8 available?
Posted: Thu Jul 05, 2012 6:53 am
by dimkar
Hi paulej
Congratulations for the implementation of the openid server, the only one that really works!!
I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.
Another interesting feature would be to allow a user to try n (say 3) times on logon process.
thanks in advance,
Dimitrios
My previous post was held for approval or gone?
Re: any other earlier versions than 1.8 available?
Posted: Thu Jul 05, 2012 3:50 pm
by paulej
dimkar wrote:
Hi paulej
Congratulations for the implementation of the openid server, the only one that really works!!
Thanks! Glad you like it.
dimkar wrote:
I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.
I have not personally done any work on the server, but a new open source project was forked from the code I originally wrote:
http://sourceforge.net/projects/openidserver/
dimkar wrote:
Another interesting feature would be to allow a user to try n (say 3) times on logon process.
I think it allows the user to try repeatedly. You want to limit the number of tries? The cancel button allows the user to escape anytime.
dimkar wrote:
My previous post was held for approval or gone?
It is deleted now.
A few of us approve new postings from new people to keep spam down on the site.
Re: any other earlier versions than 1.8 available?
Posted: Mon Jul 09, 2012 10:08 am
by dimkar
Hi paulej
thanks for the reply
Actually, I do mean the system itself allowing the user to try n times on the logon process, and not repeatedly, to avoid fake login bots or DoS attacks.
thanks
Dimitrios
Re: any other earlier versions than 1.8 available?
Posted: Tue Jul 10, 2012 4:43 am
by paulej
That might be useful, but the challenge is coming up with a mechanism that works.
For example, we could not simply use cookies to keep a count, since a hacker would not return that cookie.
We could try to keep a count by IP address, but distributed bot nets would be able to use a bunch of addresses. Also, we would not want to lock out any address for an inordinate amount of time, since a person might make a mistake and enter the wrong password n times. (I probably would.)
We could put in some artificial delay for failed logins, but attackers can detect this and immediately send another request.
I can see ways to try to thwart attackers, but I can find ways attackers can get around it. So, I'm not sure if a good solution exists. I do know I don't have time to try to prevent it.
People try to get into my machines using SSH attacks all the time. I cannot prevent them, but I do monitor the activity and I block IP addresses if somebody tries more than a certain number of times and fails. If I saw my OpenID server attacked, I would do the same thing. It's not clear where the abuse prevention code should reside, but I'd personally run it outside, because I will block subsequent requests before they even hit the web server.
Re: any other earlier versions than 1.8 available?
Posted: Tue Jul 10, 2012 5:44 am
by dimkar
You are probably right... maybe outside the DMZ, on the firewall.
Anyways thanks for the good product.