
any ideas for implementing the lockout

 
ravi koli
Greenhorn
Hi,
Does anyone have any ideas for implementing a lockout after a user attempts a number of times to guess a user login/password? I am having a hard time deciding whether to put it in the database vs. the application context vs. some server cache which is available in WebSphere.

Any ideas?
 
Bear Bibeault
Author and ninkuma
Marshal
"techie junction", please check your private messages for an important administrative matter.
 
Bear Bibeault
Author and ninkuma
Marshal
Without any requirements, how can we advise?

Does the lockout need to survive across server restarts, for example?
 
ravi koli
Greenhorn
Yes, the lockouts need to survive across server restarts.
 
ravi koli
Greenhorn
Does anyone have an idea of what security policies are good? Locking out a customer for an hour on unsuccessful login attempts, or locking them permanently until they call customer service to unlock it?
 
Jeanne Boyarsky
author & internet detective
Marshal
ravi koli wrote: Yes, the lockouts need to survive across server restarts.

Then you have to use the database since you want it to persist.
 
Jeanne Boyarsky
author & internet detective
Marshal
ravi koli wrote: Does anyone have an idea of what security policies are good? Locking out a customer for an hour on unsuccessful login attempts, or locking them permanently until they call customer service to unlock it?

It depends on your business needs and what kind of site. For a bank, you'd want them to call. For a less important website, you might go by time. Another idea is a stepped mechanism: 3 wrong answers = 1 hour wait; 3 more wrong = 2 hour wait; 3 more wrong = 4 hour wait, etc.
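As an added illustration of the stepped mechanism described above (example code, not from this thread or from WebSphere), here is the doubling schedule written out. It assumes a `HashMap` as a stand-in for the database table that would hold the per-account row so the lockout survives restarts; the constants, class and method names are all assumed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/** Stepped lockout: every 3 consecutive failures locks the account, doubling the wait each step. */
public class SteppedLockout {
    static final int FAILURES_PER_STEP = 3;
    static final Duration BASE_WAIT = Duration.ofHours(1);
    static final int MAX_DOUBLINGS = 10; // caps the wait at 1024h so the shift below cannot overflow

    /** Per-account record. In production this is a database row so it survives restarts (assumption). */
    static class LoginState {
        int failures;        // consecutive failed attempts since the last success
        Instant lockedUntil; // null when the account is not locked
    }

    private final Map<String, LoginState> store = new HashMap<>(); // stand-in for the database table

    private LoginState stateOf(String user) {
        return store.computeIfAbsent(user, u -> new LoginState());
    }

    /** True while the account is inside a lockout window; the caller should reject the attempt without counting it. */
    public boolean isLocked(String user, Instant now) {
        LoginState s = stateOf(user);
        return s.lockedUntil != null && now.isBefore(s.lockedUntil);
    }

    /** Called after a wrong password; returns the lockout end if this failure completed a step, else null. */
    public Instant recordFailure(String user, Instant now) {
        LoginState s = stateOf(user);
        s.failures++;
        if (s.failures % FAILURES_PER_STEP != 0) return null;
        int step = s.failures / FAILURES_PER_STEP;            // 1, 2, 3, ...
        int doublings = Math.min(step - 1, MAX_DOUBLINGS);
        s.lockedUntil = now.plus(BASE_WAIT.multipliedBy(1L << doublings)); // 1h, 2h, 4h, ...
        return s.lockedUntil;
    }

    /** A correct password (outside a lockout window) clears the counter. */
    public void recordSuccess(String user) {
        store.remove(user);
    }

    public static void main(String[] args) {
        SteppedLockout policy = new SteppedLockout();
        Instant t = Instant.parse("2024-01-01T00:00:00Z"); // constructed timestamp for the demo
        for (int i = 1; i <= 9; i++) {                        // 9 straight failures: lock at 3, 6 and 9
            Instant until = policy.recordFailure("alice", t);
            if (until != null) System.out.println("failure " + i + ": locked until " + until);
        }
    }
}
```

The demo feeds nine failures at the same instant purely to show the 1h, 2h, 4h schedule; a real login handler would call `isLocked` first and skip `recordFailure` while the window is open.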
 
ravi koli
Greenhorn
Jeanne Boyarsky wrote:
ravi koli wrote: Does anyone have an idea of what security policies are good? Locking out a customer for an hour on unsuccessful login attempts, or locking them permanently until they call customer service to unlock it?

It depends on your business needs and what kind of site. For a bank, you'd want them to call. For a less important website, you might go by time. Another idea is a stepped mechanism: 3 wrong answers = 1 hour wait; 3 more wrong = 2 hour wait; 3 more wrong = 4 hour wait, etc.

Thanks Jeanne!!!
 