30.11.07

PHP: sleep - Manual

PHP: sleep - Manual: "Regarding the use of sleep to discourage crackers, there is an alternative that could be used. Derived from the 'HTTP Digest Access Authentication' concept at http://www.faqs.org/rfcs/rfc2617.html under chapter '3 Digest Access Authentication Scheme'. For every time the login page is requested, have the server generate and remember a nonce and attach it to the login form. When the form comes back with that nonce, check if the nonce received matches the one in memory. If yes, continue the login process, otherwise reject the login attempt. Throw away the nonce after one use. Brute-force cracking won't be an option in this case, because the hacker/cracker must download the login page for every attempt to try a password. And this will also neatly sidestep a possible weakness via the use of 'sleep' to DoS attacks."
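The scheme the quoted comment describes, written out as an added PHP example; this is not code from the PHP manual or from the comment's author. It generates a nonce when the login form is served, remembers it server-side, and discards it on the first submission that carries it, so a nonce can never be used twice. The function names, the session key `login_nonce`, the 5-minute lifetime and the choice to keep the nonce in `$_SESSION` (the comment only says "in memory") are assumptions made here.

```php
<?php
// Added example, not code from the PHP manual or from the quoted comment.
// Implements the one-time login-form nonce the comment describes.  The
// function names, the session key and the 5-minute lifetime are assumptions.

declare(strict_types=1);

const LOGIN_NONCE_KEY = 'login_nonce'; // session key (arbitrary name)
const LOGIN_NONCE_TTL = 300;           // seconds a nonce stays valid (assumption)

/**
 * Generate a fresh nonce, remember it (with its issue time) in $store,
 * and return it for embedding in the login form as a hidden field.
 * In a real handler $store is $_SESSION; it is passed by reference here
 * so the logic can also be exercised against a plain array.
 */
function issue_login_nonce(array &$store): string
{
    $nonce = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $store[LOGIN_NONCE_KEY] = ['value' => $nonce, 'issued' => time()];
    return $nonce;
}

/**
 * Check the nonce that came back with the form.  The stored nonce is
 * discarded before the result is returned, so every nonce is accepted at
 * most once; a missing, expired or mismatched nonce is rejected.
 */
function consume_login_nonce(array &$store, ?string $submitted): bool
{
    $saved = $store[LOGIN_NONCE_KEY] ?? null;
    unset($store[LOGIN_NONCE_KEY]); // single use, whether or not it matches

    if ($saved === null || $submitted === null) {
        return false;
    }
    if (time() - $saved['issued'] > LOGIN_NONCE_TTL) {
        return false; // expired: the form was left open too long
    }
    // hash_equals() compares in constant time so the nonce is not leaked
    // through timing differences.
    return hash_equals($saved['value'], $submitted);
}

// Request handling sketch:
//   GET  /login:  $n = issue_login_nonce($_SESSION);
//                 echo '<input type="hidden" name="nonce" value="'
//                    . htmlspecialchars($n, ENT_QUOTES) . '">';
//   POST /login:  if (!consume_login_nonce($_SESSION, $_POST['nonce'] ?? null)) {
//                     http_response_code(400);
//                     exit('Stale or missing form token');
//                 }
//                 // only now verify username/password (with rate limiting)

// Self-check against a constructed in-memory store instead of $_SESSION.
if (PHP_SAPI === 'cli') {
    $check = function (bool $ok, string $what): void {
        if (!$ok) {
            fwrite(STDERR, "FAILED: $what\n");
            exit(1);
        }
    };
    $session = [];
    $n = issue_login_nonce($session);
    $check(consume_login_nonce($session, $n) === true, 'first use accepted');
    $check(consume_login_nonce($session, $n) === false, 'replay rejected');
    issue_login_nonce($session);
    $check(consume_login_nonce($session, 'not-the-nonce') === false, 'wrong nonce rejected');
    $check(consume_login_nonce($session, null) === false, 'missing nonce rejected');
    echo "nonce checks passed\n";
}
```

Run with `php nonce.php` to exercise the self-check. Two points worth keeping in mind when deploying this: the nonce is discarded before the password is checked, so a failed login always costs the client a fresh GET of the form, which is the property the comment is after, and it also functions as a per-form anti-CSRF token. It does not by itself cap how many guesses a client can make per minute, so it belongs alongside rate limiting or account lockout rather than in place of them.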
