device cookie lockout list storage advice? #885

Open
@unusualevent

On the device cookies idea: https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies

How would you store the lockout list entries?

The individual entries expire, no?

Plus you might want a quick reference to "device cookie" -> banned(bool), or "IP" -> limited(bool), or "username" -> limited(bool)

Is it meant to be stored as an in-memory KV? Or stored in Redis for clustering?

What would an ideal table layout be?

unusualevent commented on Aug 31, 2024

Or really, it would be nice for there to be a code example. Which routes should have which methods, for example?
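One possible shape for the lockout list asked about above, as an added example that is not part of the issue thread or of OWASP's own material: an in-memory store with one expiring entry per `(kind, value)` key, covering the device cookie, IP and username lookups. The class name, key labels, threshold and window are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class LockoutList:
    """Expiring lockout entries keyed by (kind, value), e.g. ("ip", "203.0.113.7")."""

    def __init__(self, max_failures=5, window=900.0, clock=time.monotonic):
        self.max_failures = max_failures  # assumed threshold, not from the issue
        self.window = window              # assumed: counting window and lockout length, seconds
        self.clock = clock                # injectable so expiry can be tested
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the entry expires

    def is_locked(self, kind, value):
        """O(1) lookup; an expired entry is dropped on read."""
        key = (kind, value)
        expiry = self._locked_until.get(key)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self._locked_until[key]
            return False
        return True

    def record_failure(self, kind, value):
        """Count a failed login for this key; lock it once the window fills up."""
        key = (kind, value)
        now = self.clock()
        recent = self._failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.window
            del self._failures[key]  # counting restarts after the lockout
        return self.is_locked(kind, value)


if __name__ == "__main__":
    fake_now = [0.0]  # constructed clock so the demo runs instantly
    lockouts = LockoutList(max_failures=3, window=60.0, clock=lambda: fake_now[0])
    for _ in range(3):
        lockouts.record_failure("device_cookie", "cookie-id-1")  # constructed id
    print(lockouts.is_locked("device_cookie", "cookie-id-1"))  # True
    fake_now[0] = 60.0
    print(lockouts.is_locked("device_cookie", "cookie-id-1"))  # False
```

Keys that never reach the threshold stay in `_failures` until their next failure, so a long-running process needs a periodic sweep. In a clustered deployment the same two maps correspond to keys with a TTL in a shared store such as Redis.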
