You are calling sleep(). I enabled this on my site (which I already knew was being hit by a brute-force attack) and my site is unusable! There must be a better way that you can handle slowing/aborting/etc. login attempts than stopping the whole thread. In your FAQ you say you are mitigating DOS by not hitting the db, but you are causing DOS!
I will be switching to Limit Login Attempts for now.
FYI: You might want to check out Hashcash. You would introduce a JavaScript dependency but that is a no-brainer these days. It would allow you to slow down requests as you desire but only impact the client-side. It is a great solution that I have used in scenarios such as this.
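The Hashcash approach mentioned in the post, as an added example that is not part of the original post or of any plugin's code: the server issues a signed challenge, the client spends CPU finding a counter, and the server checks it with one HMAC and one hash instead of calling sleep(). The function names, the 2-minute lifetime and the SHA-256 leading-zero-bits rule are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not from any plugin.
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32); // constructed per-process secret
const MAX_AGE_MS = 2 * 60 * 1000;          // assumed challenge lifetime

const sign = (payload) =>
  crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('hex');

// Server: issue a stateless challenge "bits:issuedAt:nonce:mac".
function issueChallenge(bits, now = Date.now()) {
  const payload = `${bits}:${now}:${crypto.randomBytes(8).toString('hex')}`;
  return `${payload}:${sign(payload)}`;
}

// Number of leading zero bits in a digest.
function leadingZeroBits(buf) {
  let n = 0;
  for (const byte of buf) {
    if (byte !== 0) return n + Math.clz32(byte) - 24;
    n += 8;
  }
  return n;
}

const work = (challenge, counter) => leadingZeroBits(
  crypto.createHash('sha256').update(`${challenge}:${counter}`).digest());

// Client: search for a counter; each extra bit doubles the expected cost.
function solve(challenge) {
  const bits = Number(challenge.split(':')[0]);
  let counter = 0;
  while (work(challenge, counter) < bits) counter++;
  return counter;
}

// Server: reject forged, expired or unsolved challenges without blocking.
function verify(challenge, counter, now = Date.now()) {
  const parts = String(challenge).split(':');
  if (parts.length !== 4) return false;
  const [bits, issued, nonce, mac] = parts;
  const a = Buffer.from(mac), b = Buffer.from(sign(`${bits}:${issued}:${nonce}`));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
  if (now - Number(issued) > MAX_AGE_MS) return false;
  return Number.isInteger(counter) && work(challenge, counter) >= Number(bits);
}
```

A solved challenge stays valid until it expires, so a deployment would also need to record used nonces to stop replay within that window.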