
Is there a commonly accepted pattern (or class library, or etc.) for throttling certain form submissions for PHP MVC applications? I'm specifically thinking of the scenario where someone is running a dictionary attack against one of your login forms, and you want to block them after X requests in Y seconds, or if a certain pattern of requests is detected.

Specific questions:

Do any frameworks come with this functionality built in? If not, what's a common way of implementing this in a web based, PHP MVC architecture?

Is this something that should be handled at the application layer, or should the web server itself be dealing with this kind of malfeasance?

I can think of a number of ways to implement this, but it seems like the kind of thing all applications should have, and therefore a general solution should already exist.

Alana Storm
  • 164,128
  • 91
  • 395
  • 599

1 Answer

1

I don't know about formal patterns, but break-in prevention has several standard techniques:

  • In response to an unsuccessful login attempt, delay several seconds before any response. This puts a lid on the rate of break-ins.
  • Don't punish a local account—punish any host making a series of break-in attempts. Stop offering a login prompt after 3 or 4 sequential failures no matter which account is targeted.
  • Maybe invoke captcha under some circumstances, like in a financial system.

I don't know of any built-in application solutions, but certainly the building blocks are all there, easily assembled, and highly debatable if it is appropriate to invoke them.

wallyk
  • 56,922
  • 16
  • 83
  • 148
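The first two techniques in the answer above (delay after a failed attempt, and stop offering a login prompt to a host after 3 or 4 sequential failures regardless of account), as an added example in PHP 8 that is not part of the question or the answer. The class name `LoginThrottle`, the controller function `handleLogin`, the host address and the limits are all assumptions chosen for illustration; the failure store is a plain in-memory array so the script runs offline, where a real deployment would back it with APCu, Redis or a database table shared across PHP workers.

```php
<?php
// Added example, not code from the question or the answer: per-host
// failed-login throttle. All names and thresholds are illustrative.
declare(strict_types=1);

final class LoginThrottle
{
    /** @var array<string, array{fails: int[], lockedUntil: int}> keyed by client host */
    private array $store = [];   // in-memory stand-in for APCu/Redis/DB

    public function __construct(
        private int $maxFailures = 4,      // "3 or 4 sequential failures"
        private int $windowSeconds = 600,  // failures counted inside this sliding window
        private int $lockoutSeconds = 900, // how long the host gets no login prompt
        private int $delaySeconds = 3,     // "delay several seconds" after a failure
    ) {}

    /** True when the host is locked out and should not be shown a login prompt. */
    public function isBlocked(string $host, ?int $now = null): bool
    {
        $now ??= time();
        return ($this->store[$host]['lockedUntil'] ?? 0) > $now;
    }

    /** Record a failure; returns the number of seconds the caller should wait before responding. */
    public function recordFailure(string $host, ?int $now = null): int
    {
        $now ??= time();
        $entry = $this->store[$host] ?? ['fails' => [], 'lockedUntil' => 0];
        // Forget failures that have aged out of the window.
        $entry['fails'] = array_values(array_filter(
            $entry['fails'],
            fn(int $t): bool => $t > $now - $this->windowSeconds
        ));
        $entry['fails'][] = $now;
        if (count($entry['fails']) >= $this->maxFailures) {
            $entry['lockedUntil'] = $now + $this->lockoutSeconds;
            $entry['fails'] = [];   // counter restarts after the lockout expires
        }
        $this->store[$host] = $entry;
        return $this->delaySeconds;
    }

    /** A successful login clears the host's failure history. */
    public function recordSuccess(string $host): void
    {
        unset($this->store[$host]);
    }

    public function failureCount(string $host): int
    {
        return count($this->store[$host]['fails'] ?? []);
    }
}

// Hypothetical login controller action showing where the throttle sits.
function handleLogin(LoginThrottle $throttle, string $host, bool $credentialsValid): string
{
    if ($throttle->isBlocked($host)) {
        return '429 Too Many Requests';   // no login form offered at all
    }
    if ($credentialsValid) {
        $throttle->recordSuccess($host);
        return '200 OK';
    }
    $delay = $throttle->recordFailure($host);
    sleep($delay);                        // same slow, uninformative response for any failure
    return '401 Unauthorized';
}

// Constructed demo: five wrong passwords from one host, then a correct one.
$throttle = new LoginThrottle(maxFailures: 4, delaySeconds: 0); // delay 0 only so the demo runs quickly
$host = '198.51.100.7';                                          // constructed documentation address
foreach (range(1, 5) as $i) {
    echo "attempt $i: ", handleLogin($throttle, $host, false), PHP_EOL;
}
echo "correct password while locked: ", handleLogin($throttle, $host, true), PHP_EOL;
```

Two design points worth noting. The lockout is keyed by host, not by account, so a dictionary attack that rotates usernames still trips it, and a legitimate user is not locked out by a stranger hammering their account name. The `sleep()` implements the answer's delay but ties up a PHP worker for its duration, which is why, on the question of application versus web server, many deployments keep the lockout bookkeeping in the application and push the actual slowing or blocking of a host down to the web server or a reverse proxy, where it costs no application worker.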