Re: advanced Apache authorization: updates triggered by

From: Jan Wieck <JanWieck(at)Yahoo(dot)com>
To: holger(at)marzen(dot)de
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: advanced Apache authorization: updates triggered by
Date: 2002-09-17 15:35:27
Message-ID: 3D874BBF.52B49AB3@Yahoo.com
Lists: pgsql-general

Holger Marzen wrote:
>
> Hi boys (and girls)?
>
> Authorization to web contents can be easily done with some Apache
> modules like mod_auth_pgsql (I wrote a little summary some time ago on
> http://bluebell.marzen.de/mod_auth_pgsql/).
>
> But what if we need some kind of protection against brute force attacks?
> The modules are usually designed to do only selects. Is it possible to
> write some kind of magic that updates the same or another table at the
> same time?
>
> For every select there should automagically the following logic be
> triggered:
>
> - If userid/password is correct then set a counter for this userid to
> zero.
>
> - If userid/password is not correct then increment the counter for this
> userid.
>
> That should be enough because the password check could include something
> like "and counter <= 5".
>
> Any ideas?

Don't do the SELECT directly from the module, but call a stored
procedure instead that does the entire check and returns a
boolean. If this thing is called with enough information (not
only user and pass), it can do all kinds of things, like
restricting certain users to certain times, coming from specific
IP's, whatnot.

And a site administrator could relatively easily customize that
thing. All he needs is a bit of knowledge about PL/pgSQL - and who
hasn't?

Jan

--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck(at)Yahoo(dot)com #
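
The approach described in this thread, sketched as an added example that is not part of either message: a PL/pgSQL function performs the whole check, maintains the per-user failure counter, and returns a boolean. The table, column and function names are hypothetical, and the password comparison assumes hashes stored with pgcrypto's `crypt()` and the extension installed in the `public` schema.

```sql
-- Added example; web_users, failed_count and check_login are hypothetical names.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE web_users (
    userid        text PRIMARY KEY,
    pw_hash       text NOT NULL,           -- e.g. crypt('secret', gen_salt('bf'))
    failed_count  integer NOT NULL DEFAULT 0
);

CREATE OR REPLACE FUNCTION check_login(p_userid text, p_password text)
RETURNS boolean
LANGUAGE plpgsql
SECURITY DEFINER                   -- caller needs EXECUTE only, no table rights
SET search_path = public, pg_temp  -- pin name resolution for the definer context
AS $$
DECLARE
    u web_users%ROWTYPE;
BEGIN
    -- Lock the row so concurrent attempts cannot race past the limit.
    SELECT * INTO u FROM web_users WHERE userid = p_userid FOR UPDATE;
    IF NOT FOUND THEN
        RETURN false;
    END IF;

    -- The "and counter <= 5" condition: once exceeded, refuse without
    -- evaluating the password at all.
    IF u.failed_count > 5 THEN
        RETURN false;
    END IF;

    IF u.pw_hash = crypt(p_password, u.pw_hash) THEN
        -- Correct userid/password: set the counter to zero.
        UPDATE web_users SET failed_count = 0 WHERE userid = p_userid;
        RETURN true;
    END IF;

    -- Wrong password: increment the counter.
    UPDATE web_users SET failed_count = failed_count + 1
     WHERE userid = p_userid;
    RETURN false;
END;
$$;

-- Only the account used by the web server should be able to call it.
REVOKE ALL ON FUNCTION check_login(text, text) FROM PUBLIC;
```

A counter keyed only on the userid also lets anyone who knows a userid lock that account out, which is one reason to pass the function additional inputs such as the client IP, as the reply suggests.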
