Brute-force prevention for Authenticator?

Honza Kuchař

Hi guys!

Don't you thing that there sould be some support from framework for brute-force password guessing? E.g.: Block user account, etc.? Some callback should be called when that situation occurs? Surely I'm talking more about sandbox than about framework, because there is no default implementation of user authentication in framework.

What do you thing about that? Or should it be just in hands of programmer? I think every application that has user accounts must deal with this.

David Grudl

DDoS attack should be somehow solved on server layer, not application.

Honza Kuchař

Hmm, you are right. There should be some DDoS IP list managed by reverse proxy behind app server. Got it. Thanks!