django icon indicating copy to clipboard operation
django copied to clipboard

Published 20 hours ago verified publisher icon django

WIP Fixed #21289 -- Added rate limiting to AuthenticationForm

Open claudep opened this issue 3 years ago • 2 comments

TODO: add docs and tests

claudep avatar Jul 27 '20 10:07 claudep

How about this proposal?

Someone opens the login page. In addition to the visible fields username and password and the hidden field csrftoken we add another hidden field. This field contains the earliest (server-)timestamp a user might login, and lies in the near future, for instance now() + timedelta(seconds=5). That value is cryptographically signed.

In addition to this, we disable the submit button and add a small Javascript function which sets an interval corresponding to the mandatory login delay. After that interval expired, the submit button is enabled again.

A malicious client who bypasses the disabled button and attempts to submit the login for, will receive a HTTP response with an error code > 400.

What are the advantages?

  • Django doesn't have to store any state of users and/or IP addresses attempting to log in.
  • Django doesn't have to delay itself to throttle requests. This btw. is a DoS attack vector by blocking server threads.
  • We transfer responsibility for delaying login requests to the client – who can't bypass them.

jrief avatar Apr 05 '22 14:04 jrief

A malicious client who bypasses the disabled button and attempts to submit the login for, will receive a HTTP response with an error code > 400.

What prevents the attacker from taking a million signed tokens for +5s and using them then?

bluetech avatar Apr 05 '22 14:04 bluetech

Closing this, as I'm not sure I'll be able to bring something globally acceptable for all.

claudep avatar Dec 03 '22 15:12 claudep