django
django copied to clipboard
WIP Fixed #21289 -- Added rate limiting to AuthenticationForm
TODO: add docs and tests
How about this proposal?
Someone opens the login page. In addition to the visible fields username
and password
and the hidden field csrftoken
we add another hidden field. This field contains the earliest (server-)timestamp a user might login, and lies in the near future, for instance now() + timedelta(seconds=5)
. That value is cryptographically signed.
In addition to this, we disable the submit button and add a small Javascript function which sets an interval corresponding to the mandatory login delay. After that interval expired, the submit button is enabled again.
A malicious client who bypasses the disabled button and attempts to submit the login for, will receive a HTTP response with an error code > 400.
What are the advantages?
- Django doesn't have to store any state of users and/or IP addresses attempting to log in.
- Django doesn't have to delay itself to throttle requests. This btw. is a DoS attack vector by blocking server threads.
- We transfer responsibility for delaying login requests to the client – who can't bypass them.
A malicious client who bypasses the disabled button and attempts to submit the login for, will receive a HTTP response with an error code > 400.
What prevents the attacker from taking a million signed tokens for +5s and using them then?
Closing this, as I'm not sure I'll be able to bring something globally acceptable for all.