Home/ Questions/Q 1002787
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T07:52:43+00:00

I am working on a login section for a new project, which definitely requires

  • 0

I am working on a login section for a new project, which definitely requires user authentication.

The easiest way of doing that I assume would be using the http basic authentication. I implemented it fine on the Apache server, ssl was also intorudced to provide better security.

However, one thing concerns me, that it seems the basic authentication wouldn’t stop no matter how many times a user failed to provide a valid username/password crentential. It would just keep asking…

I reckon, since each time the web server receives the credential, it needs to go through the password file to look up whether a match exists or not, it takes a certain amount of server resources. My question is, would this be a security risk of having DoS attack by malicious users?

If so, how can I stop this? By adding some configuration/feature onto the Apache? Or just swap to some other authentication method? Digest Authencation?

Many thanks to the advices in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Step 1: Read this: http://en.wikipedia.org/wiki/Denial-of-service_attack#Prevention_and_response

    Step 2: Implement this. Create a set of counters indexed by IP address. Each failure from an IP address increases the counter. The counter is the sleep time — in seconds. 10 failed attempts means 10 seconds for the 401 response.

    • 0