roam/daily/2020-07-17.org
2021-09-01 16:57:39 -04:00

2020-07-17

Tracking login attempts without CSRF tokens

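| Date       | Hour | Login attempts without CSRF token |
|------------+------+-----------------------------------|
| 2020-07-16 |   17 |                                 6 |
| 2020-07-16 |   18 |                                38 |
| 2020-07-16 |   19 |                                48 |
| 2020-07-16 |   20 |                                31 |
| 2020-07-16 |   21 |                                27 |
| 2020-07-16 |   22 |                                31 |
| 2020-07-16 |   23 |                                24 |
| 2020-07-17 |   00 |                                26 |
| 2020-07-17 |   01 |                                20 |
| 2020-07-17 |   02 |                                26 |
| 2020-07-17 |   03 |                                27 |
| 2020-07-17 |   04 |                                21 |
| 2020-07-17 |   05 |                                26 |
| 2020-07-17 |   06 |                                34 |
| 2020-07-17 |   07 |                                34 |
| 2020-07-17 |   08 |                                34 |
| 2020-07-17 |   09 |                                36 |
| 2020-07-17 |   10 |                                49 |
| 2020-07-17 |   11 |                                34 |
| 2020-07-17 |   12 |                                53 |
| 2020-07-17 |   13 |                                36 |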

[Figure: login attempts without CSRF tokens]

Login attempts without CSRF tokens appear to be fairly stable, without much drop-off. Once we're comfortable with the frequency with which this occurs, we can apply this change to the Login Throttling code to mark login attempts without a token as invalid, rather than presenting the end-user with a CAPTCHA as we're doing now.
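A sketch of the two policies and of the hourly tally used to watch their impact, added here as an illustration and not taken from the Login Throttling code. The names `Decision`, `decide`, `token_missing`, `hourly_counts` and the attempt records are hypothetical; treating an empty or whitespace-only token as missing is an assumption.

```python
from collections import Counter
from datetime import datetime
from enum import Enum


class Decision(Enum):
    VALIDATE = "validate"  # token present: continue to normal CSRF/credential checks
    CAPTCHA = "captcha"    # current behaviour for a missing token
    INVALID = "invalid"    # planned behaviour for a missing token


def token_missing(submitted):
    """Assumption: None, empty and whitespace-only all count as 'no token'."""
    return submitted is None or not submitted.strip()


def decide(submitted, reject_missing):
    """reject_missing=False is today's policy, True is the planned one."""
    if not token_missing(submitted):
        return Decision.VALIDATE
    return Decision.INVALID if reject_missing else Decision.CAPTCHA


def hourly_counts(attempts):
    """Tally tokenless attempts as (date, hour, count) rows, like the table."""
    counts = Counter()
    for timestamp, submitted in attempts:
        if token_missing(submitted):
            t = datetime.fromisoformat(timestamp)
            counts[(t.date().isoformat(), t.hour)] += 1
    return sorted((d, h, n) for (d, h), n in counts.items())


# Constructed sample attempts: (timestamp, submitted CSRF token)
ATTEMPTS = [
    ("2020-07-16T17:02:10", "tok-a"),
    ("2020-07-16T17:15:44", None),
    ("2020-07-16T17:48:03", "   "),
    ("2020-07-16T18:05:30", ""),
    ("2020-07-16T18:20:00", "tok-e"),
]

if __name__ == "__main__":
    for row in hourly_counts(ATTEMPTS):
        print(*row)
    for _, token in ATTEMPTS:
        print(repr(token), decide(token, False).value, "->", decide(token, True).value)
```

Each row the tally produces is an attempt that would move from a CAPTCHA challenge to an outright rejection once `reject_missing` is switched on.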

Add captcha to login attempts without customer cookie