7 May
2005
7:24 p.m.
On 5/7/05, Tino Wildenhain <tino@wildenhain.de> wrote:
> Well, in theory it's possible, if the client accepts cookies, to just store the amount of wrong attempts via cookie (or id - which would be the same) and deny any password, be it even the correct one, when it comes via basic auth.

Store the incorrect login count client-side in a cookie?! No way! :)

> But I strongly believe this does not save from abuse because it's just too easy to remove the cookie or just not accept it in the first place. So I'd say it's not worth the work.

Yes, I think it would be a bad idea.

mark
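
The point made in this exchange, as an added Python example that is not part of the original thread: a failed-login counter kept in a cookie only limits clients that send the cookie back, while a counter kept on the server applies to every request. The function and class names, the threshold of 3, the 300-second window and the sample account are assumptions made for the illustration.

```python
import hmac
import time

MAX_FAILURES = 3        # assumed threshold
LOCKOUT_SECONDS = 300   # assumed lockout window
USERS = {"alice": "correct horse"}  # constructed; plaintext only to keep the demo short

def password_ok(user, password):
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)

def cookie_login(cookies, user, password):
    """Cookie scheme: the server trusts the 'fails' counter the client sends back."""
    fails = int(cookies.get("fails", "0"))
    if fails >= MAX_FAILURES:
        return False, cookies                  # denied, even with the right password
    if password_ok(user, password):
        return True, {}
    return False, {"fails": str(fails + 1)}    # Set-Cookie, which the client may drop

def passwords_checked(guesses, client_keeps_cookies):
    """How many guesses reach the password comparison under the cookie scheme."""
    cookies, checked = {}, 0
    for guess in guesses:
        if int(cookies.get("fails", "0")) < MAX_FAILURES:
            checked += 1
        _, new_cookies = cookie_login(cookies, "alice", guess)
        cookies = new_cookies if client_keeps_cookies else {}
    return checked

class ServerSideLimiter:
    """Failure counts held on the server, keyed by account name."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}   # user -> (count, time of last failure)

    def login(self, user, password):
        count, last = self.failures.get(user, (0, 0.0))
        if count >= MAX_FAILURES:
            if self.clock() - last < LOCKOUT_SECONDS:
                return False                   # locked: password is not even checked
            count = 0                          # lockout window has passed
        if password_ok(user, password):
            self.failures.pop(user, None)
            return True
        self.failures[user] = (count + 1, self.clock())
        return False
```

Keying the server-side count on the account name alone lets anyone lock a legitimate user out, so deployments often combine the account with the source address or use increasing delays instead of a hard lock.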