Custom Membership Provider for preventing DoS
Hours ago I had a chance to attend a session by one of my favourite speakers, who always speaks at the Middle East Developer Conference. My list of great speakers includes more world-class speakers, which is a subject I will talk about more later.
The speaker today was Patric Haynds, the CTO of CriticalSites, a Boston-based company focused mostly on security.
Anyway, Patric's session covered many tips and tricks for ASP.NET, but the part that caught my attention was the problem with the base membership provider's login policy. If the password is entered wrong, say, three times, you can configure the base membership provider to lock the user out of further attempts, or you can disable the lockout and let the user try as often as needed until he figures out what he is mistyping. This creates a problem either way. On the one hand, you can't leave the login process open to unlimited attempts, because anyone with enough time will eventually discover the password and gain access to the account. On the other hand, if you are smart enough to have the login process lock the user out after three failed attempts, that causes a different problem.
If you want to pester someone, you can easily take his username, navigate to the website, and enter his username with three wrong passwords to get him locked out. You can even write a script that does this every five minutes, so that the account never comes out of lockout, which creates a form of denial of service.
So what is the solution? As Patric describes it, you can either accept this fact or keep usernames secret. But you can always implement your own custom membership provider that, for instance, once it sees more than three failed attempts, expands the login question beyond the username and password, asking the user for the answer to his secret question or for something related to his account activity. The attacker who only knows the username cannot answer that, so he cannot lock the real user out, while the real user is never locked out either, only asked one more question.
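The following is an added example, not code from the talk or from the MSDN article it refers to. It is a stand-alone Python model of the two policies rather than a real ASP.NET `MembershipProvider` subclass: `LockoutProvider` models the base provider's lock-after-three-failures rule, and `StepUpProvider` models the custom provider that, after three failures, demands the secret answer as well instead of locking the account. The account, the attacker's guesses, the threshold of three and the PBKDF2 round count are all constructed for the example; the `validate_user` name is borrowed from the provider's `ValidateUser` method only as a hint and is an assumption of this sketch.

```python
"""Added example: lock-after-N-failures versus step-up-after-N-failures.
Not ASP.NET code; names, accounts and thresholds are illustrative."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 3   # "three wrong passwords", as described in the post
PBKDF2_ROUNDS = 20_000    # illustrative; pick a larger count in production


def _hash(value: str, salt: str) -> str:
    # One slow hash used for both the password and the secret answer.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt.encode(), PBKDF2_ROUNDS).hex()


@dataclass
class Account:
    username: str
    salt: str
    password_hash: str
    answer_hash: str
    failed_attempts: int = 0
    locked: bool = False


def make_account(username: str, password: str, secret_answer: str) -> Account:
    salt = secrets.token_hex(16)
    # Normalise the answer so "Boston" and " boston " compare equal.
    answer = secret_answer.strip().lower()
    return Account(username, salt, _hash(password, salt), _hash(answer, salt))


def _password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.password_hash)


def _answer_ok(acct: Account, answer: str) -> bool:
    return hmac.compare_digest(_hash(answer.strip().lower(), acct.salt), acct.answer_hash)


class LockoutProvider:
    """Base provider's policy: N wrong passwords lock the user out."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def validate_user(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return False
        if _password_ok(acct, password):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # anyone who knows the username can trigger this
        return False


class StepUpProvider:
    """Custom policy: after N failures, demand the secret answer too; never lock."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def validate_user(self, username: str, password: str,
                      secret_answer: Optional[str] = None) -> str:
        """Returns 'ok', 'denied', or 'challenge' (caller must now ask the secret question)."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            if secret_answer is None:
                return "challenge"
            if not _answer_ok(acct, secret_answer):
                acct.failed_attempts += 1
                return "denied"
        if _password_ok(acct, password):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        return "denied"


def lockout_dos_demo() -> dict:
    """Attacker sends three wrong passwords for 'alice'; can Alice still log in?"""
    provider = LockoutProvider([make_account("alice", "correct horse", "Boston")])
    attacker = [provider.validate_user("alice", f"guess{i}") for i in range(MAX_FAILED_ATTEMPTS)]
    return {"attacker_got_in": any(attacker),
            "alice_can_log_in": provider.validate_user("alice", "correct horse")}


def step_up_demo() -> dict:
    """Same attack against the step-up provider: Alice is asked one more question, not locked."""
    provider = StepUpProvider([make_account("alice", "correct horse", "Boston")])
    attacker = [provider.validate_user("alice", f"guess{i}") for i in range(MAX_FAILED_ATTEMPTS)]
    attacker_challenge = provider.validate_user("alice", "guess3")            # asked the question
    attacker_blind = provider.validate_user("alice", "guess4", "Chicago")    # wrong answer
    alice_challenge = provider.validate_user("alice", "correct horse")       # asked the question
    alice_login = provider.validate_user("alice", "correct horse", "boston")  # gets in
    return {"attacker_got_in": "ok" in attacker or attacker_blind == "ok",
            "attacker_challenge": attacker_challenge,
            "attacker_blind": attacker_blind,
            "alice_challenge": alice_challenge,
            "alice_login": alice_login}


if __name__ == "__main__":
    print("lockout:", lockout_dos_demo())
    print("step-up:", step_up_demo())
```

Two caveats a practitioner would add: the "challenge" response tells an attacker that the username exists, which is exactly why keeping usernames secret was offered as the alternative, and a secret answer is a low-entropy credential, so the step-up state should still be paired with a rate limit on the secret-question path rather than treated as a second password.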
What I liked is how the problem is simple, yet the solution is even simpler and efficient.
The full implementation of the custom membership provider that solves this problem will be published in MSDN Magazine late this month.