Hi all,
for a long time I am using mod_auth_pgsql for Apache 1.3. But I always
wished that I could limit the number of attempts, so no-one can try as
often as he wants to.
Unfortunately the author of mod_auth_pgsql didn't answer, so I had to do
it by myself. But I didn't want to make major changes in mod_auth_pgsql
because I had no experience in writing Apache modules. My approach was
as follows:
- Add a line in mod_auth_pgsql to write a row in the logging table even
if the password entered was wrong. The original module only logs
successful attempts.
- Write a function that increases a counter in the user table if the
password was wrong and sets the counter to 0 if the password was
correct.
- Set a trigger that executes that function whenever a row in the
logging table is inserted.
- Include the test for exceeded number of unsuccessful attempts in
.htaccess.
Oh, and I installed the crypto functions from contrib so I can store the
passwords in hashed form, and I added some enable/disable fields so a
user can temporary disabled without resetting his password or deleting
him.
Works fine. If anyone is interested, just email me for the scripts.
Holger
--
PGP/GPG Key-ID:
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1
