
Re: password policy - alternate lockout mechanism



Clowser, Jeff wrote:
> - Consider this example - the place I run into this most often is our
> Internet proxies, which are password protected.  There are many apps a
> user uses that connect through the proxy (which in turn auths against
> ldap) to get some kind of content or update.  Some of these (broken)
> apps provide users an option to save the password, and when they do (not
> that I recommend this behavior, but I can't stop them), they try
> repeatedly to get updates/content using the old password after a user
> changes their password.

I don't understand the problem: If the proxy is correctly implemented it
will only send exactly *one* authentication request to a user database
even if there are several parallel outstanding HTTP requests to be
served by the proxy. If your proxy does not serialize authentication
requests and then cache authentication state then fix your proxy.

Ciao, Michael.
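As an added illustration of the serialise-and-cache behaviour Michael describes (example code written for this thread, not taken from any proxy product or from the list): a per-user gate coalesces parallel requests and caches the outcome per credential, so twenty requests from an app replaying a stale saved password cost the directory exactly one bind and therefore one failed-login count. The `CountingDirectory` is a constructed stand-in for the LDAP backend; the TTL and the SHA-256 credential digest are assumptions, not anything from the thread.

```python
import hashlib
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class CountingDirectory:
    """Constructed stand-in for the LDAP backend: records bind attempts per user."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.binds = {}
        self._lock = threading.Lock()

    def bind(self, user, password):
        with self._lock:
            self.binds[user] = self.binds.get(user, 0) + 1
        return self.passwords.get(user) == password


class AuthGate:
    """Serialises authentication per user and caches each credential's outcome.

    Positive and negative results are both cached for `ttl` seconds, keyed by a
    digest of the password rather than the password itself (assumed design; a
    production proxy would use a keyed hash and bound the cache size).
    """

    def __init__(self, directory, ttl=300):
        self.directory, self.ttl = directory, ttl
        self._cache = {}            # (user, credential digest) -> (ok, expiry)
        self._locks = {}            # user -> Lock
        self._guard = threading.Lock()

    def _user_lock(self, user):
        with self._guard:
            return self._locks.setdefault(user, threading.Lock())

    def authenticate(self, user, password):
        key = (user, hashlib.sha256(password.encode()).hexdigest())
        with self._user_lock(user):          # one outstanding bind per user
            hit = self._cache.get(key)
            if hit and hit[1] > time.monotonic():
                return hit[0]                # replayed credential: no new bind
            ok = self.directory.bind(user, password)
            self._cache[key] = (ok, time.monotonic() + self.ttl)
            return ok


def simulate_stale_client(requests=20):
    """Constructed scenario: an app replays the old password in parallel."""
    directory = CountingDirectory({"jeff": "new-password"})
    gate = AuthGate(directory)
    with ThreadPoolExecutor(max_workers=8) as pool:
        results = list(pool.map(lambda _: gate.authenticate("jeff", "old-password"),
                                range(requests)))
    return results, directory.binds["jeff"]
```

Once the user re-enters the new password, its digest forms a different cache key, so the fresh credential is bound once and then served from cache as well.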