Re: password policy - alternate lockout mechanism
Clowser, Jeff wrote:
- Consider this example - the place I run into this most often is
our
Internet proxies, which are password protected. There are many apps a
user uses that connects through the proxy (which in turn auths against
ldap) to get some kind of content or update. Some of these (broken)
apps provide users an option to save the password, and when they do (not
that I recommend this behavior, but I can't stop them), it tries
repeatedly to get updates/content using the old password after a user
changes their password.
I don't understand the problem: If the proxy is correctly implemented it
will only send exactly *one* authentication request to a user database
even if there are several parallel outstanding HTTP requests to be
served by the proxy. If your proxy does not serialize authentication
requests and then cache authentication state then fix your proxy.
Ciao, Michael.