I've implemented a custom login in my zone extension following the examples. It works. My question is about what happens when the user password is incorrect.
I noticed on the client side, I get the login error thrown from the server with the error message pretty quickly. But the actual disconnect event that comes from the socket disconnecting doesn't happen until after some time (the server login timeout, which I left at default 30s).
Is this expected behavior? If so, doesn't this open up the server to DoS attacks? Make enough requests of the server with random passwords, and it'll eat up all of the server's socket connections since they don't get released for 30s? Is there a way in the custom extension to disconnect the socket connection sooner once it's detected they have the wrong password?
I do call disconnect from the client side to close the connection once I receive the login error. But malicious actors will not be nice about it.
Custom Login Failure Disconnect Time
Re: Custom Login Failure Disconnect Time
if you're worried about this kind of abuse you could shut down the connection immediately.
At the same time I am not sure if it's the best approach for legitimate users. If I typed my password incorrectly I'd like to get at least another chance before being kicked out.
In any case what you ask can be done by calling:

```java
getApi().disconnect(sessionObj);
```

where sessionObj is the session object passed in the Login event.
Cheers
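The following is an added example (not code from the thread or from the SmartFoxServer project) showing one way to combine the two points made in the reply: a legitimate user gets a couple of retries, but once a session reaches the failure limit the extension calls `getApi().disconnect(session)` itself instead of leaving the socket parked until the 30s login timeout. The `MAX_FAILED_LOGINS` limit, the `failedLogins` session property name and the in-memory `lookupPassword` store are constructed for the example; a real extension would read credentials from its own user store.

```java
import java.util.HashMap;
import java.util.Map;

import com.smartfoxserver.bitswarm.sessions.ISession;
import com.smartfoxserver.v2.core.ISFSEvent;
import com.smartfoxserver.v2.core.SFSEventParam;
import com.smartfoxserver.v2.core.SFSEventType;
import com.smartfoxserver.v2.exceptions.SFSErrorCode;
import com.smartfoxserver.v2.exceptions.SFSErrorData;
import com.smartfoxserver.v2.exceptions.SFSException;
import com.smartfoxserver.v2.exceptions.SFSLoginException;
import com.smartfoxserver.v2.extensions.BaseServerEventHandler;
import com.smartfoxserver.v2.extensions.SFSExtension;

// Zone extension that registers the fail-fast login handler (constructed example).
public class FailFastLoginExtension extends SFSExtension
{
    @Override
    public void init()
    {
        addEventHandler(SFSEventType.USER_LOGIN, FailFastLoginHandler.class);
    }

    /**
     * Counts bad-password attempts per session and drops the connection as soon
     * as the limit is reached, so the socket is released immediately rather than
     * after the server's login timeout expires.
     */
    public static class FailFastLoginHandler extends BaseServerEventHandler
    {
        // Assumed policy: two typos are tolerated, the third failure closes the socket.
        private static final int MAX_FAILED_LOGINS = 3;
        // Assumed session property name used to carry the counter between attempts.
        private static final String FAILED_LOGINS_KEY = "failedLogins";

        // Constructed stand-in for a real user store (never keep real passwords like this).
        private static final Map<String, String> USERS = new HashMap<>();
        static
        {
            USERS.put("alice", "correct-horse");
        }

        @Override
        public void handleServerEvent(ISFSEvent event) throws SFSException
        {
            ISession session = (ISession) event.getParameter(SFSEventParam.SESSION);
            String userName = (String) event.getParameter(SFSEventParam.LOGIN_NAME);
            String cryptedPass = (String) event.getParameter(SFSEventParam.LOGIN_PASSWORD);

            // checkSecurePassword() compares the client's hashed password with the stored one.
            String clearPass = lookupPassword(userName);
            boolean ok = clearPass != null
                && getApi().checkSecurePassword(session, clearPass, cryptedPass);

            if (ok)
            {
                session.removeProperty(FAILED_LOGINS_KEY);
                return; // let the login proceed normally
            }

            int failures = incrementFailures(session);
            SFSErrorData errData = new SFSErrorData(SFSErrorCode.LOGIN_BAD_PASSWORD);
            errData.addParameter(userName);

            if (failures >= MAX_FAILED_LOGINS)
            {
                trace("Closing session after " + failures + " failed logins from "
                    + session.getAddress());
                // Release the socket now instead of waiting for the login timeout.
                getApi().disconnect(session);
            }

            // The exception is what aborts the login and reports the error to the client.
            throw new SFSLoginException("Bad password for user " + userName, errData);
        }

        private int incrementFailures(ISession session)
        {
            Object prev = session.getProperty(FAILED_LOGINS_KEY);
            int failures = (prev instanceof Integer) ? (Integer) prev + 1 : 1;
            session.setProperty(FAILED_LOGINS_KEY, failures);
            return failures;
        }

        // Hypothetical lookup; replace with the extension's real credential source.
        private String lookupPassword(String userName)
        {
            return USERS.get(userName);
        }
    }
}
```

Two caveats worth keeping in mind. Because `disconnect()` runs before the exception propagates, the client may not receive the final error message on the attempt that closes the socket, which is acceptable for the abuse case but should be remembered when debugging a legitimate client. And a per-session counter only shortens how long each bad connection is held; an attacker can still open fresh connections, so this belongs alongside connection-level rate limiting at the network edge, which is outside what the extension can do.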