device cookie lockout list storage advice?
unusualevent opened this issue · comments
On the device cookies idea: https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies
How would you store the lockout list entries?
The individual entries expire, no?
Plus you might want a quick reference to "device cookie" -> banned(bool), or "IP" -> limited(bool), or "username" -> limited(bool).
Is it meant to be stored as an in-memory KV, or stored in Redis for clustering?
What would an ideal table layout be?
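
One possible shape for the expiring lockout entries asked about above, as an added example that is not part of the original issue or of OWASP's own code. It assumes a single-process, in-memory store; the names `LockoutStore`, `KINDS`, `lock`, `is_locked` and `purge` are hypothetical.

```python
import time
from typing import Callable, Dict, Tuple

Key = Tuple[str, str]  # (kind, value), e.g. ("username", "alice")
KINDS = {"device_cookie", "ip", "username"}  # the three lookups named in the issue


class LockoutStore:
    """Expiring lockout entries kept as key -> expiry time in seconds."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._expires_at: Dict[Key, float] = {}

    def lock(self, kind: str, value: str, ttl_seconds: float) -> None:
        if kind not in KINDS:
            raise ValueError(f"unknown lockout kind: {kind!r}")
        if ttl_seconds <= 0:
            raise ValueError("ttl_seconds must be positive")
        key = (kind, value)
        new_expiry = self._clock() + ttl_seconds
        # Never shorten an existing lockout when a shorter one is requested.
        self._expires_at[key] = max(new_expiry, self._expires_at.get(key, new_expiry))

    def is_locked(self, kind: str, value: str) -> bool:
        key = (kind, value)
        expiry = self._expires_at.get(key)
        if expiry is None:
            return False
        if expiry <= self._clock():
            del self._expires_at[key]  # lazy expiry on lookup
            return False
        return True

    def purge(self) -> int:
        """Drop all expired entries and return how many were removed."""
        now = self._clock()
        dead = [k for k, exp in self._expires_at.items() if exp <= now]
        for k in dead:
            del self._expires_at[k]
        return len(dead)
```

The same key-to-expiry shape carries over to a shared store: a key such as `lockout:username:alice` (constructed name) written with Redis `SET ... EX <seconds>` expires on its own, so the lookup becomes a plain existence check.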