Postpone response to the user


Lukasz Kuczera

May 19, 2012, 4:32:38 AM
to lif...@googlegroups.com
I'd like to delay the HTTP response sent to the user. The naive solution is to use Thread.sleep, but it will starve the application of threads. Is it possible to do it in a more graceful way?

David Pollak

May 19, 2012, 11:44:43 AM
to lif...@googlegroups.com
On Sat, May 19, 2012 at 1:32 AM, Lukasz Kuczera <kuk...@gmail.com> wrote:
I'd like to delay the HTTP response sent to the user. The naive solution is to use Thread.sleep, but it will starve the application of threads. Is it possible to do it in a more graceful way?

Are you talking about a full page load or a REST request?  Why the delay?
 

--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code



--
Visi.Pro, Cloud Computing for the Rest of Us http://visi.pro
Lift, the simply functional web framework http://liftweb.net


Lukasz Kuczera

May 19, 2012, 2:17:41 PM
to lif...@googlegroups.com
Well, both. I can solve my problem a different way, but I would like to know if that is possible in Lift and, if not, how that could be done. It sounds to me like some continuations stuff maybe, but I don't know how requests are handled that deeply.

OK, so our problem is to prevent spamming of our login page with requests. Some sites give a captcha after a few unsuccessful login attempts. I thought at first about a delay after a few. It should prevent it, but a captcha solution might be good here as well.

David Pollak

May 19, 2012, 4:01:18 PM
to lif...@googlegroups.com
On Sat, May 19, 2012 at 11:17 AM, Lukasz Kuczera <kuk...@gmail.com> wrote:
Well, both. I can solve my problem a different way, but I would like to know if that is possible in Lift and, if not, how that could be done. It sounds to me like some continuations stuff maybe, but I don't know how requests are handled that deeply.

OK, so our problem is to prevent spamming of our login page with requests. Some sites give a captcha after a few unsuccessful login attempts. I thought at first about a delay after a few. It should prevent it, but a captcha solution might be good here as well.

Just doing a Thread.sleep if you've got a bunch of failed logins should be fine.  Blocking 3 or 4 threads at once isn't going to cause issues.  Blocking 1,000 threads at a time with Thread.sleep could cause issues.
 



Łukasz Kuczera

May 19, 2012, 4:03:24 PM
to lif...@googlegroups.com
I'd expect a nasty user to do that. It would take our site down if launched properly, am I right?
Łukasz Kuczera

Sander Mak

May 19, 2012, 4:13:29 PM
to lif...@googlegroups.com
How about doing the delay client-side, by emitting some JavaScript using a long setTimeout() to make the page functional after many failed logins?
--
@Sander_Mak

David Pollak

May 19, 2012, 4:17:12 PM
to lif...@googlegroups.com
On Sat, May 19, 2012 at 1:03 PM, Łukasz Kuczera <l.ku...@jextreme.pl> wrote:
I'd expect a nasty user to do that. It would take our site down if launched properly, am I right?

I doubt that someone is going to try to DoS your site right now.  That's an issue you can deal with when it comes up.  If it's a malicious user who has an attack launched from a single IP address, it's pretty easy to detect the DoS and then shut down the IP address (keep in mind that it'd have to be a very clever script to repeatedly try to log in, but use the same cookie each time until it triggered the Thread.sleep and then launch that script so it was doing the same thing across 500 threads/login attempts.)  If you start getting a lot of these login failures, check your logs and if the requests are coming from the same IP address, just block that IP address (iptables, nginx, etc.)

If the attack is a DDoS that's got the above sophistication, you'll have to do some serious work.  I know a company that has request analysis infrastructure to deal with DDoS... a friend of mine is an engineer there.  The number of companies that have to worry about an intelligent, coordinated, DDoS attack is very limited and it usually has to do with some combination of money and politics (i.e., being Twitter and hosting Arab Spring conversations, being PayPal and shutting down WikiLeaks' funding.)  Basically, you've pissed off a government or Anonymous.

For you guys... don't worry.  It's generally a good problem to have... you're making such an impact that one of the big guns tries to take you out.

Łukasz Kuczera

May 19, 2012, 5:37:11 PM
to lif...@googlegroups.com

Thanks for the hearty response. Indeed, we are not afraid of it now, but I am looking into the future and was wondering about potential ways to go around it. Our company is built on top of "security", so we have to take it seriously.

Diego Medina

May 19, 2012, 6:26:24 PM
to lif...@googlegroups.com
Would something like this help you?
http://wiki.nginx.org/HttpLimitReqModule

Regards,

Diego
Diego Medina
Lift/Scala Developer
di...@fmpwizard.com
http://www.fmpwizard.com

Lukasz Kuczera

May 20, 2012, 3:14:46 PM
to lif...@googlegroups.com
We can't control our load balancer that much at this moment. I'll probably use a captcha after three tries.
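
The option the thread ends on, a captcha after three failed tries, can be decided without parking any request thread in Thread.sleep. The following is an added example in plain Scala, not Lift API and not code from any poster in this thread; `LoginThrottle`, `Decision` and the `username|client IP` key are hypothetical names, and the 15-minute window is an assumed value.

```scala
import scala.collection.mutable

// Added example; LoginThrottle, Decision and the key format are hypothetical names.
sealed trait Decision
case object Allow extends Decision
case object RequireCaptcha extends Decision

/** Sliding-window counter of failed logins. It answers immediately and never
  * sleeps, so a flood of bad logins cannot park request threads. */
class LoginThrottle(maxFailures: Int = 3, windowMillis: Long = 15 * 60 * 1000L) {
  // key -> timestamps (ms) of failures still inside the window, newest first
  private val failures = mutable.Map.empty[String, List[Long]]

  private def recent(key: String, now: Long): List[Long] =
    failures.getOrElse(key, Nil).filter(now - _ < windowMillis)

  /** Ask before verifying the password: what must this login form demand? */
  def check(key: String, now: Long): Decision = synchronized {
    if (recent(key, now).size >= maxFailures) RequireCaptcha else Allow
  }

  /** Record a wrong password; the list is capped so one key cannot grow memory. */
  def recordFailure(key: String, now: Long): Unit = synchronized {
    failures(key) = (now :: recent(key, now)).take(maxFailures)
  }

  /** A successful login clears the counter for that key. */
  def recordSuccess(key: String): Unit = synchronized { failures -= key }

  /** Drop keys whose failures have all aged out; run this periodically. */
  def prune(now: Long): Unit = synchronized {
    val dead = failures.keys.filter(k => recent(k, now).isEmpty).toList
    failures --= dead
  }
}

object Demo extends App {
  val throttle = new LoginThrottle()
  // Constructed sample: key is "username|client IP" (203.0.113.7 is a documentation address).
  val key = "alice|203.0.113.7"
  val t0 = 1000000L
  for (i <- 0 until 3) {
    println(s"attempt ${i + 1}: " + throttle.check(key, t0 + i * 1000L))
    throttle.recordFailure(key, t0 + i * 1000L)
  }
  println("attempt 4: " + throttle.check(key, t0 + 3000L)) // fourth try, inside the window
  println("later: " + throttle.check(key, t0 + 16 * 60 * 1000L)) // 16 minutes after the first try
}
```

The counter here is kept server-side under a key the application derives itself, so it does not depend on the client returning the same session cookie.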