Reputation: 3760
I am writing a simple solution for brute force login attempts. I need to add a delay before sending the response if there were many failed attempts. What do you guys suggest to add a delay for individual requests? It has to be per request, so that the thread serving a particular resource is not affected for the next request.
Thanks.
EDIT: According to this question, when running on Apache on Webfaction, time.sleep will delay the next request to the same resource.
So what could be an alternative to time.sleep in this case?
Upvotes: 2
Views: 2469
Reputation: 1671
If you delay the response in a threaded server, your service will be prone to a DoS attack. An attacker may send many requests at once, and all your threads will sleep at once...
You had better ask for a CAPTCHA if there are too many attempts from the same IP.
Upd: I would use Twisted (or Tornado, but I have never used it) and nginx (not Apache) as the frontend. You may even use both Twisted and Django, but you will have to write code that imitates Django auth and session with Twisted, writing proper data into the database.
Upvotes: 1
Reputation: 3240
HTTP is a stateless protocol. The only way to connect requests is to store the session information somewhere client side. Since you can't control client behavior, the best chance is to log failed login attempts on the server side and delay the login routine for those accounts.
Upvotes: 1
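The server-side bookkeeping suggested in the answer above, as an added example that is not part of the original thread. It records failures per account and stores a retry deadline instead of calling time.sleep, so a throttled request is answered at once and no worker thread is held. The names LoginThrottle and attempt_login, the password_ok flag standing in for the real credential check, the thresholds and the in-memory dict are all assumptions.

```python
import time


class LoginThrottle:
    """Per-account failed-login tracking with a retry deadline instead of sleep()."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=300.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures tolerated before any delay
        self.base_delay = base_delay        # delay in seconds for the first penalised failure
        self.max_delay = max_delay          # cap so the delay cannot grow without bound
        self.clock = clock                  # injectable so tests need not wait
        self._state = {}                    # account -> (failure_count, blocked_until)

    def retry_after(self, account):
        """Seconds the caller must still wait; 0.0 means the attempt may proceed."""
        _, blocked_until = self._state.get(account, (0, 0.0))
        return max(0.0, blocked_until - self.clock())

    def record_failure(self, account):
        """Count a failed attempt and return the delay now imposed on the account."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        over = failures - self.free_attempts
        # Delay doubles with each failure past the free allowance, up to max_delay.
        delay = 0.0 if over <= 0 else min(self.max_delay, self.base_delay * 2 ** (over - 1))
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        """A correct login clears the account's failure history."""
        self._state.pop(account, None)


def attempt_login(throttle, account, password_ok):
    """Return (http_status, retry_after_seconds) without blocking the worker thread."""
    wait = throttle.retry_after(account)
    if wait > 0:
        return 429, wait  # rejected before the password is even checked
    if password_ok:
        throttle.record_success(account)
        return 200, 0.0
    return 401, throttle.record_failure(account)
```

With more than one server process the counters would have to live in a shared store such as the database or a cache rather than in process memory. The second value of a 429 result is what a view would send as the Retry-After header.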
Reputation: 229491
Downvote me if I'm wrong, but I think each thread only processes one request at a time. Thus, if you want a slow request, just do a time.sleep in that thread and the server will take a longer time to process it without affecting the other concurrent requests.
Upvotes: 2