Sleep a server action for a given delay

Hi,
I’m trying to protect an application from bots attempting to break the login. One of the approaches is to introduce an increasingly large delay between responses of the server action that processes the login attempt.

I do not want to embed the wait in the client side. This must all be done on the server side.

When trying to insert a delay in the server action, however, I found that I don’t know how to do it. Is there a simple way?

The workaround I thought of is to insert a record in a table (*) with a Timestart and a Delay in seconds, and then do a repeat loop until {{now}} > Timestart + Delay, but that may be too expensive in the server’s CPU cycles. Moreover, I thought that most systems usually have commands to “sleep” for a given Delay but I did not find any in the server action grab bag.

Any pointers on how to do this would be very helpful!

Thanks in advance,

Alex

(*) This will be slightly more complex, because the attempt may come from a defined username or from an undefined one, but I think you get the gist.

Have you considered using a "honeypot"?
Add an input in your login form, something like:

<input type="text" name="inp_honey" id="inp_honey" value="" autocomplete="off"/>

autocomplete="off" will prevent user browsers from auto-filling this input.

then hide it using CSS:

#inp_honey{
    display:none;
}

Then in your server action add a condition, which checks if {{$_POST.inp_honey}} has a value
-> then -> set status 403 Forbidden
-> else -> your login steps

You'll be surprised how well this simple check works 🙂

Hi @Teodor,

First, thank you for the prompt answer.
Unfortunately, I don’t quite understand how the honeypot works on the client side. Can you please explain?

Also, the increasing delay in the response is a policy that my customer wants implemented. That’s why I’m asking.

Many thanks!

People don't see the input, but the bots do "see" it - so people will never fill it. If the input is filled, that means a bot is filling it. So, when the input has a value the login attempt will be blocked.

smart!
It assumes that bots want to play, but worth adding nonetheless.

Do you have any recommendation on how to delay the server action?

Try googling “sql sleep”, may be what you are looking for
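
The increasing-delay policy and the honeypot check discussed in the posts above, as an added Node.js example that is not part of the thread and not Wappler's own code. LoginThrottle, handleLogin, the body/ip/checkPassword parameters and the delay limits are all assumptions made for illustration.

```javascript
// Added example. LoginThrottle, handleLogin and the limits are assumptions,
// not Wappler APIs; state is in memory here, a table would hold it in production.
const BASE_DELAY_MS = 1000;  // assumed delay after the first failure
const MAX_DELAY_MS = 60000;  // assumed cap so a targeted account is not locked forever

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock
    this.state = new Map();    // key -> { failures, notBefore }
  }
  // Track by username when one was sent, otherwise by client IP.
  static keyFor(username, ip) {
    return username ? `user:${username.toLowerCase()}` : `ip:${ip}`;
  }
  // Delay doubles with each consecutive failure: 1s, 2s, 4s, ... up to the cap.
  static delayFor(failures) {
    return failures <= 0 ? 0 : Math.min(BASE_DELAY_MS * 2 ** (failures - 1), MAX_DELAY_MS);
  }
  // Milliseconds until the next attempt is accepted (0 = allowed now).
  remaining(key) {
    const entry = this.state.get(key);
    return entry ? Math.max(0, entry.notBefore - this.now()) : 0;
  }
  recordFailure(key) {
    const failures = (this.state.get(key)?.failures ?? 0) + 1;
    const delay = LoginThrottle.delayFor(failures);
    this.state.set(key, { failures, notBefore: this.now() + delay });
    return delay;
  }
  recordSuccess(key) { this.state.delete(key); }
}

// Timer-based wait: the event loop stays free, unlike a repeat-until-now loop.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// body = parsed POST fields, checkPassword = the application's own verifier.
async function handleLogin(throttle, body, ip, checkPassword) {
  if (body.inp_honey) return { status: 403 };               // honeypot was filled
  const key = LoginThrottle.keyFor(body.username, ip);
  const wait = throttle.remaining(key);
  if (wait > 0) return { status: 429, retryAfterMs: wait }; // parallel tries get no free guess
  if (await checkPassword(body.username, body.password)) {
    throttle.recordSuccess(key);
    return { status: 200 };
  }
  await sleep(throttle.recordFailure(key));                 // hold the failure response
  return { status: 401 };
}
```

Each held response keeps one connection open for the length of the delay; the stored notBefore time is what stops a client from sidestepping the wait with parallel requests.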

Hi @Teodor,

I’m following your instructions to implement the honeypot.
I made the change to my css file as recommended above.
In the Wappler “browser”, I can see that the field is now hidden:

In my Chrome browser, however, it is not.

Why is that?

Have you tried clearing the cache?
Did you upload your CSS file to the server?

I don’t know what the problem is. However, I think there is something to be said for a slightly different approach, mentioned in this thread. I have read that some robots will look for inputs with display:none; - and ignore them.

This should be:

#name-honey{ display:none; }

I did upload it.
That said, I had not cleared the cache. Did that and now the page works as expected.

Much appreciated.

Yes. I noticed that the but forgot to mention it to you. I created that line from within Wappler, using the “Styles” tab.
Thank you again!

Hi,

I have used the method suggested by @Teodor successfully which I built with W5 Beta version .5

I have gone to try and create another anti-spam workflow in the newly released W5 and the ELSE step is not appearing after the Response step. Is this part of the update or a bug?

Many thanks
CK

Just right click on then and you can add an else

Brilliant