Sleep a server action for a given delay

aschoijett · February 21, 2020, 1:48pm

Hi,
I’m trying to protect an application from bots attempting to break the login. One of the approaches is to introduce an increasingly large delay between responses of the server action that processes the login attempt.

I do not want to embed the wait in the client side. This must all be done on the server side.

When trying to insert a delay in the server action, however, I found that I don’t know how to do it. Is there a simple way?

The workaround I thought of is to insert a record in a table (*) with a Timestart and a Delay in seconds, and then do a repeat loop until {{now}} > Timestart + Delay but that may be too expensive in server’s CPU cycles. Moreover, I thought that most systems usually have commands to “sleep” for a given Delay but I did not find any in the server action grab bag.

Any pointers on how to do this would be very helpful!

Thanks in advance,

Alex

(*) This will be slightly more complex, because the attempt may come from a defined username or from an undefined one, but I think you get the gist.

Teodor · February 21, 2020, 1:57pm

Have you considered using a "honeypot"?
Add an input in your login form, something like:

<input type="text" name="inp_honey" id="inp_honey" value="" autocomplete="off"/>

autocomplete="off" will prevent user browsers to auto-fill this input.

then hide it using CSS:

#inp_honey{
    display:none;
}

Then in your server action add a condition, which checks if {{$_POST.inp_honey}} has a value
-> then -> set status 403 Forbidden
-> else -> your login steps

You'll be surprised how good this simple check works

aschoijett · February 21, 2020, 2:09pm

Hi @Teodor,

First, thank you for the prompt answer.
Unfortunately, I don’t quite understand how the honeypot works on the client side. Can you please explain?

Also, the increasing delay in the response is a policy that my customer wants implemented. That’s why I’m asking.

Many thanks!

Teodor · February 21, 2020, 2:10pm

People don't see the input, but the bots do "see" it - so people will never fill it. If the input is filled, that means a bot is filling it. So, when the input has a value the login attempt will be blocked.

aschoijett · February 21, 2020, 2:12pm

smart!
It assumes that bots want to play, but worth adding nonetheless.

Do you have any recommendation on how to delay the server action?

Hyperbytes · February 21, 2020, 7:49pm

Try googling “sql sleep”, may be what you are looking for

aschoijett · February 23, 2020, 7:48pm

Hi @Teodor,

I’m following your instructions to implement the honeypot.
I made the change to my css file as recommended above.
In the Wappler “browser”, I can see that the field is now hidden:

In my Chrome browser, however, it is not.

Why is that?

Teodor · February 23, 2020, 8:01pm

Have you tried clearing the cache?
Did you upload your CSS file to the server?

TomD · February 23, 2020, 8:22pm

I don’t know what the problem is. However, I think there is something to be said for a slightly different approach, mentioned in this thread. I have read that some robots will look for inputs with display:none; - and ignore them.

George · February 23, 2020, 8:31pm

This should be:

#name-honey{ display:none; }

aschoijett · February 23, 2020, 8:40pm

I did upload it.
That said, I had not cleared the cache. Did that and now the page works as expected.

Much appreciated.

aschoijett · February 23, 2020, 8:46pm

Yes. I noticed that the but forgot to mention it to you. I created that line from within wappler, using the “Styles” tab.
Thank you again!

cknight · July 22, 2022, 9:01am

Hi,

I have used the method suggested by @Teodor successfully which I built with W5 Beta version .5

I have gone to try and create another anti-spam workflow in the newly released W5 and the ELSE step is not appearing after the Response step, is this part of the update or a bug?

Many thanks
CK

bpj · July 22, 2022, 10:36am

Just right click on then and you can add an else

cknight · July 22, 2022, 11:08am

Brilliant