http basic authentication - maximum allowed trial times?
I am working on a login section for a new project, which definitely requires user authentication.
The easiest way of doing that, I assume, would be using HTTP basic authentication. I implemented it fine on the Apache server, and SSL was also introduced to provide better security.
However, one thing concerns me: it seems the basic authentication wouldn't stop no matter how many times a user failed to provide a valid username/password credential. It would just keep asking...
I reckon, since each time the web server receives the credential it needs to go through the password file to look up whether a match exists or not, it takes a certain amount of server resources. My question is, would this be a security risk of a DoS attack by malicious users?
If so, how can I stop this? By adding some configuration/feature to Apache? Or just swap to some other authentication method? Digest Authentication?
Many thanks in advance for the advice.
Handle the HTTP authentication yourself, keep a count of logins per IP address (over a given time), and then just return 401 if the limits are reached.
mod_perl 2.0: http://perl.apache.org/docs/2.0/user/handlers/http.html#toc_PerlAuthenHandler
mod_php: http://no.php.net/manual/en/features.http-auth.php
mod_python: http://www.modpython.org/live/mod_python-3.2.8/doc-html/tut-more-complicated.html
Step 1: Read this: http://en.wikipedia.org/wiki/Denial-of-service_attack#Prevention_and_response
Step 2: Implement this. Create a set of counters indexed by IP address. Each failure from an IP address increases the counter. The counter is the sleep time -- in seconds. 10 failed attempts means 10 seconds for the 401 response.
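Putting the two answers together as an added example (not code from either answer): a per-IP failure counter over a sliding window, where the count is both the hard limit after which credentials are no longer checked and the number of seconds to delay the 401. The user store, the PBKDF2 hashing and the `check()` interface are assumptions for the example; a real handler would call `time.sleep(delay)` before replying.

```python
import base64
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed user store (assumption: salted PBKDF2, not Apache's htpasswd format).
SALT = b"constructed-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

USERS = {"alice": _hash("correct horse")}

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class AuthThrottle:
    """Per-IP failure counter over a sliding window; the count is also the 401 delay."""

    def __init__(self, window=600, max_failures=10, clock=time.monotonic):
        self.window = window                # seconds a failure stays on the record
        self.max_failures = max_failures    # hard limit: stop checking credentials
        self.clock = clock                  # injectable so tests need no real sleep
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures

    def _recent(self, ip):
        now = self.clock()
        self.failures[ip] = [t for t in self.failures[ip] if now - t < self.window]
        return self.failures[ip]

    def check(self, ip, auth_header):
        """Return (http_status, delay_seconds); caller sleeps `delay` before replying."""
        recent = self._recent(ip)
        if len(recent) >= self.max_failures:
            return 401, len(recent)  # over the limit: refuse without touching the store
        if not auth_header or not auth_header.startswith("Basic "):
            return 401, 0            # no credentials yet: plain challenge, no penalty
        try:
            user, _, pw = base64.b64decode(auth_header[6:], validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user, pw = "", ""        # malformed header counts as a failed attempt
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(expected, _hash(pw)):
            self.failures.pop(ip, None)  # success clears the record for this IP
            return 200, 0
        recent.append(self.clock())
        return 401, len(recent)          # N failures -> N seconds before the 401
```

Sleeping inside the request handler holds that worker for the delay, so the per-IP hard limit matters as much as the sleep: once it is reached the password store is not consulted at all.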