I'm working on a way to manage rate limiting for user actions like password resets and logins. I want to make sure that legitimate users wait about 5 minutes before they can request another password reset link via email. I noticed in my server logs from SendGrid that some users are impatient and can't wait even 60 seconds for the reset email to arrive. Additionally, I've seen potential malicious attempts where passwords are being requested repeatedly. I'm developing a file to manage incoming requests, and I'm not sure whether to limit requests by just IP address, by both IP and user account, or some other method. Also, how can I prevent locking out legitimate users while still managing potential abuse?
2 Answers
For handling password resets, it's a good idea to limit requests by email address. This way, you can prevent any targeted attacks on specific users. Additionally, implement IP-based limits to stop mass requests coming from one source. When it comes to failed login attempts, consider using exponential backoff instead of applying fixed timeouts. Also, adding a CAPTCHA after a few failed attempts can help avoid accidentally locking out real users.
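One way to implement the combination this answer recommends (per-address cooldown, per-IP window, exponential backoff on failed logins with a CAPTCHA threshold), as an added Python example that is not from the original thread. The 5-minute cooldown comes from the question; the IP window size, IP cap, CAPTCHA threshold and backoff ceiling are assumed values, and the in-memory store stands in for whatever shared store a real deployment would use.

```python
import time
from collections import defaultdict

RESET_COOLDOWN_SECONDS = 300      # one reset link per address every 5 minutes (from the question)
IP_WINDOW_SECONDS = 3600          # assumed: sliding window for per-IP counting
IP_MAX_RESETS_PER_WINDOW = 20     # assumed cap on reset requests per source IP per window
CAPTCHA_AFTER_FAILURES = 3        # assumed threshold before a CAPTCHA is demanded
LOGIN_BACKOFF_CAP_SECONDS = 900   # assumed ceiling for the exponential login delay


class AbuseLimiter:
    """In-memory limiter; a real deployment would back this with Redis or similar."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.last_reset_by_email = {}                 # email -> timestamp of last link sent
        self.reset_times_by_ip = defaultdict(list)    # ip -> timestamps inside the window
        self.login_failures = {}                      # email -> (count, last_failure_ts)

    def allow_password_reset(self, email, ip):
        """Return (allowed, reason). Show the same 'check your inbox' message to the
        user either way, so the limiter does not reveal which addresses exist."""
        now = self.clock()
        key = email.strip().lower()
        last = self.last_reset_by_email.get(key)
        if last is not None and now - last < RESET_COOLDOWN_SECONDS:
            return False, "email_cooldown"
        recent = [t for t in self.reset_times_by_ip[ip] if now - t < IP_WINDOW_SECONDS]
        self.reset_times_by_ip[ip] = recent
        if len(recent) >= IP_MAX_RESETS_PER_WINDOW:
            return False, "ip_window"
        recent.append(now)
        self.last_reset_by_email[key] = now
        return True, "ok"

    def login_check(self, email):
        """Return (seconds_to_wait, captcha_required) before another attempt is accepted."""
        count, last = self.login_failures.get(email.lower(), (0, 0.0))
        if count == 0:
            return 0.0, False
        delay = min(2 ** count, LOGIN_BACKOFF_CAP_SECONDS)   # 2, 4, 8, ... seconds, capped
        remaining = max(0.0, last + delay - self.clock())
        return remaining, count >= CAPTCHA_AFTER_FAILURES

    def record_login_failure(self, email):
        count, _ = self.login_failures.get(email.lower(), (0, 0.0))
        self.login_failures[email.lower()] = (count + 1, self.clock())

    def record_login_success(self, email):
        self.login_failures.pop(email.lower(), None)
```

Because the delay grows per account rather than per IP, a legitimate user who mistypes once waits a couple of seconds, while a sustained guessing run against one account is throttled and pushed to the CAPTCHA regardless of how many source addresses it uses.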
Honestly, if a password reset email is taking 60 seconds to arrive, I’d probably try clicking again too, thinking it didn’t work the first time! Just so you know, sometimes email systems run on a schedule, like cron jobs that check for outgoing emails every 60 seconds. Depending on when someone requests the reset, they might not get the email immediately, but you could reduce that wait time and improve user experience.
Right, that makes sense! I didn’t think about the cron job timing affecting delivery. Thanks for the tip!