
User is never locked out on failed login attempts #1905

Closed
Neutrino-Sunset opened this issue Jul 21, 2022 · 1 comment

Comments

@Neutrino-Sunset

No matter how many times the user enters the wrong password they are never locked out.

This is true irrespective of whether you set MaxFailedAccessAttempts or not.

The Piranha_Users.AccessFailedCount entry in the database is never updated. Manually setting it to a value greater than MaxFailedAccessAttempts also has no effect.

Either this is a bug, or this documentation is wrong, or I'm doing something wrong. But I've just tested this using your own project template and it looks broken to me.

@Neutrino-Sunset
Author

Also, since POST /manager/login returns 200 on failed login, I can't set up a monitor on the web server to detect 401 errors and raise an alert for brute force authentication attacks, which, since the user is never locked out on multiple failed login attempts, is a major problem.
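For context on what the report expects, here is an added illustration (not Piranha's code) of how lockout is wired in ASP.NET Core Identity, which Piranha's user store is built on: `AccessFailedCount` is only incremented and the lockout enforced when `PasswordSignInAsync` is called with `lockoutOnFailure: true`, and answering a failed login with 401 rather than 200 gives a web-server monitor something to count. `LockoutSetup`, `LoginModel`, `AccountController`, the `IdentityUser` type and the `/manager` redirect are assumptions for the example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Lockout policy (assumed values). Without AllowedForNewUsers = true,
// accounts created after setup are never lockout-enabled at all.
public static class LockoutSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.Configure<IdentityOptions>(o =>
        {
            o.Lockout.MaxFailedAccessAttempts = 5;
            o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
            o.Lockout.AllowedForNewUsers = true;
        });
    }
}

public record LoginModel(string Username, string Password); // assumed DTO

public class AccountController : Controller // assumed name
{
    private readonly SignInManager<IdentityUser> _signIn;

    public AccountController(SignInManager<IdentityUser> signIn) => _signIn = signIn;

    [HttpPost("/manager/login")]
    public async Task<IActionResult> Login([FromForm] LoginModel m)
    {
        // lockoutOnFailure: true is what makes Identity bump AccessFailedCount
        // and lock the account once MaxFailedAccessAttempts is reached.
        // With false, the counter stays at 0 no matter how many attempts fail,
        // which is the symptom described in this issue.
        var result = await _signIn.PasswordSignInAsync(
            m.Username, m.Password, isPersistent: false, lockoutOnFailure: true);

        if (result.Succeeded)
            return Redirect("/manager");

        // Wrong password and locked-out both answer 401 (not 200), so a
        // web-server monitor can count failures per source and alert on a
        // burst; keeping the two cases identical avoids leaking lockout state.
        return Unauthorized();
    }
}
```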


2 participants