
login attempts

Posted: Sun Mar 25, 2012 10:22 am
by samhans
Hi Steve and all,

Can anybody suggest how I could lock a user out from logging in after three consecutive unsuccessful attempts?

Thanks in advance.

Re: login attempts

Posted: Sun Mar 25, 2012 4:04 pm
by shannah
Xataface already does this, but it is more than 3 attempts. It is done by IP address.

Re: login attempts

Posted: Sun Mar 25, 2012 6:31 pm
by samhans
Steve,
By address you mean IP address. By the way, thanks.

Re: login attempts

Posted: Mon Mar 26, 2012 9:13 am
by samhans
Steve, I tried this in one of my applications by giving three wrong passwords, but the fourth time I am able to log in.

How does the lockout occur?

Re: login attempts

Posted: Mon Mar 26, 2012 9:22 am
by shannah
It is set to 20 attempts within a 30 minute window. If you have 20 failed attempts (without a successful attempt) within 30 minutes from the same IP address, that IP address will be locked for 30 minutes.

When the feature was first implemented it was set to 5, but this caused problems for applications where all the users are connecting from the same IP address. This was much more common than I thought. In this scenario, you could have 5 people type in wrong passwords and that would lock everyone out for 30 minutes. Increasing the limit to 20 still stops bots from incessantly hitting the application with different passwords, while not causing problems for regular users.

The code is found in the isLockedOut() method of the Dataface_AuthenticationTool class if you want to see the logic.
-Steve
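
The lockout rule described in the post above, sketched as an added example that is not part of the original thread and is not Xataface's `isLockedOut()` code. The `IpLockout` class, its in-memory storage, the sample address and the timestamp are assumptions made for illustration (PHP 8); the constructed scenario replays five users behind one shared address each mistyping a password, once with a limit of 5 and once with the limit of 20.

```php
<?php
// Added illustration; NOT Xataface's isLockedOut() implementation.
// IpLockout is a hypothetical class; state is kept in memory for the demo.
final class IpLockout
{
    private array $failures = [];    // ip => timestamps of failed logins
    private array $lockedUntil = []; // ip => unix time at which the lock expires
    public function __construct(
        private int $maxFailures = 20,  // threshold quoted in the thread
        private int $windowSecs = 1800, // 30-minute counting window
        private int $lockSecs = 1800    // 30-minute lock
    ) {}

    public function isLockedOut(string $ip, int $now): bool
    {
        return ($this->lockedUntil[$ip] ?? 0) > $now;
    }

    public function recordFailure(string $ip, int $now): void
    {
        // Keep only failures still inside the window, then add this one.
        $recent = array_filter(
            $this->failures[$ip] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSecs
        );
        $recent[] = $now;
        $this->failures[$ip] = array_values($recent);
        if (count($recent) >= $this->maxFailures) {
            $this->lockedUntil[$ip] = $now + $this->lockSecs;
            $this->failures[$ip] = [];
        }
    }

    public function recordSuccess(string $ip): void
    {
        unset($this->failures[$ip]); // a successful login resets the count
    }
}

// Constructed scenario: five users behind one shared address each fail once.
$t0 = 1332753720; // arbitrary constructed timestamp
foreach ([5, 20] as $limit) {
    $guard = new IpLockout($limit);
    for ($i = 0; $i < 5; $i++) {
        $guard->recordFailure('203.0.113.7', $t0 + $i * 60);
    }
    $locked = $guard->isLockedOut('203.0.113.7', $t0 + 300);
    printf("limit=%d locked=%s\n", $limit, var_export($locked, true));
}
```

A real deployment would keep the counters in a shared store such as a database table so that every web worker sees the same state, and would call `isLockedOut()` before checking the password.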