codeling / bfstop

Brute Force Stop Plugin (for Joomla!)
https://bfstop.bfroehler.info
GNU General Public License v3.0

Counter only for invalid data #175

Closed IamBelka closed 4 years ago

IamBelka commented 4 years ago

Good day, is it possible to configure the plugin so that the reverse attempt counter is activated only when you enter incorrect data (username\password)? The counter now counts logins to the account, even if the data is entered correctly.

codeling commented 4 years ago

I think I don't understand the question - because as far as I understand, bfstop already does (or, at least, is supposed to do) exactly what you are asking for:

is it possible to configure the plugin so that the reverse attempt counter is activated only when you enter incorrect data (username\password)?

By the "reverse attempt counter" I guess you mean the optional feature where BFStop shows how many login attempts are remaining before the user is blocked, right? This notification should, for starters, only be shown if invalid credentials were entered, in a message region on the login page. When you log in successfully you should not get any message.

The counter now counts logins to the account, even if the data is entered correctly

If I understand this correctly, what you currently observe BFStop doing is this: You enter valid credentials on the login page, and then you see somewhere how many times you have entered valid credentials so far. If you enter invalid credentials however, you see no message / no hint on how many remaining attempts. Does this correctly summarize what you see? Could you maybe elaborate a bit - e.g., on: Are you able to login with valid credentials, or are you redirected back to the login page? Can you tell me where you see this number of correctly entered data? Can you give a concrete example, ideally with e.g. screenshots of the behaviour you see?

IamBelka commented 4 years ago

Good day, thank you for such a quick reply. I use BFStop to control user login to the site. When you activate the "ENTER" button, a message already appears that "you have 5 attempts to enter", while the user has not yet entered the data on the site. If the data is entered correctly, the user logs on to the site, but when they then log out and re-enter the data, the counter continues to count - 4-3-2-1. But this problem only occurs when users log in to the site; through /administrator/index.php/ everything works correctly.

codeling commented 4 years ago

I use BFStop to control user login to the site.

I suppose this starts on the login page (yourdomain.com/index.php/component/users/?view=login), right? Does the message already appear when loading that page, or does the user have to do anything for the message to appear? How are you navigating to the login page - is it the start page of your website, do you have a link there, or do you have the login module enabled somewhere and users come to the login page via that?

When you activate the "ENTER" button, a message already appears that "you have 5 attempts to enter," while the user has not yet entered the data on the site.

What do you mean by "activating" the ENTER button? Pressing it? If you mean pressing the Enter key, then this does submit the login form; this is standard behavior for forms on any website. This might explain why you see the warning, because if you submit via the Enter key, this counts as a login attempt, just the same as if you would click on the "Login" button. But you said users have not entered anything yet at this point, so I wonder how they could submit anything in that case, since in my Joomla installation, a local Javascript and/or some validation hints for the user/password inputs (which are embedded in the login form by Joomla itself, not by my plugin) prevent the form from being submitted with no data entered. Could it be that there are some browser extensions in play, which disable javascript and this validation? To what did you set the "Remaining attempts" setting in the plugin configuration on the "Advanced" tab in the Joomla backend?

Successful login attempts should (and do in my case) reset the number of remaining login attempts. In your case, when do you see the message? Immediately when you navigate to the login page again after logging out? When you press enter on it? Are you sure the user was properly logged in in-between these attempts where the countdown continues?

What bfstop and Joomla version are you using, what is the php version on your server? What browser have you/your users tried, what extensions are installed on these? There must be something specific about your environment causing the issue you see, because I have not heard reports about similar behavior yet from any other user (as far as I can remember).

IamBelka commented 4 years ago

Good day. Yes, the site includes the standard module "Login to the site". To log in to the site, the user clicks on the button and goes to the address component/users/?view=login&Itemid=101. In this case, the system displays the messages "Empty password is invalid" and "there are 5 attempts left to enter". It is likely that this is the reason for the error - it is possible that a login request is already generated when you click on it. If I refresh the page using ctrl+f5, then bfstop also believes that there was an attempt to log in with incorrect data. Installed: Joomla 3.9.5, bfstop 1.4.1, PHP 7.2.15. Browsers: chrome, yandex. Without additional extensions and on different computers. bfstop is configured as standard with a limit of 5 attempts. The problem is that I'm new to this business and I may not catch the subtleties.

codeling commented 4 years ago

For me, the "Login" module already contains user and password inputs, but yes, here the javascript / validation hints are missing. You don't see any username/password inputs in that module? Then there seems to be something wrong with your template (most likely), or the Login module itself is faulty (less likely). The Login button on that module triggers a form submit (meaning a login attempt), but in your case with no username and password (when the respective inputs aren't shown nothing can be entered).

If you can't easily fix the template (/the module), as a workaround, I would suggest that instead of the module, you use a single article module with a link directly to the login page.

If you press Ctrl+F5, and you came to the current site by clicking Enter / submitting a form via a button, then browsers typically ask whether you want to re-submit the form data. If you click yes there, then of course this counts as an additional login attempt: the server just sees the additional request. It wouldn't make sense to try and check whether this might be a refresh, because the credentials are checked in that request, meaning, functionally, it is indistinguishable from another login attempt, and, if exempted, could allow attackers additional, "free" attempts.

Joomla 3.9.5 is rather outdated, I recommend updating to the latest 3.9.19 (though this will probably not change anything for this issue).

codeling commented 4 years ago

Actually, correction to my previous statement that a valid login would reset the counter: this is not the case; intentionally so, otherwise an attacker could register an account, then try a few credentials, log in successfully with his registered account, and then continue with more attempts.

The main problem here in this issue though is the missing input for username and password in the Login module (I think)!
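The two design points made in the thread (a re-submitted form is just another request and is counted like any failure; a successful login must not reset the per-IP failure count, or an attacker with their own account could clear it) are illustrated below with a small standalone model. This is an added example, not bfstop's own PHP code: the class, the sliding-window bookkeeping, the `reset_on_success` switch and the IP addresses are all constructed for illustration, with `reset_on_success=True` standing in for the weak policy the thread argues against.

```python
import time
from collections import defaultdict, deque


class LoginAttemptTracker:
    """Hypothetical per-source failed-login counter (not bfstop's code).

    Failures are counted per client IP inside a sliding time window; once
    max_attempts failures have accumulated, the source is blocked. Successful
    logins leave the failure count untouched unless reset_on_success=True,
    which models the weaker policy discussed in the thread.
    """

    def __init__(self, max_attempts=5, window_seconds=3600,
                 reset_on_success=False, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.reset_on_success = reset_on_success
        self.clock = clock  # injectable so scenarios are deterministic
        self._failures = defaultdict(deque)  # ip -> timestamps of failures
        self._blocked = {}                   # ip -> time block was imposed

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip):
        return ip in self._blocked

    def record_attempt(self, ip, credentials_valid):
        """Record one login request exactly as the server sees it.

        Returns the number of attempts remaining, or 0 once blocked. A
        blocked source is refused even with valid credentials.
        """
        now = self.clock()
        if self.is_blocked(ip):
            return 0
        self._prune(ip, now)
        if credentials_valid:
            if self.reset_on_success:
                self._failures[ip].clear()
        else:
            self._failures[ip].append(now)
            if len(self._failures[ip]) >= self.max_attempts:
                self._blocked[ip] = now
                return 0
        return self.max_attempts - len(self._failures[ip])


def simulate(reset_on_success):
    """Constructed scenario from the thread: three bad guesses, one successful
    login with the attacker's own account, then three more bad guesses.
    Returns the per-request remaining count and whether the IP ended blocked."""
    tracker = LoginAttemptTracker(max_attempts=5,
                                  reset_on_success=reset_on_success,
                                  clock=lambda: 1000.0)
    ip = "203.0.113.7"  # documentation-range address, constructed
    trace = [tracker.record_attempt(ip, False) for _ in range(3)]
    trace.append(tracker.record_attempt(ip, True))   # own account logs in
    trace += [tracker.record_attempt(ip, False) for _ in range(3)]
    return trace, tracker.is_blocked(ip)


def refresh_counts_as_attempt():
    """A Ctrl+F5 that re-sends the form is, to the server, a second POST with
    the same invalid credentials; it is counted like any other failure."""
    tracker = LoginAttemptTracker(max_attempts=5, clock=lambda: 1000.0)
    ip = "198.51.100.4"  # constructed
    first = tracker.record_attempt(ip, False)
    resubmitted = tracker.record_attempt(ip, False)
    return first, resubmitted


if __name__ == "__main__":
    print("no reset on success:", simulate(False))   # blocked after 5 failures
    print("reset on success:   ", simulate(True))    # never blocked
    print("refresh re-submit:  ", refresh_counts_as_attempt())
```

With the default policy the trace reads 4, 3, 2, 2, 1, 0, 0 and the source is blocked: the successful login in the middle neither resets nor extends the budget. With `reset_on_success=True` the same requests read 4, 3, 2, 5, 4, 3, 2 and the block is never reached, which is the bypass the thread describes. Real deployments also need the window and block duration tuned, and should log blocks so they can be correlated with the web server's access log.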

IamBelka commented 4 years ago

I apologize for bothering you, and thank you for your answers and help. I will try to fix the error

codeling commented 4 years ago

No worries, it didn't bother me ;) Turns out in the process, I re-learned something about my own software - it's been a while since I last updated it...