rbCAS / CASino

CASino is a Ruby-based Single Sign-On solution supporting the CAS standard
MIT License

Lock user after a configurable amount of failed login attempts #169

Open neckhair opened 8 years ago

neckhair commented 8 years ago

This PR introduces a new configuration option max_failed_login_attempts with a default value of 5. When a user unsuccessfully tries to log in 5 times in a row, he gets locked for 5 minutes. Technically this is done by setting the attribute locked_until with an offset of 5 minutes.

coveralls commented 8 years ago

Coverage Status

Coverage increased (+0.06%) to 97.26% when pulling a6bb27c6e4882febe4d68118932ea67c402226ab on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.

coveralls commented 8 years ago

Coverage Status

Coverage increased (+0.06%) to 97.26% when pulling d382925be0cad73d966ae41610ad058e0072077c on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.

calmyournerves commented 8 years ago

Looks good to me! Maybe it should be possible to deactivate this feature (set max_failed_login_attempts to 0)?

@pencil, @luxflux: what do you think?

luxflux commented 8 years ago

Maybe it should be possible to deactivate this feature (set max_failed_login_attempts to 0)?

Yes, I agree. But IMHO we should use -1 to disable the feature.

I also would like to see the lock duration configurable, what do you think @calmyournerves, @pencil?

coveralls commented 8 years ago

Coverage Status

Coverage increased (+0.2%) to 97.391% when pulling 77f73f1e027bcf1fdd76a81df9d5b92ad587282c on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.

neckhair commented 8 years ago

@calmyournerves @luxflux @pencil The feature can now be disabled by setting max_failed_login_attempts to -1. Also the timeout can be set with the config option failed_login_lock_timeout.

calmyournerves commented 8 years ago

LGTM

neckhair commented 8 years ago

@pencil Good to merge?

rwtsoftware commented 8 years ago

I believe calling validate_login_credentials before calling locked? allows an attacker to use brute force with a timing attack in order to determine the password regardless of the account being locked out.
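Added illustration (not CASino's code) of the lockout behaviour described in this PR and of the ordering concern raised in the comment above. The option names max_failed_login_attempts (-1 disables locking) and failed_login_lock_timeout and the attribute locked_until are taken from the thread; the classes User and Authenticator, the check_lock_first switch, the verification counter and the scenario helpers are hypothetical and exist only to make the point observable. The password check uses PBKDF2 with a deliberately low iteration count so the example runs quickly.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical settings mirroring the option names discussed in this PR.
# max_failed_login_attempts: -1 disables locking entirely.
# failed_login_lock_timeout: lock duration in seconds (5 minutes here).
DEFAULT_CONFIG = { max_failed_login_attempts: 5, failed_login_lock_timeout: 300 }.freeze

class User
  attr_reader :username, :failed_login_counter, :locked_until, :verifications

  PBKDF2_ITERATIONS = 1_000 # low so the example runs fast; use far more in production

  def initialize(username, password)
    @username = username
    @salt = SecureRandom.random_bytes(16)
    @digest = derive(password, @salt)
    @failed_login_counter = 0
    @locked_until = nil
    @verifications = 0 # instrumentation: how often the expensive password check ran
  end

  def locked?(now)
    !@locked_until.nil? && @locked_until > now
  end

  # Runs the KDF and compares in constant time. The KDF is the expensive,
  # observable step, so a locked account must never reach this method.
  def password_valid?(candidate)
    @verifications += 1
    secure_equal?(derive(candidate, @salt), @digest)
  end

  def register_failed_login(now, config)
    @failed_login_counter += 1
    max = config[:max_failed_login_attempts]
    return if max < 0                        # -1: feature disabled
    return if @failed_login_counter < max
    @locked_until = now + config[:failed_login_lock_timeout]
    @failed_login_counter = 0                # fresh window once the lock expires
  end

  def reset_failed_logins
    @failed_login_counter = 0
    @locked_until = nil
  end

  private

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                             length: 32, hash: 'sha256')
  end

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class Authenticator
  def initialize(users, config: DEFAULT_CONFIG, check_lock_first: true)
    @users = users.each_with_object({}) { |u, h| h[u.username] = u }
    @config = config
    @check_lock_first = check_lock_first
  end

  # Returns :ok, :invalid or :locked. `now` is injectable for deterministic tests.
  def login(username, password, now: Time.now)
    user = @users[username]
    return :invalid if user.nil?

    if @check_lock_first
      # Hardened order: a locked account never reaches the password check, so a
      # guess against it costs nothing and leaks nothing.
      return :locked if user.locked?(now)
      valid = user.password_valid?(password)
    else
      # Order the comment above warns about: the KDF still runs for a locked
      # account, so its timing can still tell an attacker whether a guess is right.
      valid = user.password_valid?(password)
      return :locked if user.locked?(now)
    end

    if valid
      user.reset_failed_logins
      :ok
    else
      user.register_failed_login(now, @config)
      user.locked?(now) ? :locked : :invalid
    end
  end
end

# Worked scenario: five wrong passwords lock the account, the right password is
# then rejected as :locked, and it succeeds once the timeout has passed. The
# verification count shows how many KDF runs the attacker caused in each ordering.
def lockout_scenario(check_lock_first: true)
  alice = User.new('alice', 'correct horse battery staple')
  auth  = Authenticator.new([alice], check_lock_first: check_lock_first)
  t0    = Time.at(1_600_000_000)
  results = 5.times.map { |i| auth.login('alice', "wrong#{i}", now: t0 + i) }
  results << auth.login('alice', 'correct horse battery staple', now: t0 + 10)  # still locked
  results << auth.login('alice', 'correct horse battery staple', now: t0 + 305) # lock expired
  { results: results, verifications: alice.verifications }
end

# With max_failed_login_attempts = -1 no amount of failures locks the account.
def disabled_scenario
  bob  = User.new('bob', 'hunter2')
  auth = Authenticator.new([bob], config: DEFAULT_CONFIG.merge(max_failed_login_attempts: -1))
  10.times.map { |i| auth.login('bob', "wrong#{i}", now: Time.at(1_600_000_000) + i) }
end
```

With the hardened ordering the locked attempt costs no verification at all (6 KDF runs in the scenario); with credentials validated first the count rises to 7, which is exactly the extra, measurable work the comment above objects to.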

coveralls commented 7 years ago

Coverage Status

Coverage decreased (-0.8%) to 96.393% when pulling 8ec656283e53a2ad3083df868aa7ebd4c18043e4 on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.

coveralls commented 7 years ago

Coverage Status

Coverage increased (+0.2%) to 97.388% when pulling fc49a9abfbf1c4afe609ea3c2a7fe46b062d897f on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.


coveralls commented 7 years ago

Coverage Status

Coverage increased (+0.2%) to 97.385% when pulling 5167b81a909bf2ede250d16d31c5c5fb056e5073 on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.

coveralls commented 7 years ago

Coverage Status

Coverage increased (+0.2%) to 97.385% when pulling b81827b8daecfb84be6b5bb8beff3cab7e2917f0 on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.

cimnine commented 7 years ago

@pencil could you spend a few minutes to review the latest changes?

coveralls commented 7 years ago

Coverage Status

Coverage increased (+0.2%) to 97.385% when pulling e57aa7361d2b1ed26a494c076d8d9bcd6b7b2d82 on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.

coveralls commented 7 years ago

Coverage Status

Coverage increased (+0.2%) to 97.391% when pulling 4177592835968c524788f1a447d3f33ab4c2998d on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.

coveralls commented 7 years ago

Coverage Status

Coverage increased (+0.2%) to 97.391% when pulling b8b305e536986f1cb2cb014e60d4ce0f327ee355 on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.

coveralls commented 7 years ago

Coverage Status

Coverage increased (+0.2%) to 97.391% when pulling 672d1761becc9d47ca779fd9b78936ec8ea33519 on ninech:lock-user into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.