silverstripe / silverstripe-framework

Silverstripe Framework, the MVC framework that powers Silverstripe CMS
https://www.silverstripe.org
BSD 3-Clause "New" or "Revised" License

LoginAttempt written for every controller in stack when using BasicAuth #10832

Open mikey-harveycameron opened 1 year ago

mikey-harveycameron commented 1 year ago

Affected Version

SS4.13

Description

The LoginAttempt table is written to by every controller when the site is accessed using BasicAuth. This includes Elemental block controllers. The LoginAttempt table quickly becomes massive and the site slows down.

Is it necessary to record BasicAuth attempts? If so, can we restrict to the top controller? And only once per session?

Steps to Reproduce

  1. Add lots of elemental blocks to a page.
  2. SS_USE_BASIC_AUTH="ADMIN"
  3. Reload the page a few times.
  4. Marvel at your bloated database.

maxime-rainville commented 1 year ago

I don't think that's default behaviour. Security::login_recording is set to false by default.

mikey-harveycameron commented 1 year ago

> I don't think that's default behaviour. Security::login_recording is set to false by default.

This is correct, but it was also made dependent on max login attempts, which is set to 10, so it is never false!