umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com
MIT License
4.42k stars 2.67k forks

Members not locked out after failed login attempts #9861

Closed iishnz closed 3 years ago

iishnz commented 3 years ago

Bug summary

A front-end member can enter an unlimited number of incorrect password attempts without being locked out. The number of failed password attempts does not get recorded in the member property in the Backoffice. There is also an issue with the last login date in that it can revert to an older date, but I think this is caused by the same bug.

Umbraco version

This is not working in 8.11.1 - it was previously working in 8.6.4

Reproduction

  1. On a fresh install of Umbraco with the built-in starter kit

  2. Create the following partial views using the built-in snippets:

    • Login
    • Login Status

  3. Edit the Home template and add the following somewhere near the top:

     <section class="section">
     @Html.Partial("~/Views/Partials/Login.cshtml")
     @Html.Partial("~/Views/Partials/Login Status.cshtml")
     </section>

  4. Create a member in the back-office to test with.

  5. On the homepage, log in with your test member using an invalid password.

  6. In the back-office, go to the members section and review the "Failed Password Attempts" property for your test member; it will probably say "1".

  7. On the homepage, try and log in again with your test member using an invalid password, then check the back-office again; the "Failed Password Attempts" did not change.

  8. By default a member should be locked out after 5 invalid attempts. Try logging in 20 times with an invalid password, then try with the correct password - the member is logged in.

Expected result

Failed login attempts should be recorded. A member should be locked after a certain number of failed password attempts.

Actual result

The member was not locked out and the number of failed login attempts was not recorded.


_This item has been added to our backlog AB#10589_

reneemhaas-diagram commented 3 years ago

Adding that this is also not working in 8.9.2.

bergmania commented 3 years ago

I can reproduce, and my finding so far is that it is a caching issue.

bergmania commented 3 years ago

@nul800sebastiaan, the bug was introduced in 8.6.5

nul800sebastiaan commented 3 years ago

Fixed in PR https://github.com/umbraco/Umbraco-CMS/pull/9921 and cherry picked for patch releases from 8.6 upwards.
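
An illustrative model of how a caching fault can produce the symptoms reported in this thread: the counter stuck at "1" and no lockout after 20 wrong passwords. This is an added example, not Umbraco code and not taken from the fix; the thread does not describe the actual defect, so the stale-read mechanism and the names `MemberStore`, `login` and `run` are assumptions.

```python
"""Constructed model: a stale cached member record defeats lockout."""
from dataclasses import dataclass, replace

MAX_FAILED_ATTEMPTS = 5  # default lockout threshold quoted in the issue


@dataclass(frozen=True)
class Member:
    failed_attempts: int = 0
    locked_out: bool = False


class MemberStore:
    """Hypothetical store: one database row with a read cache in front."""

    def __init__(self, invalidate_on_save):
        self.db = Member()
        self.cache = None
        self.invalidate_on_save = invalidate_on_save

    def get(self):
        if self.cache is None:
            self.cache = self.db  # first read populates the cache
        return self.cache

    def save(self, member):
        self.db = member
        if self.invalidate_on_save:
            self.cache = None  # next read sees the updated counter


def login(store, password_ok):
    member = store.get()  # may be a stale copy
    if member.locked_out:
        return False
    if password_ok:
        store.save(replace(member, failed_attempts=0))
        return True
    attempts = member.failed_attempts + 1
    store.save(replace(member, failed_attempts=attempts,
                       locked_out=attempts >= MAX_FAILED_ATTEMPTS))
    return False


def run(invalidate_on_save, wrong_guesses=20):
    """Return (stored failed_attempts, did the correct password log in?)."""
    store = MemberStore(invalidate_on_save)
    for _ in range(wrong_guesses):
        login(store, password_ok=False)
    return store.db.failed_attempts, login(store, password_ok=True)
```

With the stale cache, every attempt increments from the same cached 0, so the stored value never passes 1; the same pattern of writing back an old copy would also explain a last login date reverting to an earlier value.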