Hi all, while reviewing the authentication failure handling, I noticed
that the current behavior around *maxAuthenticationAttempts* seems
counterintuitive.
With `maxAuthenticationAttempts = 3`, the user is currently suspended
only after the fourth failed login attempt. This happens because the
suspension check uses a strict `>` comparison against the configured
threshold.
My expectation would be that `maxAuthenticationAttempts` represents the
maximum number of failed authentication attempts allowed before
suspension, so a value of `3` should suspend the user on the third
failed attempt.
I also did a quick check around and the behaviour is always: when the
configured maximum is reached, the account is disabled.
Do you think it would make sense to change the check from `>` to `>=`, so
that the account is suspended when the configured threshold is reached?
For example:
* maxAuthenticationAttempts = 3
* failed login #1 -> failedLogins = 1, user not suspended
* failed login #2 -> failedLogins = 2, user not suspended
* failed login #3 -> failedLogins = 3, user suspended
Thanks,
Massimiliano
--
Massimiliano Perrone
Tel +39 393 9121310
Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
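As an added illustration (not code from the original message or from the project it discusses), the following Python model of a failed-login counter shows how a strict `>` check against `maxAuthenticationAttempts` delays suspension by one attempt compared with `>=`, for any configured threshold, not just 3. The class and function names are assumed for the example.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Hypothetical model of an account policy carrying maxAuthenticationAttempts."""
    max_authentication_attempts: int
    inclusive: bool  # True: suspend when failedLogins >= max; False: only when >

    def should_suspend(self, failed_logins: int) -> bool:
        # The only difference between the two behaviours is this comparison.
        if self.inclusive:
            return failed_logins >= self.max_authentication_attempts
        return failed_logins > self.max_authentication_attempts


@dataclass
class Account:
    failed_logins: int = 0
    suspended: bool = False


def record_failed_login(account: Account, policy: LockoutPolicy) -> Account:
    """Increment the counter, then run the suspension check on the new value."""
    if account.suspended:
        return account
    account.failed_logins += 1
    if policy.should_suspend(account.failed_logins):
        account.suspended = True
    return account


def failures_until_suspended(policy: LockoutPolicy) -> int:
    """Simulate failed logins until suspension and return how many were needed."""
    account = Account()
    while not account.suspended:
        record_failed_login(account, policy)
    return account.failed_logins


if __name__ == "__main__":
    # With maxAuthenticationAttempts = 3 the strict check needs 4 failures,
    # the inclusive check needs 3, matching the sequence in the mail.
    for inclusive in (False, True):
        policy = LockoutPolicy(max_authentication_attempts=3, inclusive=inclusive)
        print("check", ">=" if inclusive else ">", "-> suspended after",
              failures_until_suspended(policy), "failed logins")
```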