https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314
--- Comment #6 from Jonathan Druart <jonathan.dru...@bugs.koha-community.org> ---

Created attachment 61632
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61632&action=edit

Bug 18314: Account lockout

To prevent brute force attacks on Koha accounts, staff and opac, we need to implement an account lockout process to Koha. After a number of failed login attempts a user's account would become locked. The user would then need to use the reset password functionality to send a reset token to their email account. After a successful password reset the lockout flag would be removed.

The number of failed login attempts before lockout is configurable using a new system preference 'FailedLoginAttempts'.

How does it work?

When a patron enters an invalid password, the borrowers.login_attempts value for this patron is incremented. When this value reaches the value of the pref FailedLoginAttempts, the password comparison is not done and the authentication is rejected. This login_attempts field is reset when a patron correctly logs in.

When the account is locked the patron has to reset his/her password using the OpacResetPassword feature or ask a staff member to generate a new password.

If the pref is not set (0, or '') the feature is considered disabled, but the failed login attempts are stored anyway.

Test plan:
0/ Apply patch and execute the update DB entry
1/ Switch on the feature by setting FailedLoginAttempts to 3
2/ Use an invalid password to login at the staff or OPAC interface
3/ After the third consecutive failure, you will be asked to reset your password if OpacResetPassword is set, or contact a staff member
4/ Switch on OpacResetPassword and reset your password
5/ Confirm that you are able to login
6/ Play with the different combinations

QA details:
The trick happens in C4::Auth::checkpw, to make things clear I had to create a return value (note the awesome name: @return) and replace the 3 successive if statements with elsif.
Indeed if one of the conditions is reached, it will return inside the given block.
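The lockout flow described in the comment, as an added illustration that is not Koha's code (Koha implements it in Perl inside C4::Auth::checkpw): a per-patron login_attempts counter that is incremented on a bad password, compared against the FailedLoginAttempts preference before any password check so that a locked account is rejected outright, reset on a successful login, and cleared again by a password reset. The Patron class, the check_password and reset_password functions, and the PBKDF2 hashing are assumptions made for this example; Koha's real password storage and names are not reproduced.

```python
"""Added example of the account-lockout logic from Bug 18314 (not Koha's code).

Assumed names: Patron, check_password, reset_password, lockout_enabled.
Password hashing uses PBKDF2 here purely so the example runs stand-alone.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed scheme for the example; Koha's actual hashing is different.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Patron:
    userid: str
    salt: bytes
    pw_hash: bytes
    login_attempts: int = 0  # mirrors the borrowers.login_attempts column

    @classmethod
    def create(cls, userid: str, password: str) -> "Patron":
        salt = os.urandom(16)
        return cls(userid, salt, _hash(password, salt))


def lockout_enabled(failed_login_attempts) -> bool:
    """A FailedLoginAttempts value of 0, '' or None disables the lockout."""
    if failed_login_attempts in (None, ""):
        return False
    return int(failed_login_attempts) > 0


def check_password(patron: Patron, password: str, failed_login_attempts) -> str:
    """Return 'locked', 'ok' or 'invalid' for one login attempt.

    Order matters: a locked account is rejected *before* the password is
    compared, so a correct password does not unlock it. Failed attempts are
    counted even when the preference is unset, as the comment describes.
    """
    if lockout_enabled(failed_login_attempts) and \
            patron.login_attempts >= int(failed_login_attempts):
        return "locked"
    if hmac.compare_digest(_hash(password, patron.salt), patron.pw_hash):
        patron.login_attempts = 0  # successful login resets the counter
        return "ok"
    patron.login_attempts += 1
    return "invalid"


def reset_password(patron: Patron, new_password: str) -> None:
    """A password reset (OpacResetPassword or a staff member) clears the lock."""
    patron.salt = os.urandom(16)
    patron.pw_hash = _hash(new_password, patron.salt)
    patron.login_attempts = 0


def demo(threshold=3) -> list:
    """Walk through the test plan: three failures, a lockout, a reset, a login."""
    p = Patron.create("alice", "correct-horse")  # constructed sample patron
    results = [check_password(p, "wrong", threshold) for _ in range(3)]
    # Even the right password is rejected once the account is locked.
    results.append(check_password(p, "correct-horse", threshold))
    reset_password(p, "new-pass")
    results.append(check_password(p, "new-pass", threshold))
    return results


if __name__ == "__main__":
    print(demo())  # ['invalid', 'invalid', 'invalid', 'locked', 'ok']
```

With FailedLoginAttempts set to 0 or '' the same function never returns 'locked', but login_attempts still grows, which is the "stored anyway" behaviour the comment describes and is useful for later reporting.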