This is a bit trickier than it sounds, not from a programming perspective, but from a usability perspective---you also want to make sure that no one can launch a denial of service attack by locking someone out of an account. Think about things like:
- having the lockout time be limited
- just locking out a specific IP for a while
- simply adding a captcha after two failures in a row

I'm planning on integrating support for YubiKey soon. That should help a lot with password problems. :)

Another super useful thing to do is to tell the user:
- when they last logged in and from where
- how many failed login attempts have happened since then and from where

Then you can be alert to potential problems.

On Dec 25, 11:31 am, Christopher Arndt <[email protected]> wrote:
> Nicolas R. wrote:
>
> > at first, Merry Christmas to all!
>
> Same to you!
>
> > I am looking for a way to disable a user after 10 failed login attempts.
> > I am currently using the default login mechanism provided by turbogears.
> > Is there a possibility to just activate this option or some kind of a
> > plugin? Or do I have to write the whole login procedure new?
>
> I'm assuming you talk about TG 1.x. No, there is no built-in
> functionality for this. You have to write your own identity provider
> subclass, which overwrites the validate_password method.
>
> Chris
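
An added example, not code from this thread or from TurboGears: a throttle keyed on (user, IP) that combines the time-limited lockout, the captcha after two failures, and the last-login report suggested above. The threshold of 10 comes from the original question; the 15-minute window and every name here are assumptions, and the methods are meant to be called from whatever password check the application uses, such as the validate_password override Chris mentions.

```python
import time
from collections import defaultdict

CAPTCHA_AFTER = 2        # failures in a row before a captcha is required
LOCK_AFTER = 10          # failures before lockout (figure from the question)
LOCK_SECONDS = 15 * 60   # assumed lockout window

class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)          # (user, ip) -> timestamps
        self.since_last_login = defaultdict(list)  # user -> [(timestamp, ip)]
        self.last_login = {}                       # user -> (timestamp, ip)

    def status(self, user, ip):
        """Return 'locked', 'captcha' or 'ok' for this user/IP pair."""
        now = self.clock()
        # Failures older than the window no longer count, so a lock expires
        # on its own and nobody stays locked out indefinitely.
        recent = [t for t in self.failures[(user, ip)] if now - t < LOCK_SECONDS]
        self.failures[(user, ip)] = recent
        if len(recent) >= LOCK_AFTER:
            return "locked"
        if len(recent) >= CAPTCHA_AFTER:
            return "captcha"
        return "ok"

    def record_failure(self, user, ip):
        # Keyed on the pair: failures from one address do not lock the
        # account for the legitimate user connecting from another.
        now = self.clock()
        self.failures[(user, ip)].append(now)
        self.since_last_login[user].append((now, ip))

    def record_success(self, user, ip):
        """Reset counters and return the report to show the user."""
        report = {
            "last_login": self.last_login.get(user),
            "failed_since": self.since_last_login.pop(user, []),
        }
        self.failures.pop((user, ip), None)
        self.last_login[user] = (self.clock(), ip)
        return report
```

Call `status()` before checking the password and skip the check entirely when it returns `'locked'`, so attempts made during a lock do not extend it.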

