> Betreff: [Zope-dev] z3c.password and "failedAttempts"
> I'm looking into integrating z3c.password into an application
> that also uses the PAU with the principal folder,
> InternalPrincipals and the SessionCredentialsPlugin.
> One of the features of z3c.password that I'd like to use is
> locking out an user account after a number of failed login attempts.
> z3c.password provides such a feature.
> However, it seems this feature does not play well with the
> The SessionCredentials will store the login and password that
> were submitted through the login form in a session. This
> login/password combination then is checked against the
> internal principal stored in the principal folder.
> If the password is correct then (obviously) everything is fine.
> When the password is incorrect, the user is directed back to
> the login form as authentication failed. If the page with the
> login form retrieves resources (like images or css of
> authenticate every request, the wrongful login/password
> combination is checked multiple times for that page and its
> resources against the internal principal object.
> The internal principal mixin of z3c.password will count the
> number of failed checks. If you tell it to lock out an user
> after, say, three failed attempts, you have a problem, as the
> number of login page resources (thus requests) will quite
> easily outnumber the maximum number of attempts.
> Questions: is anyone using this feature of z3c.password in
> combination with the SessionCredentialsPlugin? If this is
> working for you, do you have any idea what I am doing wrong
> here? What type of authentication are the authors of
> z3c.password using?
Probably Adam can tell you more about that.
One solution could be to offload your resources and
deliver them from Apache or Nginx Frontend.
> Thanks for any insight here.
> Zope-Dev maillist - Zope-Dev@zope.org
> ** No cross posts or HTML encoding! ** (Related lists -
> https://mail.zope.org/mailman/listinfo/zope )
Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists -