Hi Jan

> Subject: [Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin
>
> Hi,
>
> I'm looking into integrating z3c.password into an application
> that also uses the PAU with the principal folder,
> InternalPrincipals and the SessionCredentialsPlugin.
>
> One of the features of z3c.password that I'd like to use is
> locking out a user account after a number of failed login attempts.
> z3c.password provides such a feature.
>
> However, it seems this feature does not play well with the
> SessionCredentialsPlugin:
>
> The SessionCredentials will store the login and password that
> were submitted through the login form in a session. This
> login/password combination then is checked against the
> internal principal stored in the principal folder.
>
> If the password is correct then (obviously) everything is fine.
>
> When the password is incorrect, the user is directed back to
> the login form as authentication failed. If the page with the
> login form retrieves resources (like images or css or
> javascript files), and since the zopepublication will _try_ to
> authenticate every request, the wrongful login/password
> combination is checked multiple times for that page and its
> resources against the internal principal object.
>
> The internal principal mixin of z3c.password will count the
> number of failed checks. If you tell it to lock out a user
> after, say, three failed attempts, you have a problem, as the
> number of login page resources (thus requests) will quite
> easily outnumber the maximum number of attempts.
>
> Questions: is anyone using this feature of z3c.password in
> combination with the SessionCredentialsPlugin? If this is
> working for you, do you have any idea what I am doing wrong
> here? What type of authentication are the authors of
> z3c.password using?

Probably Adam can tell you more about that. One solution could be to offload your resources and deliver them from an Apache or Nginx frontend.

Regards
Roger Ineichen

> Thanks for any insight here.
> regards,
> jw
>
> _______________________________________________
> Zope-Dev maillist - [email protected]
> https://mail.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope )
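The interaction described in the thread, as an added simulation that is not code from z3c.password, zope.pluggableauth or either poster. The class names (Principal, SessionCredentials, Request, authenticate) are hypothetical stand-ins for the real plugins, the list of login page resources is constructed, and the two mitigations it compares are assumptions about possible fixes: keeping static files on an Apache/Nginx frontend so those requests never reach Zope (Roger's suggestion), and forgetting the rejected session credentials after a failed check, which neither library is claimed to do.

```python
"""Simulate a session credentials plugin replaying one wrong login on every
request while the principal counts failed checks and locks after a threshold.
Added example; names and behaviour are assumptions, not library code."""
from dataclasses import dataclass, field
from hmac import compare_digest

MAX_FAILED_ATTEMPTS = 3  # lock the account after this many failed checks

# Constructed: requests a browser makes when the login form is re-rendered.
LOGIN_PAGE_RESOURCES = ["/login", "/css/site.css", "/js/app.js",
                        "/img/logo.png", "/img/bg.png"]
STATIC_EXTENSIONS = ("css", "js", "png")


@dataclass
class Principal:
    """Stand-in for an internal principal with failed-attempt counting."""
    login: str
    password: str
    failed_attempts: int = 0

    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS

    def check_password(self, candidate: str) -> bool:
        # A locked account rejects everything and stops counting.
        if self.locked():
            return False
        if compare_digest(candidate.encode(), self.password.encode()):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


@dataclass
class Request:
    path: str
    form: dict = field(default_factory=dict)


class SessionCredentials:
    """Stand-in for a session credentials plugin (hypothetical API).

    A login/password pair posted through the form is stored in the session
    and handed back on every later request, which causes the repeated checks.
    """

    def __init__(self, clear_on_failure: bool = False):
        self.clear_on_failure = clear_on_failure

    def extract(self, session: dict, request: Request):
        if "login" in request.form:
            session["creds"] = (request.form["login"], request.form["password"])
        return session.get("creds")

    def check_failed(self, session: dict) -> None:
        # Mitigation (assumption): forget the rejected pair so the requests
        # for the page's resources are anonymous instead of replays.
        if self.clear_on_failure:
            session.pop("creds", None)


def authenticate(plugin: SessionCredentials, principals: dict,
                 session: dict, request: Request):
    """What the publication does for every request: extract, look up, verify."""
    creds = plugin.extract(session, request)
    if creds is None:
        return None
    principal = principals.get(creds[0])
    if principal is not None and principal.check_password(creds[1]):
        return principal
    plugin.check_failed(session)
    return None


def simulate_failed_login(resources, clear_on_failure=False,
                          frontend_serves_static=False):
    """Return (failed_attempts, locked) after one wrong form submission
    followed by the requests for the re-rendered login page and its resources."""
    principal = Principal("jw", "correct-horse")
    principals = {"jw": principal}
    plugin = SessionCredentials(clear_on_failure)
    session = {}

    requests = [Request("/login", form={"login": "jw", "password": "wrong"})]
    for path in resources:
        # Static files served by Apache/Nginx never reach Zope at all.
        if frontend_serves_static and path.rsplit(".", 1)[-1] in STATIC_EXTENSIONS:
            continue
        requests.append(Request(path))

    for request in requests:
        authenticate(plugin, principals, session, request)
    return principal.failed_attempts, principal.locked()


if __name__ == "__main__":
    print("as described:      ", simulate_failed_login(LOGIN_PAGE_RESOURCES))
    print("static on frontend:", simulate_failed_login(LOGIN_PAGE_RESOURCES,
                                                        frontend_serves_static=True))
    print("clear on failure:  ", simulate_failed_login(LOGIN_PAGE_RESOURCES,
                                                        clear_on_failure=True))
```

With the resources served by Zope, one wrong password locks the account before the login page has finished loading: the POST, the re-rendered page and the first stylesheet each count as a failure. Moving static files to the frontend removes most of the replays, but the request that renders the login page itself still re-checks the stale pair, so one bad submission still costs two attempts; dropping the credentials from the session after the failed check brings it back to one.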
