"Roger" <d...@projekt01.ch> wrote:
>> Betreff: [Zope-dev] z3c.password and "failedAttempts" 
>> andSessionCredentialsPlugin
>> I'm looking into integrating z3c.password into an application 
>> that also uses the PAU with the principal folder, 
>> InternalPrincipals and the SessionCredentialsPlugin.
>> One of the features of z3c.password that I'd like to use is 
>> locking out an user account after a number of failed login attempts. 
>> z3c.password provides such a feature.
>> However, it seems this feature does not play well with the
>> SessionCredentialsPlugin:
>> The SessionCredentials will store the login and password that 
>> were submitted through the login form in a session. This 
>> login/password combination then is checked against the 
>> internal principal stored in the principal folder.
>> If the password is correct then (obviously) everything is fine.
>> When the password is incorrect, the user is directed back to 
>> the login form as authentication failed. If the page with the 
>> login form retrieves resources (like images or css of 
>> javascript files) and since the zopepublication will _try_ to 
>> authenticate every request, the wrongful login/password 
>> combination is checked multiple times for that page and its 
>> resources against the internal principal object.
>> The internal principal mixin of z3c.password will count the 
>> number of failed checks. If you tell it to lock out an user 
>> after, say, three failed attempts, you have a problem, as the 
>> number of login page resources (thus requests) will quite 
>> easily outnumber the maximum number of attempts.
>> Questions: is anyone using this feature of z3c.password in 
>> combination with the SessionCredentialsPlugin? If this is 
>> working for you, do you have any idea what I am doing wrong 
>> here? What type of authentication are the authors of 
>> z3c.password using?
> Probably Adam can tell you more about that.

I hope so :-) At this point I do not see how this feature can work except 
with PAU's BasicAuth - or in tests, where the page's resources generally 
are not fetched and this the problem is not exposed...

> One solution could be to offload your resources and 
> deliver them from Apache or Nginx Frontend.

This might work for generic resources in a page, but not for, for 
example, images in the page or something that needed computation. It 
would essentially only counter the symptoms.

Thanks you for your reply.


Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope )

Reply via email to