"Roger" <[email protected]> wrote: >> Betreff: [Zope-dev] z3c.password and "failedAttempts" >> andSessionCredentialsPlugin >> >> I'm looking into integrating z3c.password into an application >> that also uses the PAU with the principal folder, >> InternalPrincipals and the SessionCredentialsPlugin. >> >> One of the features of z3c.password that I'd like to use is >> locking out an user account after a number of failed login attempts. >> z3c.password provides such a feature. >> >> However, it seems this feature does not play well with the >> SessionCredentialsPlugin: >> >> The SessionCredentials will store the login and password that >> were submitted through the login form in a session. This >> login/password combination then is checked against the >> internal principal stored in the principal folder. >> >> If the password is correct then (obviously) everything is fine. >> >> When the password is incorrect, the user is directed back to >> the login form as authentication failed. If the page with the >> login form retrieves resources (like images or css of >> javascript files) and since the zopepublication will _try_ to >> authenticate every request, the wrongful login/password >> combination is checked multiple times for that page and its >> resources against the internal principal object. >> >> The internal principal mixin of z3c.password will count the >> number of failed checks. If you tell it to lock out an user >> after, say, three failed attempts, you have a problem, as the >> number of login page resources (thus requests) will quite >> easily outnumber the maximum number of attempts. >> >> Questions: is anyone using this feature of z3c.password in >> combination with the SessionCredentialsPlugin? If this is >> working for you, do you have any idea what I am doing wrong >> here? What type of authentication are the authors of >> z3c.password using? > > Probably Adam can tell you more about that.
I hope so :-) At this point I do not see how this feature can work except with PAU's BasicAuth - or in tests, where the page's resources generally are not fetched and this the problem is not exposed... > One solution could be to offload your resources and > deliver them from Apache or Nginx Frontend. This might work for generic resources in a page, but not for, for example, images in the page or something that needed computation. It would essentially only counter the symptoms. Thanks you for your reply. regards, jw _______________________________________________ Zope-Dev maillist - [email protected] https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
