"Roger" <d...@projekt01.ch> wrote:
>> Betreff: [Zope-dev] z3c.password and "failedAttempts"
>> I'm looking into integrating z3c.password into an application
>> that also uses the PAU with the principal folder,
>> InternalPrincipals and the SessionCredentialsPlugin.
>> One of the features of z3c.password that I'd like to use is
>> locking out an user account after a number of failed login attempts.
>> z3c.password provides such a feature.
>> However, it seems this feature does not play well with the
>> The SessionCredentials will store the login and password that
>> were submitted through the login form in a session. This
>> login/password combination then is checked against the
>> internal principal stored in the principal folder.
>> If the password is correct then (obviously) everything is fine.
>> When the password is incorrect, the user is directed back to
>> the login form as authentication failed. If the page with the
>> login form retrieves resources (like images or css of
>> authenticate every request, the wrongful login/password
>> combination is checked multiple times for that page and its
>> resources against the internal principal object.
>> The internal principal mixin of z3c.password will count the
>> number of failed checks. If you tell it to lock out an user
>> after, say, three failed attempts, you have a problem, as the
>> number of login page resources (thus requests) will quite
>> easily outnumber the maximum number of attempts.
>> Questions: is anyone using this feature of z3c.password in
>> combination with the SessionCredentialsPlugin? If this is
>> working for you, do you have any idea what I am doing wrong
>> here? What type of authentication are the authors of
>> z3c.password using?
> Probably Adam can tell you more about that.
I hope so :-) At this point I do not see how this feature can work except
with PAU's BasicAuth - or in tests, where the page's resources generally
are not fetched and this the problem is not exposed...
> One solution could be to offload your resources and
> deliver them from Apache or Nginx Frontend.
This might work for generic resources in a page, but not for, for
example, images in the page or something that needed computation. It
would essentially only counter the symptoms.
Thanks you for your reply.
Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists -