Adam GROSZER <agros...@gmail.com> wrote:
Thank you for your reply!
> Right. Well right now the lame solution is to try to count the number
> of resources needed to load the page and multiply maxFailedAttempts by
> that number.
> Other than that you _will_ want to offload resources in production.
Oh, sure, in _production_ I will. But what about testing and development? And
counting the number of resources is highly unpredictable - esp. as I'm working
on applications that can be easily skinned for different clients.
> (Another idea could be to try to identify requests that are not for
> resources, but how?)
There's no real way as far as I can tell :|
Even worse, if Zope were to handle one or more login page requisites, you can
easily get database write conflicts as multiple "simultaneous" requests will
try to increase the failed login attempts counter on the internal principal object.
Can I conclude this particular feature of z3c.password is not really in use by
anyone else (at least not in combination with the SessionCredentialsPlugin)?
> Tuesday, January 19, 2010, 12:16:38 AM, you wrote:
>>> Betreff: [Zope-dev] z3c.password and "failedAttempts"
>>> I'm looking into integrating z3c.password into an application
>>> that also uses the PAU with the principal folder,
>>> InternalPrincipals and the SessionCredentialsPlugin.
>>> One of the features of z3c.password that I'd like to use is
>>> locking out a user account after a number of failed login attempts.
>>> z3c.password provides such a feature.
>>> However, it seems this feature does not play well with the
>>> The SessionCredentials will store the login and password that
>>> were submitted through the login form in a session. This
>>> login/password combination then is checked against the
>>> internal principal stored in the principal folder.
>>> If the password is correct then (obviously) everything is fine.
>>> When the password is incorrect, the user is directed back to
>>> the login form as authentication failed. If the page with the
>>> login form retrieves resources (like images or css of
>>> authenticate every request, the wrongful login/password
>>> combination is checked multiple times for that page and its
>>> resources against the internal principal object.
>>> The internal principal mixin of z3c.password will count the
>>> number of failed checks. If you tell it to lock out a user
>>> after, say, three failed attempts, you have a problem, as the
>>> number of login page resources (thus requests) will quite
>>> easily outnumber the maximum number of attempts.
>>> Questions: is anyone using this feature of z3c.password in
>>> combination with the SessionCredentialsPlugin? If this is
>>> working for you, do you have any idea what I am doing wrong
>>> here? What type of authentication are the authors of
>>> z3c.password using?
> R> Probably Adam can tell you more about that.
> R> One solution could be to offload your resources and
> R> deliver them from Apache or Nginx Frontend.
> R> Regards
> R> Roger Ineichen
>>> Thanks for any insight here.
>>> Zope-Dev maillist - Zope-Dev@zope.org
>>> ** No cross posts or HTML encoding! ** (Related lists -
>>> https://mail.zope.org/mailman/listinfo/zope )
> Best regards,
> Adam GROSZER mailto:agros...@gmail.com
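The lockout problem discussed in this thread, modelled in Python as an added example (not z3c.password's or Zope's own code), together with one mitigation: count each submitted login/password pair once per session instead of once per request. The class and function names are invented for the example.

```python
# Added example, not z3c.password's or Zope's own code: a model of the lockout
# problem from this thread. The session credentials plugin re-checks the
# login/password stored in the session on every request, including requests
# for the login page's images and CSS, so one wrong submission is counted once
# per request. The mitigation counts each submitted pair once per session.


class Principal:
    """Stand-in for an internal principal with a failed-attempts counter."""

    def __init__(self, login, password, max_failed_attempts=3):
        self.login = login
        self.password = password
        self.max_failed_attempts = max_failed_attempts
        self.failed_attempts = 0

    def locked(self):
        return self.failed_attempts >= self.max_failed_attempts

    def check_password(self, password):
        if self.locked():
            return False  # a locked account rejects without counting further
        if password == self.password:
            self.failed_attempts = 0  # a successful login resets the counter
            return True
        self.failed_attempts += 1
        return False


def authenticate(principal, session, count_once_per_submission):
    """Authenticate one request from the credentials stored in the session."""
    creds = (session["login"], session["password"])
    if principal.login != creds[0]:
        return False
    if count_once_per_submission and session.get("rejected") == creds:
        return False  # this submission was already counted; do not count again
    ok = principal.check_password(creds[1])
    if not ok and count_once_per_submission:
        session["rejected"] = creds  # remember the pair that has been counted
    return ok


def load_login_page(principal, session, resources, count_once_per_submission):
    """Simulate loading the login page plus `resources` images/CSS files, each
    a separate request authenticated from the session; return the principal's
    failed-attempt count afterwards."""
    for _ in range(1 + resources):
        authenticate(principal, session, count_once_per_submission)
    return principal.failed_attempts
```

With a limit of three attempts and a login page that pulls five resources, per-request counting locks the account on a single wrong submission, while the per-submission variant records exactly one failed attempt.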