Thinking this further, resource requests will have a '/@@/' (usually)
in their URL. So it might be an idea to skip those requests from
Tuesday, January 19, 2010, 10:43:43 AM, you wrote:
JWK> Adam GROSZER <agros...@gmail.com> wrote:
JWK> Thank you for your reply!
>> Right. Well right now the lame solution is to try to count the number
>> of resources needed to load the page and multiply maxFailedAttempts by
>> that number.
>> Other than that you _will_ want to offload resources in production.
JWK> Oh, sure, in _production_ I will. But what about testing and development?
JWK> Counting the number of resources is highly unpredictable - esp. as I'm
JWK> on applications that can be easily skinned for different clients.
>> (Another idea could be to try to identify requests that are not for
>> resources, but how?)
JWK> There's no real way as far as I can tell :|
JWK> Even worse, if Zope were to handle one or more login page requisites, you
JWK> easily get database write conflicts as multiple "simultaneous" requests
JWK> to increase the failed login attempts counter on the internal principal
JWK> Can I conclude this particular feature of z3c.password is not really in
JWK> anyone else (at least not in combination with the
>> Tuesday, January 19, 2010, 12:16:38 AM, you wrote:
>>>> Betreff: [Zope-dev] z3c.password and "failedAttempts"
>>>> I'm looking into integrating z3c.password into an application
>>>> that also uses the PAU with the principal folder,
>>>> InternalPrincipals and the SessionCredentialsPlugin.
>>>> One of the features of z3c.password that I'd like to use is
>>>> locking out a user account after a number of failed login attempts.
>>>> z3c.password provides such a feature.
>>>> However, it seems this feature does not play well with the
>>>> The SessionCredentials will store the login and password that
>>>> were submitted through the login form in a session. This
>>>> login/password combination then is checked against the
>>>> internal principal stored in the principal folder.
>>>> If the password is correct then (obviously) everything is fine.
>>>> When the password is incorrect, the user is directed back to
>>>> the login form as authentication failed. If the page with the
>>>> login form retrieves resources (like images or css of
>>>> authenticate every request, the wrongful login/password
>>>> combination is checked multiple times for that page and its
>>>> resources against the internal principal object.
>>>> The internal principal mixin of z3c.password will count the
>>>> number of failed checks. If you tell it to lock out a user
>>>> after, say, three failed attempts, you have a problem, as the
>>>> number of login page resources (thus requests) will quite
>>>> easily outnumber the maximum number of attempts.
>>>> Questions: is anyone using this feature of z3c.password in
>>>> combination with the SessionCredentialsPlugin? If this is
>>>> working for you, do you have any idea what I am doing wrong
>>>> here? What type of authentication are the authors of
>>>> z3c.password using?
>> R> Probably Adam can tell you more about that.
>> R> One solution could be to offload your resources and
>> R> deliver them from Apache or Nginx Frontend.
>> R> Regards
>> R> Roger Ineichen
>>>> Thanks for any insight here.
>>>> Zope-Dev maillist - Zope-Dev@zope.org
>>>> ** No cross posts or HTML encoding! ** (Related lists -
>>>> https://mail.zope.org/mailman/listinfo/zope )
>> Best regards,
>> Adam GROSZER mailto:agros...@gmail.com
Adam GROSZER mailto:agros...@gmail.com
Quote of the day:
Words are the voice of the heart.
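As an added illustration (not code from the thread, from z3c.password, or from zope.app.authentication), the Python sketch below replays the situation the original poster describes: the session credentials plugin re-presents the same wrong login/password on every request, so the login page and each of its resources each count as a failed attempt, and a limit of three is exhausted by a single form submission. It also applies the '/@@/' filter Adam proposes to skip resource requests. The class and function names, the request list and the lockout behaviour are constructed assumptions for the demonstration.

```python
"""Simulation of per-request failed-attempt counting with stale session
credentials. Constructed example; the names below are not the real
z3c.password / PAU API."""
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold, as in the thread


@dataclass
class InternalPrincipal:
    """Stand-in for a principal-folder entry with a failed-attempts counter."""
    login: str
    password: str
    failed_attempts: int = 0

    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS

    def check_password(self, candidate: str) -> bool:
        """Every wrong password presented to the principal counts once."""
        if self.locked():
            return False
        if candidate == self.password:
            self.failed_attempts = 0  # successful login resets the counter
            return True
        self.failed_attempts += 1
        return False


def is_resource_request(path: str) -> bool:
    """Heuristic from the thread: resource URLs usually contain '/@@/'.
    Note that a view such as '/@@loginForm.html' does not match."""
    return "/@@/" in path


def count_resource_requests(requests) -> int:
    return sum(1 for path in requests if is_resource_request(path))


def simulate(requests, principal, skip_resources=False):
    """Replay requests while the session still holds a wrong password.

    Returns (locked_out, number_of_password_checks_performed)."""
    checks = 0
    for path in requests:
        if skip_resources and is_resource_request(path):
            continue  # do not re-authenticate resource requests at all
        checks += 1
        principal.check_password("wrong-password")
    return principal.locked(), checks


# Constructed request log: one failed form POST, then the redirect back to
# the login form plus the three resources that page references.
REQUESTS = [
    "/app/@@loginForm.html",       # the form submission with a wrong password
    "/app/@@loginForm.html",       # redirected back to the login form
    "/app/@@/site-css/style.css",
    "/app/@@/logo.png",
    "/app/@@/background.png",
]

if __name__ == "__main__":
    print("resources on the page:", count_resource_requests(REQUESTS))
    print("counting every request:",
          simulate(REQUESTS, InternalPrincipal("alice", "secret")))
    print("skipping /@@/ requests:",
          simulate(REQUESTS, InternalPrincipal("alice", "secret"),
                   skip_resources=True))
```

Without the filter, five password checks are made and the account is locked after the third, even though the user submitted a wrong password only once; with the filter, only the two page requests are checked. The simulation is sequential, so it does not reproduce the ZODB write conflicts the thread mentions when a browser fetches those resources concurrently, and the '/@@/' heuristic only helps while resources are served by Zope itself, which is why offloading them to a front-end server remains the production answer.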