On Jan 11, 2006, at 17:37, Tino Wildenhain wrote:
> Håkan Johansson wrote:
> > I want to be able to block a user from logging in if he fails to give
> > the right login/password three times in a row. The problem is that I
> > don't know how to do this.
>
> Because it isn't really possible/practicable at all with HTTP.
>
> > First, I need to know if an attempt failed. This, I have no idea how
> > Second, I need to block the user without deleting him. One problem
> > here is that the user can write different login names for the
> > different login attempts. We have been thinking about blocking the
> > offender's IP for 30 minutes or so and leave it at that. It seems to
> > me that SiteAccess.AccessRule could be used for that, but I haven't
> > looked much into it yet. The documentation is extremely light.
>
> And if the offender uses a proxy where your true user is also coming
>
> > I have a very clean Zope 2.8.4 installation on a SuSE Linux machine.
> > Logins are handled in the standard Zope way, nothing special added.
> > The Zope is running as a standalone server, i.e. no Apache at all.
> > Another thing: How do I get Zope to log failed authentication
> > attempts? Neither event.log nor Z2.log shows anything. As Z2.log is
> > the access log, I would have guessed that such things should be
> > logged there. If not, where and how?
>
> You could "log" the Unauthorized - but this does not really help.
> You better use one of the pluggable auth folders (PAS, exUserFolder)
> and bend them to your needs - maybe with a small memory pool for the
> counter/queue of failed login attempts.

I think I have found a solution. I will try to subclass UserFolder and
override the authenticate method. If a user is not "blocked" from
failing three times in a row, the original method is called to do the
Thanks for the help.
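
An added illustration, not part of the thread and not Zope's own code: a minimal in-memory counter of the kind discussed above (three failures in a row, a 30-minute block), tracked per IP and per login name. `FailedLoginTracker`, `guarded_authenticate` and the `authenticate` callable are hypothetical names; wiring this into a user folder's authenticate method is left as an assumption.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3         # "three times in a row"
BLOCK_SECONDS = 30 * 60  # "30 minutes or so"

class FailedLoginTracker:
    """In-memory pool of consecutive failed logins per key (IP or login name)."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so the block time can be tested
        self.failures = defaultdict(int)   # key -> failures in a row
        self.blocked_until = {}            # key -> timestamp when the block ends

    def is_blocked(self, key):
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:          # block expired: forget the key entirely
            del self.blocked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record(self, key, success):
        if success:                        # a good login ends the "in a row" streak
            self.failures.pop(key, None)
            return
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.blocked_until[key] = self.clock() + BLOCK_SECONDS

def guarded_authenticate(tracker, authenticate, name, password, ip):
    """Call authenticate(name, password) only if neither the IP nor the login is blocked.

    `authenticate` is a hypothetical callable returning a user object or None.
    """
    keys = [("ip", ip), ("login", name)]   # IP key catches attempts that rotate login names
    if any(tracker.is_blocked(k) for k in keys):
        return None                        # refuse without checking the password
    user = authenticate(name, password)
    for k in keys:
        tracker.record(k, user is not None)
    return user
```

The IP key blocks every client behind a shared proxy along with the offender, which is the trade-off raised in the reply above. Counters live in process memory, so a restart clears all blocks and entries that never reach the threshold stay until a successful login.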