XWiki Platform: XWIKI-16762

Add a lifespan to the authentication failures data

Details

• Type: Improvement
• Status: Open
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 11.6-rc-1
• Fix Version/s: None
• Component/s: Security
• Labels: None
• Difficulty: Unknown

Description

Currently the data are never removed in case of authentication failure, except when the user managed to log in.

It means that by default, if a user makes 3 mistakes in his password in less than 5 minutes and tries several hours later to authenticate again, he'll still have to enter a CAPTCHA.

This looks a bit counter-productive, and can even be a problem in case of a misconfigured component (cf. https://forum.xwiki.org/t/captcha-not-being-displayed/5546/3).

I propose to define a configurable lifespan for those data, and to only consider the threshold reached in the given lifespan.
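To make the proposal concrete, here is an added example (not XWiki code, and not the reporter's) of a per-user failure tracker in which each failure is remembered only for a configurable lifespan. The class name, method names and the 600-second lifespan are assumptions chosen for illustration; the "3 failures in 5 minutes" threshold comes from the description. Passing `lifespan_seconds=None` reproduces the current behaviour (failures are cleared only by a successful login), so the two cases can be compared side by side.

```python
"""Sliding-window login failure tracker with a configurable lifespan.

Hypothetical illustration of the behaviour discussed in XWIKI-16762; not XWiki code.
Timestamps (seconds) are passed in by the caller so the logic is deterministic.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class AuthFailureTracker:
    """Tracks failed logins per user and decides when a CAPTCHA is required.

    max_attempts / window_seconds: the threshold ("3 failures in 5 minutes").
    lifespan_seconds: how long a failure is remembered at all. None reproduces
    the behaviour the issue describes today: failures are only ever cleared by
    a successful login, so the threshold stays reached indefinitely.
    """

    def __init__(self, max_attempts: int = 3, window_seconds: float = 300,
                 lifespan_seconds: Optional[float] = None) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lifespan = lifespan_seconds
        # user -> timestamps of remembered failures, oldest first
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, user: str, now: float) -> Deque[float]:
        """Drop failures older than the lifespan (no-op when lifespan is None)."""
        failures = self._failures[user]
        if self.lifespan is not None:
            while failures and now - failures[0] > self.lifespan:
                failures.popleft()
        return failures

    def record_failure(self, user: str, now: float) -> None:
        """Remember one failed authentication attempt at time `now`."""
        self._prune(user, now).append(now)

    def reset(self, user: str) -> None:
        """Called on successful login: forget the user's failure history."""
        self._failures.pop(user, None)

    def remembered_failures(self, user: str, now: float) -> int:
        """Number of failures still within the lifespan at time `now`."""
        return len(self._prune(user, now))

    def captcha_required(self, user: str, now: float) -> bool:
        """True if any `max_attempts` consecutive remembered failures fall within the window."""
        failures = list(self._prune(user, now))
        n = self.max_attempts
        return any(failures[i + n - 1] - failures[i] <= self.window
                   for i in range(len(failures) - n + 1))


def demo() -> Dict[str, bool]:
    """Constructed scenario from the issue: 3 failures within 2 minutes, retry 7 hours later.

    Returns whether a CAPTCHA is still demanded at the retry, without and with a lifespan.
    """
    results: Dict[str, bool] = {}
    for name, lifespan in (("current", None), ("with_lifespan", 600)):
        tracker = AuthFailureTracker(lifespan_seconds=lifespan)
        for t in (0, 60, 120):
            tracker.record_failure("alice", t)
        results[name] = tracker.captcha_required("alice", 7 * 3600)
    return results


if __name__ == "__main__":
    print(demo())  # {'current': True, 'with_lifespan': False}
```

The pruning happens lazily on every read and write, so no background job is needed; the trade-off is that a user who never returns keeps a few timestamps in memory until the next touch, which is why a real implementation would also want a periodic sweep or a bounded per-user deque.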


People

• Assignee: Unassigned
• Reporter: Simon Urli (surli)
• Votes: 0
• Watchers: 1