Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-16762

Add a lifespan to the authentication failures data

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Unresolved
    • Major
    • None
    • 11.6-rc-1
    • Security
    • None
    • Unknown

    Description

      Currently the data are never removed in case of authentication failure, except when the user managed to login.

      It means that by default if a user makes 3 mistakes in his password in less that 5 minutes and tries several hours later to authenticate again, he'll still have to enter a CAPTCHA.

      This looks a bit counter-productive, and can even be a problem in case of misconfigured component (cf https://forum.xwiki.org/t/captcha-not-being-displayed/5546/3)

      I propose to define a configurable lifespan for those data, and to only consider the threshold reached in the given lifespan.

      Attachments

        Issue Links

          relates to

          New Feature - A new feature of the product, which has yet to be developed. XWIKI-15488 Limit number of login attempts until user is asked for a captcha

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-16763 Allow to reset an authentication failure record

          • Major - Major loss of function.
          • Open

          Activity

            People

              Unassigned Unassigned
              surli Simon Urli
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated: