View Issue Details

IDProjectCategoryView StatusLast Update
0003891Composrcorepublic2020-01-27 20:02
ReporterChris GrahamAssigned To 
Status non-assignedResolutionopen 
Product Version 
Fixed in Version 
Summary0003891: Brute-force login attempt protection
DescriptionAdd options to protect against brute-force login attempts.

1) Maximum login frequency by IP address
2) Maximum login frequency (global)

The format would be...


e.g. 3/10,7/60,20/3600,30/86400

This means "Max 3 attempts within last 10 seconds, Max 7 attempts within last 60 seconds, Max 20 attempts within last hour, Max 30 attempts within last day".

The numbers on the default global setting would be much bigger. They are designed for DDOS protection (many users attempting login from the same IP address).

When a request is blocked it would be given a "429 Too Many Requests" header and an appropriate error message.

It would all work by keeping an elective-value recording all the IP addresses and timestamps for logins within the maximum number of seconds referenced in the option value (86400 in this example), in PHP-serialize format.
Blocked logins (blocked by this code) would not be included, in the recordings, to prevent the data exploding (a possible attack vector).
The check code would need to clean out old data.
TagsType: Security
Attach Tags
Time estimation (hours)4
Sponsorship open


Chris Graham

2020-01-27 20:02

administrator   ~0006311

Just noting that this feature is sometimes called "account lockout".

Issue History

Date Modified Username Field Change
2019-10-01 21:14 Chris Graham New Issue
2019-10-01 21:14 Chris Graham Tag Attached: Type: Security
2020-01-27 20:02 Chris Graham Note Added: 0006311