From: SourceForge.net <no...@so...> - 2010-06-18 12:30:44
Feature Requests item #3018011, was opened at 2010-06-18 14:30
Message generated for change (Tracker Item Submitted) made by badda
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=3018011&group_id=156638

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: None
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Badda (badda)
Assigned to: Nobody/Anonymous (nobody)
Summary: Lock user after n failed attempts to log in.

Initial Comment:
Currently, passwords can be brute-forced by a remote attacker by trying to log in with guessed passwords until success. This can easily be prevented by introducing a (configurable) limit to the failed login attempts. After that, the user cannot log in anymore and a phpshell-admin must unlock the user (e.g. by editing a value in the config.php file).

This would be my idea of implementing:
- introduce a new value in the config.php [settings] section: max-login-attempts. Here the admin can specify the number of failed login attempts after which the user is locked.
- A number is recorded and kept for each user that states the current amount of failed logins
- if this number is equal to or larger than max-login-attempts, the user cannot log in at all
- this number is increased by one after each failed login attempt for this user
- this number is set to zero after a successful login
- after a successful or failed login, the number of failed login attempts will be shown to the user

This new feature would greatly increase the security of the script.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=3018011&group_id=156638
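The counter-and-threshold scheme sketched in the request, written out as an added PHP example (editor's illustration, not phpShell's own code and not the submitter's). It assumes, beyond what the request states, that config.php is an ini file with a [settings] section holding max-login-attempts, that the per-user counters are kept in a JSON file next to it, and that users are stored as password_hash() hashes; the config and user data below are constructed for the demo.

```php
<?php
// Added example: per-user failed-login counter with a configurable lockout
// threshold, as proposed in the feature request. Not phpShell's implementation.
// Assumed (not from the request): ini-style config.php with a [settings]
// section, counters in a JSON file, users as password_hash() hashes.

function load_settings(string $configPath): array {
    // Assumed config layout: ini sections, e.g. "[settings]\nmax-login-attempts = 3"
    $ini = parse_ini_file($configPath, true, INI_SCANNER_RAW);
    if ($ini === false) {
        throw new RuntimeException("cannot parse $configPath");
    }
    return $ini;
}

function with_counters(string $counterPath, callable $fn) {
    // Hold an exclusive lock while reading and rewriting the counter file, so two
    // concurrent login attempts cannot both read "2" and both write "3".
    $fh = fopen($counterPath, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException("cannot lock $counterPath");
    }
    $raw = stream_get_contents($fh);
    $counters = $raw === '' ? [] : (json_decode($raw, true) ?? []);
    $result = $fn($counters);          // $fn takes $counters by reference
    rewind($fh);
    ftruncate($fh, 0);
    fwrite($fh, json_encode($counters));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $result;
}

/**
 * One login attempt. Returns ['ok' => bool, 'locked' => bool, 'failed' => int];
 * 'failed' is the counter after this attempt, which the request wants shown
 * to the user.
 */
function attempt_login(array $settings, string $counterPath, array $users,
                       string $username, string $password): array {
    $max = (int)($settings['settings']['max-login-attempts'] ?? 0); // 0 = no limit

    // Unknown users are rejected without touching the counter file, so an
    // attacker cannot fill it with made-up names.
    if (!isset($users[$username])) {
        return ['ok' => false, 'locked' => false, 'failed' => 0];
    }

    return with_counters($counterPath, function (array &$counters) use ($max, $users, $username, $password) {
        $failed = (int)($counters[$username] ?? 0);

        // Locked: refuse before checking the password, so guessing stops paying off.
        if ($max > 0 && $failed >= $max) {
            return ['ok' => false, 'locked' => true, 'failed' => $failed];
        }

        if (password_verify($password, $users[$username])) {
            $counters[$username] = 0;  // reset on success
            return ['ok' => true, 'locked' => false, 'failed' => 0];
        }

        $failed++;                     // increment on failure
        $counters[$username] = $failed;
        return ['ok' => false, 'locked' => ($max > 0 && $failed >= $max), 'failed' => $failed];
    });
}

// Constructed demo: temporary config.php and counter file, one user "alice".
$dir = sys_get_temp_dir();
$configPath = "$dir/config.php";
$counterPath = "$dir/failed_logins.json";
file_put_contents($configPath, "[settings]\nmax-login-attempts = 3\n");
file_put_contents($counterPath, '');
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$settings = load_settings($configPath);

foreach (['guess1', 'guess2', 'guess3', 'correct horse'] as $try) {
    $r = attempt_login($settings, $counterPath, $users, 'alice', $try);
    printf("%-14s ok=%d locked=%d failed=%d\n", $try, $r['ok'], $r['locked'], $r['failed']);
}
// After three wrong guesses alice is locked, and even the correct password is
// refused until an admin sets her entry in failed_logins.json back to 0.
```

Two points a practitioner would weigh before shipping this exact design. First, because the lock is only cleared by an administrator, anyone who knows a username can lock that user out with n wrong guesses; a time-limited lock, or a per-source-address throttle, is the usual way to keep the brute-force protection while bounding that denial of service. Second, the lock check runs before the password check on purpose, so that a locked account yields no information about whether a guess was right.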