
SeedDMS Login Brute-force Protection

Anonymous
2014-02-26
2014-03-13
  • Anonymous

    Anonymous - 2014-02-26

    I saw there is a login failure threshold you can set before a user account lockout. The helper text in the settings says that it will "Disable account after n login failures".

    Is this feature still supported? Even after setting this feature with a failure threshold of 3, the account doesn't get locked out after passing that limit.

    Thanks.

  • birduser

    birduser - 2014-02-26

    In op.Login.php there is a little piece of code during the authentication process that checks whether the user is disabled:

    // Check if account is disabled
    if($user->isDisabled()) {
        _printMessage(getMLText("login_disabled_title"), getMLText("login_disabled_text"));
        exit;
    }

    so I think this feature should still be supported. I just found out that if you try to log in and it fails, the value "loginfailures" in the MySQL DB table "tblUsers" doesn't count. Doesn't matter whether you set a maximum login value or not. So there's a problem somewhere during the authentication process.

    When typing the wrong password, this little piece of code in op.Login.php should raise the "loginfailures" value:

    if($settings->_loginFailure) {
        $failures = $user->addLoginFailure();
        if($failures >= $settings->_loginFailure)
            $user->setDisabled(true);
    }

    The problem should be here or somewhere in the addLoginFailure function.

    function addLoginFailure() in Core/inc.ClassUser.php
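The lockout logic quoted above, as an added example that is not SeedDMS code: a self-contained model of what addLoginFailure() has to do for the threshold check to fire (persist the increment in tblUsers.loginfailures and return the new count). It assumes PHP 8 with the pdo_sqlite extension; the table layout and the 'alice' row are constructed stand-ins for the real schema.

```php
<?php
// Added example, not SeedDMS code: a minimal model of the op.Login.php lockout
// logic, backed by an in-memory SQLite table standing in for tblUsers. Assumes
// the pdo_sqlite extension; the 'alice' row is constructed sample data.
class LockoutUser
{
    public function __construct(private PDO $db, private int $id) {}
    private function column(string $col): int
    {
        $stmt = $this->db->prepare("SELECT $col FROM tblUsers WHERE id = :id");
        $stmt->execute([':id' => $this->id]);
        return (int) $stmt->fetchColumn();
    }
    // For the threshold check to work, this must persist the increment AND
    // return the new count; in the thread, tblUsers.loginfailures never moved.
    public function addLoginFailure(): int
    {
        $this->db->prepare('UPDATE tblUsers SET loginfailures = loginfailures + 1 WHERE id = :id')
                 ->execute([':id' => $this->id]);
        return $this->column('loginfailures');
    }
    public function loginFailures(): int { return $this->column('loginfailures'); }
    public function isDisabled(): bool { return $this->column('disabled') === 1; }
    public function setDisabled(bool $disabled): void
    {
        $this->db->prepare('UPDATE tblUsers SET disabled = :d WHERE id = :id')
                 ->execute([':d' => (int) $disabled, ':id' => $this->id]);
    }
}
// Same shape as the snippet quoted above; $threshold plays $settings->_loginFailure.
function recordFailedLogin(LockoutUser $user, int $threshold): bool
{
    if ($threshold) {
        $failures = $user->addLoginFailure();
        if ($failures >= $threshold) {
            $user->setDisabled(true);
        }
    }
    return $user->isDisabled();
}
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE tblUsers (id INTEGER PRIMARY KEY, login TEXT,
    loginfailures INTEGER NOT NULL DEFAULT 0, disabled INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO tblUsers (id, login) VALUES (1, 'alice')");
$user = new LockoutUser($db, 1);
for ($attempt = 1; $attempt <= 3; $attempt++) {          // threshold of 3, as in the question
    $locked = recordFailedLogin($user, 3);
    printf("attempt %d: loginfailures=%d disabled=%s\n", $attempt, $user->loginFailures(), $locked ? 'yes' : 'no');
}
```

The quickest way to confirm the counter moves on a real install is the check made in the thread: read loginfailures from tblUsers after a deliberately wrong password and see that it has increased.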

  • Anonymous

    Anonymous - 2014-02-26

    Well, glad it is not just me. Maybe I'll try to debug the issue.

  • Uwe Steinmann

    Uwe Steinmann - 2014-03-04

    It will be fixed in 4.3.5

  • Anonymous

    Anonymous - 2014-03-13

    Uwe, thanks!

    I saw this fixed in the new release.


