login attempts

Archived from the Xataface Users forum.

samhans — Sun Mar 25, 2012 10:22 am

Hi Steve and all,

Can anybody suggest how I could lock a user out from login after three consecutive unsuccessful attempts?

Thanks in advance.


shannah — Sun Mar 25, 2012 4:04 pm

Xataface already does this, but it is more than 3 attempts. It is done by IP address.


samhans — Sun Mar 25, 2012 6:31 pm

Steve,
By address you mean IP address. By the way, thanks.


samhans — Mon Mar 26, 2012 9:13 am

Steve, I tried in one of my applications by giving three wrong passwords, but the fourth time I am able to log in.

How does the lockout occur?


shannah — Mon Mar 26, 2012 9:22 am

It is set to 20 attempts within a 30 minute window. If you have 20 failed attempts (without a successful attempt) within 30 minutes from the same IP address, that IP address will be locked for 30 minutes.

When the feature was first implemented it was set to 5, but this caused problems for applications where all the users are connecting from the same IP address. This was much more common than I thought. In this scenario, you could have 5 people type in wrong passwords and that would lock everyone out for 30 minutes. Increasing the limit to 20 still stops bots from incessantly hitting the application with different passwords, while not causing problems for regular users.

The code is found in the isLockedOut() method of the Dataface_AuthenticationTool class if you want to see the logic.
-Steve