IMHO, while not permanently disabling accounts for failed logins may be
desirable, this behaviour is not desirable for the admin interface.  The
default for the admin interface should be to permanently disable the
account.


David E Jones wrote:
> 
> 
> The reason for this (which is configuration in the security.properties  
> file, BTW, and is documented in the production setup guide) is that  
> repeated login attempts usually cause an account to be disabled, but  
> people usually don't want permanent disabling because of the internal/ 
> customer service headaches. Enabling after five minutes (and telling  
> the user that will happen) still makes brute-force password guessing  
> attacks pretty much impossible, but gives the user a way to get back  
> in without making a phone call.
> 
> -David
> 
> 
> On Jul 1, 2008, at 3:09 PM, Robert Volke wrote:
> 
>> Wow, that did the trick.  When I first saved the Enabled flag change  
>> to N, it automatically populated the disabled date, so I deleted  
>> this date and saved the change again.  Now the disabled admin can no  
>> longer log in.  It looks like if you simply disable an account and  
>> leave the time stamp, it will automatically enable again in 5  
>> minutes.  I'm not sure why it does this, and I didn't see a way to  
>> change the end date for the disable so I'm going to inform my users  
>> to use this workaround.
>>
>> Thank you for all of the help,
>> Robert Volke
>>
>>>>> Bilgin Ibryam <bibr...@iguanait.com> 7/1/2008 3:53:22 PM >>>
>>
>> Hi Robert,
>>
>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>
>> Bilgin
>>
>>
> 
> 
> 

-- 
Sent from the OFBiz - User mailing list archive at Nabble.com.
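The lockout behaviour this thread describes, as an added example that is not OFBiz code: a small Python model of how the Enabled flag and Disabled Date Time interact, with the 5-minute re-enable delay standing in for the security.properties setting David mentions, an assumed failure threshold of 3, and the permanent-disable default for admin accounts that the reply at the top proposes (the `is_admin` field and `scenario()` are constructed for the example).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed model of the lockout behaviour described in this thread, not OFBiz
# code; the 5-minute delay stands in for David's security.properties setting.
REENABLE_AFTER = timedelta(minutes=5)
MAX_FAILED_LOGINS = 3                            # threshold is assumed

@dataclass
class UserLogin:
    user_login_id: str
    enabled: str = "Y"                           # "Y" or "N"
    disabled_date_time: Optional[datetime] = None
    failed_logins: int = 0
    is_admin: bool = False                       # for the proposed admin default

def is_login_allowed(u: UserLogin, now: datetime) -> bool:
    """N plus a disabledDateTime is a lockout that expires after REENABLE_AFTER;
    N without a date never expires; admins never auto re-enable (proposed)."""
    if u.enabled != "N":
        return True
    if u.disabled_date_time is None or u.is_admin:
        return False
    return now - u.disabled_date_time >= REENABLE_AFTER

def record_failed_login(u: UserLogin, now: datetime) -> None:
    u.failed_logins += 1
    if u.failed_logins >= MAX_FAILED_LOGINS:     # lock, with a timestamp
        u.enabled, u.disabled_date_time = "N", now

def disable_manually(u: UserLogin, when: Optional[datetime]) -> None:
    """Admin-UI disable; `when` mimics the auto-populated date, None deletes it."""
    u.enabled, u.disabled_date_time = "N", when

def scenario() -> dict:
    """Replay the thread's cases; each value answers 'is login allowed?'."""
    t0, later = datetime(2008, 7, 1, 15, 9), datetime(2008, 7, 2, 15, 9)  # constructed
    bob, staff, admin = UserLogin("bob"), UserLogin("staff"), UserLogin("admin", is_admin=True)
    for _ in range(MAX_FAILED_LOGINS):
        record_failed_login(bob, t0)             # brute-force lockout
    disable_manually(staff, t0)                  # date auto-populated and left in
    disable_manually(admin, t0)
    out = {"locked_out_at_4min": not is_login_allowed(bob, t0 + timedelta(minutes=4)),
           "back_in_at_5min": is_login_allowed(bob, t0 + REENABLE_AFTER),
           "manual_disable_with_date_reverts": is_login_allowed(staff, later),
           "admin_default_sticks": not is_login_allowed(admin, later)}
    disable_manually(staff, None)                # Bilgin's workaround: delete the date
    out["manual_disable_without_date_sticks"] = not is_login_allowed(staff, later)
    return out
```

Every value in `scenario()` comes back True: a brute-force lockout lifts after five minutes, a manual disable that keeps its date lifts the same way, and only the date-less disable (or the proposed admin default) stays in force.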