Hello,

Right. Well right now the lame solution is to try to count the number of resources needed to load the page and multiply maxFailedAttempts by that number. Other than that you _will_ want to offload resources in production.

(Another idea could be to try to identify requests that are not for resources, but how?)

Tuesday, January 19, 2010, 12:16:38 AM, you wrote:

R> Hi Jan
R>
>> Subject: [Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin
>>
>> Hi,
>>
>> I'm looking into integrating z3c.password into an application that also uses the PAU with the principal folder, InternalPrincipals and the SessionCredentialsPlugin.
>>
>> One of the features of z3c.password that I'd like to use is locking out a user account after a number of failed login attempts. z3c.password provides such a feature.
>>
>> However, it seems this feature does not play well with the SessionCredentialsPlugin:
>>
>> The SessionCredentials will store the login and password that were submitted through the login form in a session. This login/password combination is then checked against the internal principal stored in the principal folder.
>>
>> If the password is correct then (obviously) everything is fine.
>>
>> When the password is incorrect, the user is directed back to the login form as authentication failed. If the page with the login form retrieves resources (like images or css or javascript files), and since the zopepublication will _try_ to authenticate every request, the wrongful login/password combination is checked multiple times for that page and its resources against the internal principal object.
>>
>> The internal principal mixin of z3c.password will count the number of failed checks. If you tell it to lock out a user after, say, three failed attempts, you have a problem, as the number of login page resources (thus requests) will quite easily outnumber the maximum number of attempts.
>>
>> Questions: is anyone using this feature of z3c.password in combination with the SessionCredentialsPlugin? If this is working for you, do you have any idea what I am doing wrong here? What type of authentication are the authors of z3c.password using?

R> Probably Adam can tell you more about that.
R>
R> One solution could be to offload your resources and deliver them from Apache or Nginx Frontend.
R>
R> Regards
R> Roger Ineichen

>> Thanks for any insight here.
>> regards,
>> jw
>>
>> _______________________________________________
>> Zope-Dev maillist - Zope-Dev@zope.org
>> https://mail.zope.org/mailman/listinfo/zope-dev
>> ** No cross posts or HTML encoding! **
>> (Related lists -
>> https://mail.zope.org/mailman/listinfo/zope-announce
>> https://mail.zope.org/mailman/listinfo/zope )

--
Best regards,
Adam GROSZER
mailto:agros...@gmail.com
--
Quote of the day:
This is a good time to punt work.
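As an added illustration of the counting problem jw describes (constructed example code, not z3c.password's or the thread's own), the simulation below contrasts a counter that increments on every re-check of the session-stored credentials with one that counts each submitted credential pair at most once; the class names, the per-session flag and the resource count are assumptions.

```python
# Constructed simulation of the thread's problem: the session credentials
# plugin re-checks the stored login/password on every request, so the login
# page's resource requests all hit the failure counter.  Names are hypothetical.
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3

@dataclass
class Principal:
    password: str
    failed_attempts: int = 0

    def is_locked(self):
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS

@dataclass
class Session:
    password: str
    failure_counted: bool = False  # hypothetical; a new form POST makes a new Session

def check_naive(principal, session):
    """Every failed check counts, as the thread describes for the mixin."""
    if principal.is_locked():
        return False
    if session.password == principal.password:
        principal.failed_attempts = 0
        return True
    principal.failed_attempts += 1
    return False

def check_once_per_submission(principal, session):
    """A stored credential pair is counted at most once, however often it is re-checked."""
    if principal.is_locked():
        return False
    if session.password == principal.password:
        principal.failed_attempts = 0
        session.failure_counted = False
        return True
    if not session.failure_counted:
        principal.failed_attempts += 1
        session.failure_counted = True
    return False

def load_login_page(principal, session, check, n_resources=5):
    """One wrong form submission: the page plus n_resources requests, each re-authenticated."""
    for _ in range(1 + n_resources):
        check(principal, session)
    return principal.failed_attempts
```

With the naive counter a single wrong submission on a page with five resources locks the account; the per-submission counter records one failure.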