[Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin

Roger dev at projekt01.ch
Mon Jan 18 18:16:38 EST 2010


Hi Jan

> Betreff: [Zope-dev] z3c.password and "failedAttempts" 
> andSessionCredentialsPlugin
> 
> Hi,
> 
> I'm looking into integrating z3c.password into an application 
> that also uses the PAU with the principal folder, 
> InternalPrincipals and the SessionCredentialsPlugin.
> 
> One of the features of z3c.password that I'd like to use is 
> locking out a user account after a number of failed login attempts. 
> z3c.password provides such a feature.
> 
> However, it seems this feature does not play well with the
> SessionCredentialsPlugin:
> 
> The SessionCredentials will store the login and password that 
> were submitted through the login form in a session. This 
> login/password combination then is checked against the 
> internal principal stored in the principal folder.
> 
> If the password is correct then (obviously) everything is fine.
> 
> When the password is incorrect, the user is directed back to 
> the login form as authentication failed. If the page with the 
> login form retrieves resources (like images or css or 
> javascript files), then, since the zopepublication will _try_ to 
> authenticate every request, the wrongful login/password 
> combination is checked multiple times for that page and its 
> resources against the internal principal object.
> 
> The internal principal mixin of z3c.password will count the 
> number of failed checks. If you tell it to lock out a user 
> after, say, three failed attempts, you have a problem, as the 
> number of login page resources (thus requests) will quite 
> easily outnumber the maximum number of attempts.
> 
> Questions: is anyone using this feature of z3c.password in 
> combination with the SessionCredentialsPlugin? If this is 
> working for you, do you have any idea what I am doing wrong 
> here? What type of authentication are the authors of 
> z3c.password using?

Probably Adam can tell you more about that.

One solution could be to offload your resources and 
deliver them from an Apache or Nginx frontend.

Regards
Roger Ineichen

> Thanks for any insight here.
> regards,
> jw
> 
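The interaction Jan describes, as an added simulation that is not code from z3c.password, zope.app.authentication or anyone in this thread: a session keeps the submitted login/password, every request for the login page and its resources re-checks those stale credentials, and a counting principal reaches its lockout threshold after one wrong password. The `Principal`, `Session` and `handle_request` names, the `static_prefix` option (Roger's suggestion of not routing resources through the PAU, modelled here as a path prefix that skips authentication) and the `count_once` option (counting a failure only once per distinct credential submission) are all constructed for this example.

```python
"""Simulation of the failed-attempt counting problem from the thread.

Constructed example, not z3c.password or Zope code. It models the
behaviour described above loosely: the publication tries to
authenticate every request using the credentials cached in the session,
so one wrong password submitted once is re-checked once per resource.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Credentials = Tuple[str, str]  # (login, password) as submitted by the form


@dataclass
class Principal:
    """Stand-in for an internal principal with a failed-attempt counter."""
    login: str
    password: str
    max_failed: int = 3
    failed_attempts: int = 0

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= self.max_failed

    def check_password(self, candidate: str) -> bool:
        # A locked principal rejects everything without counting further.
        if self.locked:
            return False
        if candidate == self.password:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


@dataclass
class Session:
    """Stand-in for the session the credentials plugin writes into."""
    credentials: Optional[Credentials] = None
    # Hypothetical bookkeeping: the submission that already counted as a failure.
    failed_credentials: Optional[Credentials] = None


def handle_request(path: str, session: Session, principals: Dict[str, Principal],
                   *, static_prefix: Optional[str] = None,
                   count_once: bool = False) -> bool:
    """Authenticate one request from the session's cached credentials.

    Returns True when the credentials are accepted. Two mitigations are
    optional: skip authentication for resource paths entirely, or refuse
    to recount the same stale credentials that already failed once.
    """
    if static_prefix and path.startswith(static_prefix):
        return False  # resource served without consulting the principal
    if session.credentials is None:
        return False
    login, password = session.credentials
    principal = principals.get(login)
    if principal is None:
        return False
    if count_once and session.failed_credentials == session.credentials:
        return False  # already counted this submission; do not burn another attempt
    accepted = principal.check_password(password)
    if not accepted and count_once:
        session.failed_credentials = session.credentials
    return accepted


# Constructed request sequence: the login page plus four of its resources.
LOGIN_PAGE_REQUESTS = ["/login", "/@@/style.css", "/@@/logo.png",
                       "/@@/app.js", "/@@/icon.png"]


def simulate(**options) -> Tuple[int, bool]:
    """Submit one wrong password, render the login page, report the damage."""
    principals = {"jw": Principal("jw", "correct-password")}
    session = Session(credentials=("jw", "wrong-password"))
    for path in LOGIN_PAGE_REQUESTS:
        handle_request(path, session, principals, **options)
    principal = principals["jw"]
    return principal.failed_attempts, principal.locked


if __name__ == "__main__":
    print("naive:        ", simulate())                       # (3, True)
    print("static skipped", simulate(static_prefix="/@@/"))   # (1, False)
    print("count once:   ", simulate(count_once=True))        # (1, False)
```

With the naive setup a single wrong password exhausts a three-attempt budget before the user even sees the form again, which is exactly the symptom Jan reports; either mitigation leaves the counter at one, so the lockout again reflects what the user actually typed rather than how many images the login page loads.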
