[Zope-dev] z3c.password and "failedAttempts" andSessionCredentialsPlugin
Adam GROSZER
agroszer at gmail.com
Sun Jan 24 05:12:55 EST 2010
Hello Jan-Wijbrand,
Thinking this further, resource requests will have a '/@@/' (usually)
in their URL. So it might be an idea to skip those requests from
counting.
Tuesday, January 19, 2010, 10:43:43 AM, you wrote:
JWK> Adam GROSZER <agroszer at gmail.com> wrote:
JWK> Thank you for your reply!
>> Right. Well right now the lame solution is to try to count the number
>> of resources needed to load the page and multiply maxFailedAttempts by
>> that number.
>> Other than that you _will_ want to offload resources in production.
JWK> Oh, sure in _production_ I will. But what about testing and development. And
JWK> counting the number of resources is highly unpredictable - esp. as I'm working
JWK> on applications that can be easily skinned for different clients.
>> (Another idea could be to try to identify requests that are not for
>> resources, but how?)
JWK> There's no real way as far as I can tell :|
JWK> Even worse, if Zope were to handle one or more login page requisites, you can
JWK> easily get database write conflicts as multiple "simultaneous" requests will try
JWK> to increase the failed login attempts counter on the internal principal object.
JWK> Can I conclude this particular feature of z3c.password is not really in use by
JWK> anyone else (at least not in combination with the SessionCredentialsPlugin)?
JWK> regards,
JWK> jw
>> Tuesday, January 19, 2010, 12:16:38 AM, you wrote:
>>>> Betreff: [Zope-dev] z3c.password and "failedAttempts"
>>>> andSessionCredentialsPlugin
>>>>
>>>> Hi,
>>>>
>>>> I'm looking into integrating z3c.password into an application
>>>> that also uses the PAU with the principal folder,
>>>> InternalPrincipals and the SessionCredentialsPlugin.
>>>>
>>>> One of the features of z3c.password that I'd like to use is
>>>> locking out a user account after a number of failed login attempts.
>>>> z3c.password provides such a feature.
>>>>
>>>> However, it seems this feature does not play well with the
>>>> SessionCredentialsPlugin:
>>>>
>>>> The SessionCredentials will store the login and password that
>>>> were submitted through the login form in a session. This
>>>> login/password combination then is checked against the
>>>> internal principal stored in the principal folder.
>>>>
>>>> If the password is correct then (obviously) everything is fine.
>>>>
>>>> When the password is incorrect, the user is directed back to
>>>> the login form as authentication failed. If the page with the
>>>> login form retrieves resources (like images, css or
>>>> javascript files) and since the zopepublication will _try_ to
>>>> authenticate every request, the wrongful login/password
>>>> combination is checked multiple times for that page and its
>>>> resources against the internal principal object.
>>>>
>>>> The internal principal mixin of z3c.password will count the
>>>> number of failed checks. If you tell it to lock out a user
>>>> after, say, three failed attempts, you have a problem, as the
>>>> number of login page resources (thus requests) will quite
>>>> easily outnumber the maximum number of attempts.
>>>>
>>>> Questions: is anyone using this feature of z3c.password in
>>>> combination with the SessionCredentialsPlugin? If this is
>>>> working for you, do you have any idea what I am doing wrong
>>>> here? What type of authentication are the authors of
>>>> z3c.password using?
>>
>> R> Probably Adam can tell you more about that.
>>
>> R> One solution could be to offload your resources and
>> R> deliver them from Apache or Nginx Frontend.
>>
>> R> Regards
>> R> Roger Ineichen
>>
>>>> Thanks for any insight here.
>>>> regards,
>>>> jw
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Zope-Dev maillist - Zope-Dev at zope.org
>>>> https://mail.zope.org/mailman/listinfo/zope-dev
>>>> ** No cross posts or HTML encoding! ** (Related lists -
>>>> https://mail.zope.org/mailman/listinfo/zope-announce
>>>> https://mail.zope.org/mailman/listinfo/zope )
>>>>
>>
>>
>> --
>> Best regards,
>> Adam GROSZER mailto:agroszer at gmail.com
>>
--
Best regards,
Adam GROSZER mailto:agroszer at gmail.com
--
Quote of the day:
Words are the voice of the heart.
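A constructed Python illustration of the problem discussed in this thread and of the '/@@/' idea from the top of the message. This is added example code, not part of z3c.password, zope.app.authentication or any message in the thread. The Principal class, authenticate() and simulate_page_load() are assumed stand-ins that only borrow the thread's vocabulary (failedAttempts, maxFailedAttempts, SessionCredentialsPlugin); they do not reproduce the real PAU or principal-folder behaviour.

```python
"""Added example (not z3c.password's own code): per-request authentication
inflates the failed-attempt counter, and skipping resource requests
(paths containing '/@@/') keeps the count at one per real submission."""

# Heuristic from the thread: Zope resource URLs (usually) contain '/@@/'.
RESOURCE_MARKER = "/@@/"


def is_resource_request(path):
    """True when the request path looks like a Zope resource request.

    Such requests are still authenticated by the publication, but a wrong
    password re-sent with them should not count as a fresh login attempt."""
    return RESOURCE_MARKER in path


class Principal(object):
    """Constructed stand-in for an InternalPrincipal carrying the
    z3c.password failed-attempts mixin (assumed names, not the real class)."""

    def __init__(self, login, password, maxFailedAttempts=3):
        self.login = login
        self._password = password
        self.maxFailedAttempts = maxFailedAttempts
        self.failedAttempts = 0

    @property
    def locked(self):
        return self.failedAttempts >= self.maxFailedAttempts

    def checkPassword(self, password):
        """Check the password; a wrong one bumps the counter, a right one
        resets it. A locked principal always fails without counting."""
        if self.locked:
            return False
        if password == self._password:
            self.failedAttempts = 0
            return True
        self.failedAttempts += 1
        return False


def authenticate(principal, login, password, path, skip_resources):
    """One request's worth of session-credential authentication.

    skip_resources=False: every request (the page and each of its
    resources) re-checks the stored credentials and counts on failure,
    which is the behaviour the thread complains about.
    skip_resources=True: resource requests are answered as unauthenticated
    without touching the counter (Adam's '/@@/' suggestion). Not writing
    to the principal on those requests also avoids the parallel-request
    write conflicts mentioned in the thread."""
    if login != principal.login:
        return False
    if skip_resources and is_resource_request(path):
        return False
    return principal.checkPassword(password)


def simulate_page_load(skip_resources, attempts=1, resources_per_page=4,
                       maxFailedAttempts=3):
    """Simulate `attempts` submissions of a wrong password, each followed by
    the login page loading `resources_per_page` resources.
    Returns (failedAttempts, locked) after the simulation."""
    principal = Principal("jw", "correct horse", maxFailedAttempts)
    # Constructed stand-in for what SessionCredentialsPlugin keeps in the session.
    session = {"login": "jw", "password": "wrong"}
    for _ in range(attempts):
        paths = ["/login.html"] + [
            "/@@/myskin/resource%d.css" % i for i in range(resources_per_page)]
        for path in paths:
            authenticate(principal, session["login"], session["password"],
                         path, skip_resources)
    return principal.failedAttempts, principal.locked


if __name__ == "__main__":
    # One wrong submission plus four resources locks the account when every
    # request counts; filtering resource requests counts it once.
    print("count everything:", simulate_page_load(False))   # (3, True)
    print("skip resources:  ", simulate_page_load(True))    # (1, False)
    print("3 real attempts: ", simulate_page_load(True, attempts=3))  # (3, True)
```

The third call shows the lockout still triggering after three genuine submissions, so the filter narrows what is counted without weakening the limit. In a real deployment the filter would sit in the credentials plugin or the publication's authentication hook, before the principal object is written to, rather than in the principal itself.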