[Zope] Handling login failures

Håkan Johansson ignem at raintervention.se
Thu Jan 12 10:41:46 EST 2006


On Jan 11, 2006, at 17:37, Tino Wildenhain wrote:

> Håkan Johansson schrieb:
>> Hi everyone.
>> I want to be able to block a user from logging in if he fails to give 
>> the right login/password three times in a row. The problem is that I 
>> don't know how to do this.
>
> Because it isn't really possible/practicable at all with HTTP.
>
>> First, I need to know if an attempt failed. This, I have no idea how 
>> to do.
>> Second, I need to block the user without deleting him. One problem 
>> here is that the user can write different login names for the 
>> different login attempts. We have been thinking about blocking the 
>> offender's IP for 30 minutes or so and leave it at that. It seems to 
>> me that SiteAccess.AccessRule could be used for that, but I haven't 
>> looked much into it yet. The documentation is extremely light.
>
> And if the offender uses a proxy where your true user is also coming 
> from?
>
>> I have a very clean Zope 2.8.4 installation on a SuSE linux machine.
>> Logins are handled in the standard Zope way, nothing special added.
>> The Zope is running as a stand alone server, i.e. no Apache at all.
>> Another thing: How do I get Zope to log failed authentication 
>> attempts? Neither event.log nor Z2.log shows anything. As Z2.log is 
>> the access log, I would have guessed that such things should be 
>> logged there. If not, where and how?
>
> You could "log" the Unauthorized - but this does not really help.
> You better use one of the pluggable auth folders (PAS, ExuserFolder 
> etc.)
> and bend them to your needs - maybe with a small memory pool for the
> counter/queue of failed login attempts.
>

I think I have found a solution. I will try to subclass UserFolder and 
override the authenticate method. If a user is not "blocked" from 
failing three times in a row, the original method is called to do the 
actual authentication.

Thanks for the help.
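A sketch of the counter described in this thread, added here as an example and not code from Zope or from the original poster: a wrapper that stops calling the real authenticator for a login name after three consecutive failures and lifts the block after the 30 minutes mentioned above. The `LockoutGate` class, the `backend` callable and the plain in-memory dict are assumptions for illustration; a real UserFolder subclass would call the inherited authenticate method instead of `backend` and would need storage that survives across threads and restarts.

```python
import time

MAX_FAILURES = 3            # consecutive failures before a name is blocked (from the thread)
LOCKOUT_SECONDS = 30 * 60   # the 30-minute block discussed in the thread


class LockoutGate:
    """Wrap an authenticate(name, password) callable with a consecutive-failure counter.

    Failures are counted per login name. A blocked name is refused without
    consulting the wrapped authenticator, so a correct password does not unblock
    it early; the counter resets on success or when the lockout expires.
    """

    def __init__(self, authenticate, clock=time.monotonic):
        self._authenticate = authenticate   # assumed callable returning user or None
        self._clock = clock                  # injectable for testing
        self._failures = {}                  # name -> (count, blocked_until or None)

    def is_blocked(self, name):
        rec = self._failures.get(name)
        if rec is None:
            return False
        _count, blocked_until = rec
        if blocked_until is not None and self._clock() >= blocked_until:
            del self._failures[name]         # lockout expired: start counting afresh
            return False
        return blocked_until is not None

    def failure_count(self, name):
        return self._failures.get(name, (0, None))[0]

    def authenticate(self, name, password):
        if self.is_blocked(name):
            return None                      # refuse without touching the backend
        user = self._authenticate(name, password)
        if user is not None:
            self._failures.pop(name, None)   # success clears the streak
            return user
        count = self.failure_count(name) + 1
        blocked_until = None
        if count >= MAX_FAILURES:
            blocked_until = self._clock() + LOCKOUT_SECONDS
        self._failures[name] = (count, blocked_until)
        return None
```

Counting per login name does not cover the case raised above where the offender varies the login name on each attempt; that needs a second counter keyed on something else, with the proxy caveat Tino mentions.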
