[Zope] Re: Handling login failures
Florent Guillaume
fg at nuxeo.com
Thu Jan 12 18:24:03 EST 2006
Håkan Johansson wrote:
> I want to be able to block a user from logging in if he fails to give
> the right login/password three times in a row.
You're aware that this allows anyone to trivially DoS your users, right?
If you take the precaution of matching with the IP, it still will harm
people logging in through corporate or ISP proxies. Which, admittedly,
may not be a problem in an intranet setting.
Florent
> The problem is that I don't know how to do this.
>
> First, I need to know if an attempt failed. This, I have no idea how to do.
>
> Second, I need to block the user without deleting him. One problem here
> is that the user can write different login names for the different login
> attempts. We have been thinking about blocking the offender's IP for 30
> minutes or so and leave it at that. It seems to me that
> SiteAccess.AccessRule could be used for that, but I haven't looked much
> into it yet. The documentation is extremely light.
>
>
> I have a very clean Zope 2.8.4 installation on a SuSE linux machine.
> Logins are handled in the standard Zope way, nothing special added.
> The Zope is running as a stand alone server, i.e. no Apache at all.
>
>
> Another thing: How do I get Zope to log failed authentication attempts?
> Neither event.log or Z2.log shows anything. As Z2.log is the access log,
> I would have guessed that such things should be logged there. If not,
> where and how?
--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
More information about the Zope
mailing list