| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 17695 | Bug reports | Authentication | public | 2021-11-04 09:23 | 2023-02-14 15:56 |
| Reporter | sdsAdm1n | Assigned To | gabrieljenik | ||
| Priority | none | Severity | partial_block | ||
| Status | closed | Resolution | duplicate | ||
| Product Version | 5.x | ||||
| Summary | 17695: Exceeding the number of maximum access code validation attempts | ||||
| Description | for one survey, if a participant provided a wrong token five times, a message showing "You have exceeded the number of maximum access code validation attempts. Please wait 10 minutes before trying again" appears and accordingly all participants for all active surveys became unable to access the surveys until the 10 minutes waiting time finish. not only the survey participants, but also admin users can't sign in until waiting time get finish. Similarly, if an admin user provided 3 wrong password attempts, all other users should wait 10 minutes to access. the rule should be applied to that particular user only not to all users. also, when this issue happened, survey participants will see a message saying please wait 10 minutes before trying again. however, if they provide a right token number, they will be able to access. | ||||
| Steps To Reproduce | Steps to reproduceActivate token-based survey. Expected resultAccess should be denied on that survey only and for that participant only (through ip address for example) Actual resultLS Access denied for all participants of all surveys as well as for admin users until after 10 minutes. | ||||
| Tags | No tags attached. | ||||
| Bug heat | 28 | ||||
| Complete LimeSurvey version number (& build) | 5.0.5+210621 | ||||
| I will donate to the project if issue is resolved | No | ||||
| Browser | Chrome | ||||
| Database type & version | MS SQL Server 2016 | ||||
| Server OS (if known) | Win Server 2019 | ||||
| Webserver software & version (if known) | IIS 10 | ||||
| PHP Version | 7.4 | ||||
 |
Hi, See feature https://bugs.limesurvey.org/view.php?id=17322 token : bot access : 1 seconds after 3 try is the best Do you think it's OK ? |
|
|
Need the " that survey only" part more. |
 |
I totally agree Denis, it should block from the specific IP only. |
|
|
@medhat : we can not block "THIS" token only . My opinion
|
 |
I'm using 3.x version behind a reverse proxy and behind kubernetes. |
|
|
HTTP_X_FORWARDED_FOR can be a comma separated list of IPv4 addresses. Maybe I can post a patch on this. Do you accept github Pull requests? More, on this, I would say the IP address can be easily faked with crafted http requests from an attacker. I wouldn't pay so much attention on this. |
|
|
I'm going to file my issues inside 17322 |
|
|
Yes, always
yes complex solution, but even solution based on fail2ban have such issue … |
 |
As per the comments, will be closing the ticket. Please add any comments in case it should be reopened. |
|
|
@gabrieljenik the the fix is applied for LS version 3, but we are facing the issue on LS version 5. any commendations? |
|
|
please ignore my last comment. i have version 5.3.8+220404 and I can see the new features under Global settings to control the behavior. will check on that. |
 |
a user just reported this same bug. 10min.png (14,208 bytes) |
|
|
@MSouad : please contact support@limesurvey.org too. |
