View Issue Details

ID: 13546
Project: Feature requests
Category: Security
View Status: public
Last Update: 2018-03-29 19:38
Reporter: Oli4
Assigned To:
Priority: none
Severity:
Status: new
Resolution: open
Summary: 13546: After entering a wrong password 5 times for any user, all users are blocked for 10 minutes (even admin)
Description: After entering a wrong password 5 times for any user (survey admin), all users are blocked for 10 minutes (even admin). It's a security issue because almost anybody can lock out everybody.
Steps To Reproduce: try it
Tags: No tags attached.

Activities

Oli4 (reporter)   ~47241   2018-03-27 21:18

It extends the time with every attempt.

DenisChenu (developer)   ~47242   2018-03-28 08:11

With the same IP address, right?

«maxLoginAttempt: This is the number of attempts a user has to enter the correct password before he or she gets her or his IP address blocked/locked out.»

https://manual.limesurvey.org/Optional_settings#Security
Oli4 (reporter)   ~47243   2018-03-28 09:00

Yes, the server is behind a proxy (as many servers are, I guess). The problem is that ALL users are locked out and not only the specific user who entered the password wrong 5 times.

c_schmitz (administrator)   ~47259   2018-03-28 12:23

This is probably more like a feature request. Just raise the number of login attempts.
Long term, a whitelist would probably be needed.

DenisChenu (developer)   ~47260   2018-03-28 12:25

A whitelist can easily be done via a plugin (I have one).

Oli4 (reporter)   ~47289   2018-03-29 19:38

Why is it not possible, or so difficult, to block ONLY the specific user who entered the wrong password several times, and not the IP? Many/most servers are behind a reverse proxy and always see the same IP address. In this state of the art, the whole system is blocked for all survey administrators.
Example: If I enter my Hotmail password wrong 10 times, the whole Hotmail system would not be blocked for everybody; only the account that I wanted to access with the wrong password attempts would be blocked (same as GMX, ...).
In my opinion it is a security issue because everybody who knows a survey admin's login can block the system for all admins.
Maybe we misunderstood.
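The thread above contrasts two lockout designs: the IP-keyed one described in the manual quote (maxLoginAttempt locks the client IP address, and each further attempt extends the lock) and the account-keyed one the reporter asks for. The following is an added, self-contained illustration written for this page; it is not LimeSurvey code and it does not reproduce the plugin mentioned by DenisChenu. The class and constant names (LoginThrottle, MAX_ATTEMPTS, LOCK_SECONDS, TRUSTED_PROXIES) and the proxy address 10.0.0.1 are this example's own assumptions. It simulates the reported scenario: every request reaches the application through one reverse proxy, an attacker fails five times against one account, and then an administrator tries to log in with the correct password.

```python
"""Toy login throttle: IP-keyed vs account-keyed lockout behind a reverse proxy.

Constructed example for illustration only; not LimeSurvey's implementation.
All names and addresses below are assumptions of this example.
"""
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5                 # mirrors the 5 failed attempts in the report
LOCK_SECONDS = 600               # mirrors the 10-minute lock in the report
TRUSTED_PROXIES = {"10.0.0.1"}   # assumed address of the reverse proxy


@dataclass
class LoginThrottle:
    key_by: str                                   # "ip" or "account"
    failures: dict = field(default_factory=dict)      # key -> failed attempts
    locked_until: dict = field(default_factory=dict)  # key -> unlock time (s)

    def client_ip(self, remote_addr, xff=None):
        """Resolve the client address.

        X-Forwarded-For is honoured only when the direct peer is a trusted
        proxy; otherwise any client could set the header and choose which
        IP gets counted (or locked)."""
        if xff and remote_addr in TRUSTED_PROXIES:
            return xff.split(",")[0].strip()
        return remote_addr

    def _key(self, account, ip):
        return ip if self.key_by == "ip" else account.lower()

    def is_locked(self, account, ip, now):
        return self.locked_until.get(self._key(account, ip), 0) > now

    def attempt(self, account, ip, password_ok, now):
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        key = self._key(account, ip)
        if self.is_locked(account, ip, now):
            # An attempt during a lock pushes the unlock time out again,
            # the behaviour the reporter describes in note ~47241.
            self.locked_until[key] = now + LOCK_SECONDS
            return "locked"
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCK_SECONDS
            self.failures.pop(key, None)
            return "locked"
        return "denied"


def proxy_scenario(key_by):
    """Attacker fails MAX_ATTEMPTS times against 'alice', then 'admin' logs in
    with the correct password. Every request arrives via the same proxy and
    no X-Forwarded-For header is passed through, so the application sees one
    address for everybody."""
    throttle = LoginThrottle(key_by)
    ip = throttle.client_ip("10.0.0.1")          # the proxy's own address
    for i in range(MAX_ATTEMPTS):
        throttle.attempt("alice", ip, password_ok=False, now=i)
    return throttle.attempt("admin", ip, password_ok=True, now=MAX_ATTEMPTS)


if __name__ == "__main__":
    print("IP-keyed lockout, admin login result:     ", proxy_scenario("ip"))
    print("account-keyed lockout, admin login result:", proxy_scenario("account"))
```

With key_by="ip" the administrator's correct login is refused, because the five failures against a different account were counted against the shared proxy address. With key_by="account" only "alice" is locked. Note what account keying does not fix: anyone who knows an administrator's login name can still lock that one account, which is the trade-off the Hotmail comparison accepts. Honouring X-Forwarded-For from a trusted proxy, as client_ip() does, restores per-client addresses but only for the hop the proxy sees; clients behind the same NAT still share one address, which is where a whitelist of the kind c_schmitz and DenisChenu mention comes in.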

Issue History

Date Modified Username Field Change
2018-03-27 21:00 Oli4 New Issue
2018-03-27 21:18 Oli4 Note Added: 47241
2018-03-28 08:11 DenisChenu Note Added: 47242
2018-03-28 09:00 Oli4 Note Added: 47243
2018-03-28 12:23 c_schmitz Note Added: 47259
2018-03-28 12:24 c_schmitz Project Bug reports => Feature requests
2018-03-28 12:25 DenisChenu Note Added: 47260
2018-03-29 19:38 Oli4 Note Added: 47289