View Issue Details

This bug affects 2 person(s).

ID: 17695
Project: Bug reports
Category: Authentication
View Status: public
Last Update: 2022-01-03 17:05
Reporter: sdsAdm1n
Assigned To:
Priority: none
Severity: partial_block
Status: new
Resolution: open
Product Version: 5.x
Summary: 17695: Exceeding the number of maximum access code validation attempts
Description:
For one survey, if a participant provided a wrong token five times, a message showing "You have exceeded the number of maximum access code validation attempts. Please wait 10 minutes before trying again" appears, and accordingly all participants for all active surveys became unable to access the surveys until the 10-minute waiting time finished. Not only the survey participants, but also admin users can't sign in until the waiting time finishes.

Similarly, if an admin user provided 3 wrong password attempts, all other users have to wait 10 minutes to access. The rule should be applied to that particular user only, not to all users. Also, when this issue happens, survey participants will see a message saying "please wait 10 minutes before trying again"; however, if they provide the right token number, they will be able to access.
Steps To Reproduce:

Steps to reproduce
------------------------------
1. Activate a token-based survey.
2. Call the token prompt screen.
3. Provide a wrong token number five times.

Expected result
-------------------------
Access should be denied on that survey only and for that participant only (through IP address, for example).

Actual result
-----------------
LS access denied for all participants of all surveys as well as for admin users until after 10 minutes.

Tags: No tags attached.
Bug heat: 12
Complete LimeSurvey version number (& build): 5.0.5+210621
I will donate to the project if issue is resolved: No
Browser: Chrome
Database type & version: MS SQL Server 2016
Server OS (if known): Win Server 2019
Webserver software & version (if known): IIS 10
PHP Version: 7.4

Relationships

related to 17322 (assigned: DenisChenu): Need different time and count for lockout access for token vs admin user

Users monitoring this issue

User List: medhat

Activities

sdsAdm1n (reporter), 2021-11-04 09:23

Attachments: AdminScreen.png (48,197 bytes), TokenScreen.png (34,242 bytes)
DenisChenu (developer), 2021-11-04 10:47, note ~67109 (last edited 2021-11-04 10:47)

Hi,
Currently, staying with the IP block seems the only solution (except with a big, big update).

See feature https://bugs.limesurvey.org/view.php?id=17322

token: bot access: 1 second after 3 tries is the best
admin: 10 minutes is really better

Do you think it's OK?
DenisChenu (developer), 2021-11-04 10:48, note ~67110

Need the "that survey only" part more.
medhat (reporter), 2021-11-08 05:57, note ~67152

I totally agree, Denis, it should block from the specific IP only.
This is a big problem, as anybody can hack the survey by entering a wrong token a few times and, voilà, nobody will be able to participate!!
DenisChenu (developer), 2021-11-08 08:52, note ~67162

@medhat: we cannot block "THIS" token only.

My opinion:

1. Different time and count for lockout access for token vs admin user: IP block
2. Add survey id for token user (disable access for this IP for this survey, not other surveys): ?
3. Add admin user block by username
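
The scoping the thread converges on (separate thresholds for token vs admin access, the token lock keyed by client IP plus survey id, the admin lock keyed by username, a valid credential resetting only its own counter), as an added Python model that is not LimeSurvey's code; the thresholds, IPs and survey ids are constructed placeholders, not values from the project.

```python
# Illustrative model, not LimeSurvey code: failed-attempt counters keyed per
# scope and identity, so one participant's bad tokens lock only that key.
from collections import defaultdict

POLICIES = {  # assumed: scope -> (max failed attempts, lock duration in seconds)
    "token": (3, 1),    # participant: keyed by (client IP, survey id)
    "admin": (3, 600),  # admin login: keyed by username
}

class ScopedLockout:
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.failures = defaultdict(int)  # (scope, identity) -> failed count
        self.locked_until = {}            # (scope, identity) -> unlock time

    def is_locked(self, scope, identity, now):
        # Called before validating a credential; only this key is affected.
        until = self.locked_until.get((scope, identity))
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[(scope, identity)]  # lock expired, clear it
        return False

    def record_failure(self, scope, identity, now):
        # Count one failed attempt; return True if this key is now locked.
        max_failures, duration = self.policies[scope]
        key = (scope, identity)
        self.failures[key] += 1
        if self.failures[key] >= max_failures:
            self.locked_until[key] = now + duration
            self.failures[key] = 0
            return True
        return False

    def record_success(self, scope, identity):
        self.failures.pop((scope, identity), None)  # reset this key only

def replay_report():
    # Constructed replay: 3 wrong tokens for survey 111 from one IP.
    lock = ScopedLockout()
    for t in range(3):
        lock.record_failure("token", ("198.51.100.7", 111), now=t)
    return {
        "same_ip_same_survey": lock.is_locked("token", ("198.51.100.7", 111), 2),
        "same_ip_other_survey": lock.is_locked("token", ("198.51.100.7", 222), 2),
        "other_ip_same_survey": lock.is_locked("token", ("203.0.113.9", 111), 2),
        "admin_login": lock.is_locked("admin", "admin", 2),
    }
```

Keying the admin lock by username alone still lets anyone who knows a username lock that account out, so combining username with client IP, or backing the lock with a CAPTCHA, is the usual complement to point 3.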

Issue History

Date Modified      Username    Field                  Change
2021-11-04 09:23   sdsAdm1n    New Issue
2021-11-04 09:23   sdsAdm1n    File Added             AdminScreen.png
2021-11-04 09:23   sdsAdm1n    File Added             TokenScreen.png
2021-11-04 10:45   DenisChenu  Relationship added     related to 17322
2021-11-04 10:47   DenisChenu  Note Added             67109
2021-11-04 10:47   DenisChenu  Bug heat               0 => 2
2021-11-04 10:47   DenisChenu  Note Edited            67109
2021-11-04 10:48   DenisChenu  Note Added             67110
2021-11-08 05:51   medhat      Issue Monitored        medhat
2021-11-08 05:51   medhat      Bug heat               2 => 4
2021-11-08 05:57   medhat      Note Added             67152
2021-11-08 05:57   medhat      Bug heat               4 => 6
2021-11-08 05:57   guest       Bug heat               6 => 12
2021-11-08 08:52   DenisChenu  Note Added             67162
2022-01-03 17:05   DenisChenu  Category               Accessibility => Authentication
2022-01-03 17:05   DenisChenu  Description Updated
2022-01-03 17:05   DenisChenu  Steps to Reproduce Updated