View Issue Details

This bug affects 2 person(s).
ID: 17695
Project: Bug reports
Category: Authentication
View Status: public
Last Update: 2022-01-03 17:05
Reporter: sdsAdm1n
Assigned To:
Status: new
Resolution: open
Product Version: 5.x
Summary: 17695: Exceeding the number of maximum access code validation attempts
Description:
For one survey, if a participant provided a wrong token five times, a message showing "You have exceeded the number of maximum access code validation attempts. Please wait 10 minutes before trying again" appears, and accordingly all participants of all active surveys become unable to access the surveys until the 10-minute waiting time finishes. Not only the survey participants, but also admin users can't sign in until the waiting time finishes.

Similarly, if an admin user provided 3 wrong password attempts, all other users have to wait 10 minutes to get access. The rule should be applied to that particular user only, not to all users. Also, when this issue happens, survey participants see a message saying "please wait 10 minutes before trying again"; however, if they provide the right token number, they are able to access.
Steps To Reproduce:
1. Activate a token-based survey.
2. Call the token prompt screen.
3. Provide a wrong token number five times.

Expected result:
Access should be denied on that survey only and for that participant only (through IP address, for example).

Actual result:
LS access denied for all participants of all surveys as well as for admin users until after 10 minutes.

Tags: No tags attached.
Bug heat: 12
Complete LimeSurvey version number (& build): 5.0.5+210621
I will donate to the project if issue is resolved: No
Database type & version: MS SQL Server 2016
Server OS (if known): Win Server 2019
Webserver software & version (if known): IIS 10
PHP Version: 7.4


Relationships: related to 17322 (assigned to DenisChenu): Need different time and count for lock out access for token VS admin user

Users monitoring this issue: medhat




2021-11-04 09:23


AdminScreen.png (48,197 bytes)
TokenScreen.png (34,242 bytes)


2021-11-04 10:47

DenisChenu (developer) ~67109

Last edited: 2021-11-04 10:47

Currently, staying with the IP block seems the only solution (except with a big, big update).

See feature:

token: bot access: 1 second after 3 tries is the best
admin: 10 minutes is really better

Do you think it's OK?


2021-11-04 10:48

DenisChenu (developer) ~67110

Need the "that survey only" part more.


2021-11-08 05:57

medhat (reporter) ~67152

I totally agree, Denis, it should block access from the specific IP only.
This is a big problem, as anybody can hack the survey by entering a wrong token a few times and, voilà, nobody will be able to participate!!


2021-11-08 08:52

DenisChenu (developer) ~67162

@medhat: we cannot block "THIS" token only.

My opinion:

1. Different time and count for lockout access for token vs admin user: IP block
2. Add survey id for token user (disable access for this IP for this survey, not other surveys): ?
3. Add admin user block by username
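The global lockout the description reports, and the per-survey / per-IP / per-username scoping Denis lists above, as an added Python example that is not LimeSurvey's code: a small attempt limiter whose lock key decides the blast radius of a lockout. The policy values (3 attempts, a 1 second lock for tokens, a 10 minute lock for admins), the class and function names, the survey ids and the IP addresses are all illustrative assumptions, not values from the project.

```python
"""Scoped lockout demo (added example, not LimeSurvey code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """How many failures are tolerated before a lock, and how long it lasts."""
    max_attempts: int
    lock_seconds: float


# Hypothetical values echoing the thread: a short lock after 3 bad tokens,
# a 10 minute lock after 3 bad admin passwords.
TOKEN_POLICY = LockoutPolicy(max_attempts=3, lock_seconds=1.0)
ADMIN_POLICY = LockoutPolicy(max_attempts=3, lock_seconds=600.0)


class FakeClock:
    """Deterministic clock so the demo runs offline and repeatably."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AttemptLimiter:
    """Counts failed attempts per key and locks that key after too many.

    The key decides the blast radius: a single global key reproduces the
    reported bug (one client with bad tokens locks everyone out), while a key
    that includes the survey id and client IP confines the lock to that
    survey and that client.
    """

    def __init__(self, clock):
        self._clock = clock
        self._failures = defaultdict(int)   # key -> consecutive failures
        self._locked_until = {}             # key -> time the lock expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._clock() >= until:          # lock expired: forget it
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, policy):
        """Register one failed attempt; returns True if the key is now locked."""
        if self.is_locked(key):
            return True
        self._failures[key] += 1
        if self._failures[key] >= policy.max_attempts:
            self._locked_until[key] = self._clock() + policy.lock_seconds
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


# Key functions: the buggy global scope versus the scoping proposed in the thread.
def global_key(**_):
    return ("global",)


def token_key(survey_id, client_ip, **_):
    return ("token", survey_id, client_ip)


def admin_key(username, client_ip, **_):
    return ("admin", username, client_ip)


def simulate(scoped):
    """Constructed scenario: a client at 203.0.113.5 sends 5 bad tokens to
    survey 111. Returns which other principals are locked out afterwards."""
    limiter = AttemptLimiter(FakeClock())
    tkey = token_key if scoped else global_key
    akey = admin_key if scoped else global_key
    for _ in range(5):
        limiter.record_failure(tkey(survey_id=111, client_ip="203.0.113.5"), TOKEN_POLICY)
    return {
        "attacker_survey_111": limiter.is_locked(tkey(survey_id=111, client_ip="203.0.113.5")),
        "other_ip_survey_111": limiter.is_locked(tkey(survey_id=111, client_ip="198.51.100.7")),
        "attacker_survey_222": limiter.is_locked(tkey(survey_id=222, client_ip="203.0.113.5")),
        "admin_login": limiter.is_locked(akey(username="admin", client_ip="198.51.100.7")),
    }


if __name__ == "__main__":
    print("global key :", simulate(scoped=False))
    print("scoped keys:", simulate(scoped=True))
```

With the global key every entry in the result is True, which is exactly the reported behaviour; with the scoped keys only the offending client on the offending survey is locked. The admin key deliberately combines username and client IP rather than username alone: a lock keyed by username alone would let anyone who knows an admin's login name lock that admin out, so pairing it with the source IP (or giving the per-username lock its own, higher threshold) is the usual compromise.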

Issue History

Date Modified      Username    Field / Change
2021-11-04 09:23   sdsAdm1n    New Issue
2021-11-04 09:23   sdsAdm1n    File Added: AdminScreen.png
2021-11-04 09:23   sdsAdm1n    File Added: TokenScreen.png
2021-11-04 10:45   DenisChenu  Relationship added: related to 17322
2021-11-04 10:47   DenisChenu  Note Added: 67109
2021-11-04 10:47   DenisChenu  Bug heat 0 => 2
2021-11-04 10:47   DenisChenu  Note Edited: 67109
2021-11-04 10:48   DenisChenu  Note Added: 67110
2021-11-08 05:51   medhat      Issue Monitored: medhat
2021-11-08 05:51   medhat      Bug heat 2 => 4
2021-11-08 05:57   medhat      Note Added: 67152
2021-11-08 05:57   medhat      Bug heat 4 => 6
2021-11-08 05:57   guest       Bug heat 6 => 12
2021-11-08 08:52   DenisChenu  Note Added: 67162
2022-01-03 17:05   DenisChenu  Category Accessibility => Authentication
2022-01-03 17:05   DenisChenu  Description Updated
2022-01-03 17:05   DenisChenu  Steps to Reproduce Updated