18581: Blocking users after X failed attempts counts incorrectly (off by 1)

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

18581	Bug reports	Authentication	public	2023-01-04 11:04	2023-06-20 17:49

Reporter	ginosupport	Assigned To	ollehar
Priority	normal	Severity	minor
Status	closed	Resolution	fixed
Product Version	5.4.x

Summary	18581: Blocking users after X failed attempts counts incorrectly (off by 1)
Description	The setting to block users after X failed login attempts blocks the user after the X+2 attempts, i would have expected X+1. This is true for the username/password admin login and the survey participant tokens.
Steps To Reproduce	Steps to reproduce Log in as super user and go to security settings Configure max failed login attempts to some number X (doesn't matter which setting, the settings for admin users and for survey participant tokens behave the same) Try to log in with wrong credentials/participant token X + 1 times Expected result I expect the user to be locked out for the configured amount of time Actual result I can try 1 more time, i'm locked out after X + 2 incorrect login attempts.
Tags	No tags attached.

Bug heat	6
Complete LimeSurvey version number (& build)	5.4.15
I will donate to the project if issue is resolved	No
Browser
Database type & version	PostgreSQL
Server OS (if known)	RedHat Linux
Webserver software & version (if known)	Apache
PHP Version	7.4.x

User List	There are no users monitoring this issue.

ginosupport 2023-01-12 09:21 reporter ~73439	Actually, now that i've thought about it some more, i think it should even be locked after X attempts, not X+1 (so then it would be an off-by-2 issue). If i tell you you have 3 attempts at entering your password, it shouldn't block after the 4th attempt is wrong, right?

gabrieljenik 2023-01-12 13:58 manager ~73446	User is locked at X. It is being shown at X+1. I am pushing the solution in these days.

gabrieljenik 2023-01-16 17:28 manager ~73476	PR: https://github.com/LimeSurvey/LimeSurvey/pull/2846

guest 2023-02-16 12:02 viewer ~73847	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=34319

LimeSurvey: master e90b2b3f 2023-02-16 13:02 Gabriel Jenik Committer: GitHub Details Diff	Fixed Issue 18581: Blocking users after X failed attempts counts incorrectly (off by 1) (#2914) Co-authored-by: Lapiu Dev <devgit@lapiu.biz>	Affected Issues 18581
	mod - application/models/FailedLoginAttempt.php	Diff File
	add - tests/unit/models/FailedLoginAttemptTest.php	Diff File

Date Modified	Username	Field	Change
2023-01-04 11:04	ginosupport	New Issue
2023-01-04 12:14	ollehar	Priority	none => normal
2023-01-04 23:10	gabrieljenik	Assigned To	=> gabrieljenik
2023-01-04 23:10	gabrieljenik	Status	new => confirmed
2023-01-12 09:21	ginosupport	Note Added: 73439
2023-01-12 09:21	ginosupport	Bug heat	0 => 2
2023-01-12 13:58	gabrieljenik	Note Added: 73446
2023-01-12 13:58	gabrieljenik	Bug heat	2 => 4
2023-01-12 13:58	gabrieljenik	Status	confirmed => assigned
2023-01-16 17:28	gabrieljenik	Assigned To	gabrieljenik => DenisChenu
2023-01-16 17:28	gabrieljenik	Status	assigned => ready for code review
2023-01-16 17:28	gabrieljenik	Note Added: 73476
2023-01-17 09:59	DenisChenu	Assigned To	DenisChenu =>
2023-01-17 09:59	DenisChenu	Status	ready for code review => ready for testing
2023-01-17 17:13	gabrieljenik	Assigned To	=> ollehar
2023-01-17 17:13	gabrieljenik	Status	ready for testing => ready for merge
2023-02-16 12:02		Changeset attached	=> LimeSurvey master e90b2b3f
2023-02-16 12:02	guest	Note Added: 73847
2023-02-16 12:02	guest	Bug heat	4 => 6
2023-02-21 14:40	ollehar	Status	ready for merge => resolved
2023-02-21 14:40	ollehar	Resolution	open => fixed
2023-06-20 17:49	c_schmitz	Status	resolved => closed