View Issue Details

This bug affects 1 person(s).
ID: 18581
Project: Bug reports
Category: Authentication
View Status: public
Last Update: 2023-02-21 14:40
Reporter: ginosupport
Assigned To: ollehar
Status: resolved
Resolution: fixed
Product Version: 5.4.x
Summary: 18581: Blocking users after X failed attempts counts incorrectly (off by 1)

The setting to block users after X failed login attempts blocks the user after X+2 attempts; I would have expected X+1. This is true for the username/password admin login and the survey participant tokens.

Steps To Reproduce

  • Log in as super user and go to security settings
  • Configure max failed login attempts to some number X (doesn't matter which setting, the settings for admin users and for survey participant tokens behave the same)
  • Try to log in with wrong credentials/participant token X + 1 times

Expected result

I expect the user to be locked out for the configured amount of time

Actual result

I can try 1 more time; I'm locked out after X + 2 incorrect login attempts.

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): 5.4.15
I will donate to the project if issue is resolved: No
Database type & version: PostgreSQL
Server OS (if known): RedHat Linux
Webserver software & version (if known): Apache
PHP Version: 7.4.x

2023-01-12 09:21

reporter   ~73439

Actually, now that I've thought about it some more, I think it should even be locked after X attempts, not X+1 (so then it would be an off-by-2 issue). If I tell you you have 3 attempts at entering your password, it shouldn't block after the 4th attempt is wrong, right?



2023-01-12 13:58

manager   ~73446

User is locked at X. It is being shown at X+1.
I will be pushing the solution in the coming days.
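
The distinction in the note above (locked at X, shown at X+1), as an added example that is not part of this thread and not LimeSurvey's code: a hypothetical in-memory counter with two login flows, where the first reports the lockout one attempt later than the second. The class, the function names and the client key are assumptions made for illustration.

```php
<?php
// Hypothetical model, not LimeSurvey's FailedLoginAttempt implementation.
final class AttemptCounter
{
    private $failures = []; // failed attempts per client key (constructed storage)
    private $max;           // configured limit X

    public function __construct(int $max)
    {
        $this->max = $max;
    }
    public function isLockedOut(string $key): bool
    {
        return ($this->failures[$key] ?? 0) >= $this->max;
    }
    public function recordFailure(string $key): void
    {
        $this->failures[$key] = ($this->failures[$key] ?? 0) + 1;
    }
}

// Flow A: lockout is evaluated only before the credential check, so the
// failure that reaches the limit is still answered with a plain 'denied'.
function loginCheckFirst(AttemptCounter $c, string $key, bool $ok): string
{
    if ($c->isLockedOut($key)) { return 'locked'; }
    if ($ok) { return 'ok'; }
    $c->recordFailure($key);
    return 'denied';
}

// Flow B: same checks, but lockout is evaluated again after recording.
function loginRecheck(AttemptCounter $c, string $key, bool $ok): string
{
    $result = loginCheckFirst($c, $key, $ok);
    return ($result === 'denied' && $c->isLockedOut($key)) ? 'locked' : $result;
}

// Number of the first failed attempt that is answered with 'locked' (-1 if none).
function firstLockedAttempt(callable $login, int $max): int
{
    $c = new AttemptCounter($max);
    for ($n = 1; $n <= $max + 2; $n++) {
        if ($login($c, '198.51.100.7', false) === 'locked') { // constructed client key
            return $n;
        }
    }
    return -1;
}

foreach (['loginCheckFirst', 'loginRecheck'] as $flow) {
    printf("%s, X=3: lockout reported on attempt %d\n", $flow, firstLockedAttempt($flow, 3));
}
```

A boundary test for a lockout setting can assert on this attempt number directly for each configured limit, which pins down both when the block takes effect and when it is shown.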



2023-01-16 17:28

manager   ~73476




2023-02-16 12:02

viewer   ~73847

Fix committed to master branch:

Related Changesets

LimeSurvey: master e90b2b3f

2023-02-16 12:02:31

Gabriel Jenik

Committer: GitHub
Fixed Issue 18581: Blocking users after X failed attempts counts incorrectly (off by 1) (#2914)

Co-authored-by: Lapiu Dev <>
Affected Issues
mod - application/models/FailedLoginAttempt.php
add - tests/unit/models/FailedLoginAttemptTest.php

Issue History

Date Modified Username Field Change
2023-01-04 11:04 ginosupport New Issue
2023-01-04 12:14 ollehar Priority none => normal
2023-01-04 23:10 gabrieljenik Assigned To => gabrieljenik
2023-01-04 23:10 gabrieljenik Status new => confirmed
2023-01-12 09:21 ginosupport Note Added: 73439
2023-01-12 09:21 ginosupport Bug heat 0 => 2
2023-01-12 13:58 gabrieljenik Note Added: 73446
2023-01-12 13:58 gabrieljenik Bug heat 2 => 4
2023-01-12 13:58 gabrieljenik Status confirmed => assigned
2023-01-16 17:28 gabrieljenik Assigned To gabrieljenik => DenisChenu
2023-01-16 17:28 gabrieljenik Status assigned => ready for code review
2023-01-16 17:28 gabrieljenik Note Added: 73476
2023-01-17 09:59 DenisChenu Assigned To DenisChenu =>
2023-01-17 09:59 DenisChenu Status ready for code review => ready for testing
2023-01-17 17:13 gabrieljenik Assigned To => ollehar
2023-01-17 17:13 gabrieljenik Status ready for testing => ready for merge
2023-02-16 12:02 Changeset attached => LimeSurvey master e90b2b3f
2023-02-16 12:02 guest Note Added: 73847
2023-02-16 12:02 guest Bug heat 4 => 6
2023-02-21 14:40 ollehar Status ready for merge => resolved
2023-02-21 14:40 ollehar Resolution open => fixed