1. IP allowlist is here for this
2. My opinon : best configuration for token are Maximum number of attempts: 1 and Lockout time in seconds (after maximum number of attempts): 1. Human didn't care (or see) the time out. But robot can not really use it.

Can close ?

for that participant only (through ip address for example)

It must be the case : same company ?

In fact, the people responding are external to the company. They are internet users, so each questionnaire is blocked, with the option to unblock the questionnaire in question after verifying the IP address that caused the block.

What's unfortunate is that the entire site is blocked for all questionnaires, even though one or two people made a mistake when entering the token.

It's blocked for THIS ip ? right ?

Maybe there are a proxy issue about IP ?

Hello,
Thanks to Denis for the information.
Indeed, the IP address that is blocked is that of the Internet server (due to a very specific network configuration).
The solution for blocking surveys on a single attempt, with a timeout of 10 seconds, seems very good to me, and I'm going to use it.

But the timeout message appears, indicating that you have to wait 0 minutes (whether you choose 1 second or 50, it's the same: the user won't know that they have to wait the specified number of seconds).

We still have the captcha that disappears after several unsuccessful errors: wait for the session to end or clear your browser cache.

We can close the bug, as it's a security measure (but it's surprising when all your surveys are inaccessible due to incorrect user input (who told them to use the link without the token... anyway).

Indeed, the IP address that is blocked is that of the Internet server (due to a very specific network configuration).

Do you have a way to get the original IP ?
See our system : https://github.com/LimeSurvey/LimeSurvey/blob/1d7e1ca80d8272b79976af431462ef0c1d6ba8ae/application/helpers/common_helper.php#L4613

The solution for blocking surveys on a single attempt, with a timeout of 10 seconds, seems very good to me, and I'm going to use it.

You must not use such solution if you have same IP for all users ...

See https://stackoverflow.com/a/916157/2239406

And about HTTP_CLIENT_IP : seesm unclear : if we get some 192.168.0.X : we must add it to $_SERVER['REMOTE_ADDR']. But need such Internet sharing to test :)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For#selecting_an_ip_address too