webERP Forum

Full Version: Problems with account lockout implementation
The design of the account lockout functionality seems to be a little naive and, in the worst case, exposes the application to potential denial of service, as well as potential exposure of valid accounts.

Since at least one account has a fixed username (admin) created at install time, there's a high probability that account will be in use and will be an admin account - possibly the only admin account.

I suggest a more flexible approach that will maintain security with reduced potential for DoS:

Limit attempts per IP and per session cookie to 5 unsuccessful attempts in 15 minutes. After 5 attempts, further attempts simply fail with the same error as they would with invalid username or password.

Limit attempts per username (and track this even if the username isn't valid so that it's not possible to infer which usernames correspond to accounts). Rather than locking the account out after 5 attempts, display a CAPTCHA before the user can log in. After 20 attempts, require a token code to be sent to the user's email for each attempt.
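As an added illustration of the scheme proposed above (not webERP code, and not from the original post), here is a language-neutral Python model of the throttle: a sliding 15-minute window, 5 failures per IP and per session cookie leading to a silent generic failure, and per-username escalation to a CAPTCHA after 5 and an e-mailed token after 20. The limits, key names, the lower-casing of usernames and the in-memory store are assumptions; usernames are keyed by an HMAC so unknown names are counted exactly like real ones without storing the guesses in clear.

```python
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW = 15 * 60          # sliding window in seconds
CLIENT_LIMIT = 5          # failures per IP and per session cookie before silent denial
CAPTCHA_AFTER = 5         # per-username failures before a CAPTCHA is required
EMAIL_TOKEN_AFTER = 20    # per-username failures before an e-mailed token is required


class LoginThrottle:
    """Tracks failed logins per client and per username (assumed in-memory store)."""

    def __init__(self, pepper=b"constructed-server-secret"):
        self.pepper = pepper                    # server-side secret for the username HMAC
        self.failures = defaultdict(deque)      # key -> timestamps of failures in the window

    def _user_key(self, username):
        # Keyed hash: unknown and real usernames are tracked identically, and the
        # store never holds the guessed names themselves (lower-casing is an assumption).
        digest = hmac.new(self.pepper, username.lower().encode(), hashlib.sha256)
        return "u:" + digest.hexdigest()

    def _count(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW:        # drop failures that fell out of the window
            q.popleft()
        return len(q)

    def requirements(self, ip, cookie, username, now):
        """Decide what the login form must do before a password is even checked.

        'deny' means answer with the same generic bad-credentials error as any
        wrong password, so the client learns nothing about the account."""
        if (self._count("ip:" + ip, now) >= CLIENT_LIMIT
                or self._count("c:" + cookie, now) >= CLIENT_LIMIT):
            return "deny"
        n = self._count(self._user_key(username), now)
        if n >= EMAIL_TOKEN_AFTER:
            return "email_token"
        if n >= CAPTCHA_AFTER:
            return "captcha"
        return "password"

    def record_failure(self, ip, cookie, username, now):
        """Charge one failed attempt to the client and to the (real or not) username."""
        for key in ("ip:" + ip, "c:" + cookie, self._user_key(username)):
            self.failures[key].append(now)
```

Because the per-username counter never locks the account, a flood of bad passwords against `admin` costs the attacker a CAPTCHA or mailbox access rather than costing the administrator their login.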

Well, it would be very silly to leave the admin account there as admin IMHO....
After 5 (or any number you can set in includes/session.inc) consecutive incorrect username/password combos the account is blocked completely.
If the username is not even recognised you can keep on trying.

There are a lot of ways to do this - happy to incorporate any mods you submit.

dezeni11

Option to give the name of the database, please suggest.
จีคลับ
(11-07-2015, 06:42 PM) dezeni11 Wrote: Option to give the name of the database, please suggest.
จีคลับ

In config.php change the value of $AllowCompanySelectionBox to 'ShowInputBox'

Tim