Login throttling #37266
Comments
Closing here as this is already part of #30914
Simply means nobody is working on it publicly. #30914 is a tracker issue grouping a ton of marginally related tasks to get security up to date. Once somebody picks it up the PR will be the tracker.
I added the note because I was surprised there was no issue for it yet.
There is no added value in this issue now - it's just reiterating the task in the tracker issue. If it would have been a full proposal with a screen of specs it would've been a different case, now it's just a duplicate. It should also be noted that #33558 added |
Yeah, I would recommend creating a listener on these events and storing a count in the session. We don't need to add this to the "legacy" security system. I think Laravel's |
This PR was squashed before being merged into the 5.2-dev branch.

Discussion
----------

[Security] Added login throttling feature

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | Fix #37266
| License       | MIT
| Doc PR        | tbd

This "recreates" #37444 based on the RateLimiter component from #37546 <s>(commits are included in this branch atm)</s>.

Login throttling can be enabled on any user-based authenticator (thanks to the `UserBadge`) with this configuration:

```yaml
security:
    firewalls:
        default:
            # default limits to 5 login attempts per minute, the number can be configured via "max_attempts"
            login_throttling: ~

            # or you can define your own RateLimiter on framework.rate_limiter and configure it instead:
            login_throttling:
                limiter: login
```

Commits
-------

afdd805 [Security] Added login throttling feature
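The default named in the merge message above (5 login attempts per minute), sketched as an added example; it is not Symfony's code and not part of this thread. The class name, the username-plus-IP counter key, the in-memory store and the PHP 8 syntax are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony's implementation; all names are hypothetical.
final class FixedWindowLoginThrottle
{
    /** @var array<string, array{start: int, count: int}> in-memory only; a real app needs a shared store */
    private array $windows = [];

    public function __construct(
        private int $maxAttempts = 5,    // default from the page: 5 attempts
        private int $windowSeconds = 60, // per minute
    ) {}

    // Assumption: one counter per normalized username + client IP.
    private function key(string $username, string $ip): string
    {
        return hash('sha256', strtolower(trim($username)) . "\0" . $ip);
    }

    // True once the live window holds maxAttempts failures.
    public function isBlocked(string $username, string $ip, int $now): bool
    {
        $w = $this->windows[$this->key($username, $ip)] ?? null;
        return $w !== null
            && $now - $w['start'] < $this->windowSeconds
            && $w['count'] >= $this->maxAttempts;
    }

    public function recordFailure(string $username, string $ip, int $now): void
    {
        $k = $this->key($username, $ip);
        $w = $this->windows[$k] ?? ['start' => $now, 'count' => 0];
        if ($now - $w['start'] >= $this->windowSeconds) {
            $w = ['start' => $now, 'count' => 0]; // window expired, start over
        }
        $w['count']++;
        $this->windows[$k] = $w;
    }
}

// Constructed scenario: five failures for one account from one address.
$throttle = new FixedWindowLoginThrottle();
for ($i = 0; $i < 5; $i++) {
    $throttle->recordFailure('Alice', '203.0.113.7', 1000 + $i);
}
var_dump($throttle->isBlocked('alice', '203.0.113.7', 1010));  // same window, case-insensitive match
var_dump($throttle->isBlocked('alice', '198.51.100.9', 1010)); // different client address
var_dump($throttle->isBlocked('alice', '203.0.113.7', 1060));  // window started at 1000 has expired
```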
Implemented in 5.2.
Thanks all!
Hi :)
It would be great to have an option for the connection to limit the number of failed login attempts over a period of time.
Thanks :)