Issue 13427

Login to an existing account does not work for me ...

13427
Reporter: ahahn
Assignee: cvizitiu
Type: Bug
Summary: Login to an existing account does not work for me ...
Priority: Blocker
Resolution: Fixed
Status: Closed
Created: 2013-07-01 11:12:53.437
Updated: 2013-08-22 16:23:46.266
Resolved: 2013-08-22 16:23:46.235
        
        
Description: The protection against brute-force attacks on the login form prevents users from logging in even with a newly reset password; the text in the login form doesn't specify that there's an interdiction time window during which the user can't log in even with a reset password.

Steps to reproduce:

- on download, input a valid username but a wrong password more than 5 times in a row.
- use the provided link in the login form to request a new password
- use link from email, copy-paste saved password in both places, submit
- log out (top right), go to download, try to log in with username (from email) and password (copied)
=> even with a newly reset password the system error "Sorry, there have been more than 5 failed login attempts for this account. It is temporarily blocked. Try again later or request a new password" persists.

*Reporter*: Andrea Hahn
*Editor*: Cip Vizitiu
*E-mail*: [mailto:ahahn]
    


Author: omeyn@gbif.org
Comment: The problem is that the "locked because of 5x error" flag doesn't appear to clear, even after password reset. So password reset works, and auto-logs the user in, but if they log out again they'll get the "locked out because of 5x" again.
Created: 2013-07-01 15:13:19.684
Updated: 2013-07-01 15:13:19.684


Author: cvizitiu@gbif.org
Created: 2013-07-01 23:17:08.035
Updated: 2013-07-02 05:02:04.498
        
Logged in as admin; changed "oliver" account email to cvizitiu@gbif.org; requested a password reset; copy-pasted and then logged in once; changed password to something known; logged out; logged in using the new credentials; works. :-o

Unless someone's willing to provide me his email credentials I honest to God can't reproduce this one! :-o




    


Author: omeyn@gbif.org
Comment: The key issue is the > 5x failure lockout. Try failing login 6x first. (I only did that with oliver3, not oliver)
Created: 2013-07-02 10:27:32.696
Updated: 2013-07-02 10:27:32.696


Author: cvizitiu@gbif.org
Comment: ... there, fixed the bug description so that it makes sense. :-|
Created: 2013-07-02 11:05:27.573
Updated: 2013-07-02 11:05:27.573


Author: cvizitiu@gbif.org
Created: 2013-07-02 11:09:58.284
Updated: 2013-07-02 11:10:34.662
        
"It's not a bug, it's a feature!"(TM) :-s

There's an anti-flood mechanism in Drupal 7 which counts failed login attempts from a given IP address for a given account name. And yes, by "design", :-s even when using the newly reset password a user cannot log in until a certain amount of time has passed.

Suggested workarounds:

1. We increase the number of allowed attempts to something ridiculously high (e.g. 200)
2. We decrease the time window to something more palatable e.g. from 6h to 20 minutes.
3. We change the text to say "please contact helpdesk" in order to unblock your account.
4. A combination of the above?

Edit: Or we disable the brute force protection for the login form! =:-o
    


Author: mdoering@gbif.org
Comment: #2 & 3 sound good to me!
Created: 2013-07-02 11:14:56.663
Updated: 2013-07-02 11:14:56.663


Author: ahahn@gbif.org
Created: 2013-07-02 11:25:10.879
Updated: 2013-07-02 11:28:22.871
        
Who would helpdesk be, in that case? Not sure we can guarantee a response rate of <6h from there.

I would expect to get a slightly more elaborate check-it's-a-real-user mechanism in place with one of the next releases, similar to the current portal's feedback mechanism. At the present point, I think keeping the lock even if the user just went through a request-password-reset is a hassle that will backfire in that long login-discussion we are just going through. If we go for 2, there has to be a more informative message making clear that there is a time lapse, but I would very strongly plead to make the lapse so short as to be virtually not noticeable (1 min, if it cannot be completely disabled)
    


Author: mdoering@gbif.org
Created: 2013-07-02 12:16:19.538
Updated: 2013-07-02 12:16:19.538
        
Changed flood settings for drupaledit on jawa to flush the flood table every minute!

/**
 * Flood settings
*/
$conf['user_failed_login_ip_limit'] = 10;
$conf['user_failed_login_ip_window'] = 60;
$conf['user_failed_login_user_limit'] = 10;
$conf['user_failed_login_user_window'] = 60;
    
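The behaviour Cip describes above (the per-IP and per-account failure counters that keep blocking a login even after a password reset, until the window expires) and the effect of the settings Markus changed on jawa can be seen in the following model. This is an added example for this page, not Drupal's code or GBIF's: the function names follow Drupal 7's flood API (flood_register_event, flood_is_allowed, flood_clear_event) but their bodies are a simplification; the account "oliver", the IP address and the timestamps are constructed; DEFAULT_CONF uses what I know to be the Drupal 7 defaults (5 per account+IP in 6 h, 50 per IP in 1 h); the identifier is "name-ip" for readability where Drupal keys on "uid-ip"; and the clear_on_reset option is an alternative fix (clear the account's flood entries when the one-time reset link is used) that the thread did not take.

```python
"""Model of the Drupal 7 login flood control discussed in this issue.

Added example, not Drupal's code. Function names follow Drupal 7's flood API;
the bodies, settings table, account, IP and timestamps are constructed here.
"""

# The four $conf keys from the issue. DEFAULT_CONF: Drupal 7 defaults as I
# know them (assumption); JAWA_CONF: the values set on jawa in this thread.
DEFAULT_CONF = {
    "user_failed_login_ip_limit": 50,
    "user_failed_login_ip_window": 3600,
    "user_failed_login_user_limit": 5,
    "user_failed_login_user_window": 21600,   # 6 h
}
JAWA_CONF = {
    "user_failed_login_ip_limit": 10,
    "user_failed_login_ip_window": 60,
    "user_failed_login_user_limit": 10,
    "user_failed_login_user_window": 60,
}


class FloodTable:
    """In-memory stand-in for Drupal's {flood} table."""

    def __init__(self):
        self.rows = []  # (event, identifier, timestamp)

    def flood_register_event(self, event, identifier, now):
        self.rows.append((event, identifier, now))

    def flood_is_allowed(self, event, threshold, window, identifier, now):
        # Count this identifier's events that fall inside the window.
        recent = sum(1 for e, i, ts in self.rows
                     if e == event and i == identifier and ts > now - window)
        return recent < threshold

    def flood_clear_event(self, event, identifier):
        self.rows = [r for r in self.rows
                     if not (r[0] == event and r[1] == identifier)]


class Site:
    """Login form plus password-reset link, reduced to the flood logic."""

    def __init__(self, conf, clear_on_reset=False):
        self.conf = conf
        self.flood = FloodTable()
        self.passwords = {"oliver": "old-pass"}   # constructed test account
        self.clear_on_reset = clear_on_reset

    def login(self, name, password, ip, now):
        c = self.conf
        # Both flood checks run BEFORE the password is verified, so a correct
        # (even freshly reset) password does not get the user past a block.
        if not self.flood.flood_is_allowed(
                "failed_login_attempt_ip", c["user_failed_login_ip_limit"],
                c["user_failed_login_ip_window"], ip, now):
            return "blocked (ip)"
        ident = f"{name}-{ip}"   # Drupal uses "<uid>-<ip>" (assumption: name here)
        if name in self.passwords and not self.flood.flood_is_allowed(
                "failed_login_attempt_user", c["user_failed_login_user_limit"],
                c["user_failed_login_user_window"], ident, now):
            return "blocked (account)"
        if self.passwords.get(name) == password:
            return "ok"
        # Failure: count it against the account if it exists, else the IP.
        if name in self.passwords:
            self.flood.flood_register_event("failed_login_attempt_user", ident, now)
        else:
            self.flood.flood_register_event("failed_login_attempt_ip", ip, now)
        return "wrong password"

    def reset_password(self, name, new_password, ip):
        # The one-time link logs the user in without passing through the login
        # form, so nothing touches the flood table unless we do it here.
        self.passwords[name] = new_password
        if self.clear_on_reset:   # alternative fix, not what the thread did
            self.flood.flood_clear_event("failed_login_attempt_user", f"{name}-{ip}")
        return "logged in via one-time link"


def reproduce(conf, failures=6, wait=0, clear_on_reset=False):
    """Steps from the report: fail N times, reset, log out, log in again
    `wait` seconds later. Returns the outcome of that last login."""
    site = Site(conf, clear_on_reset)
    now = 1_372_677_173   # constructed epoch time
    for _ in range(failures):
        site.login("oliver", "wrong", "10.0.0.1", now)
    site.reset_password("oliver", "new-pass", "10.0.0.1")
    return site.login("oliver", "new-pass", "10.0.0.1", now + wait)


if __name__ == "__main__":
    print("defaults, right after reset:", reproduce(DEFAULT_CONF))
    print("defaults, after 6 h:", reproduce(DEFAULT_CONF, wait=21601))
    print("jawa settings, 10 failures, after 61 s:",
          reproduce(JAWA_CONF, failures=10, wait=61))
    print("defaults, clearing on reset:", reproduce(DEFAULT_CONF, clear_on_reset=True))
```

With the defaults, six wrong passwords followed by a reset still yield "blocked (account)" on the next form login, which is the reported behaviour; the block only lifts once the 6 h user window has passed. With the jawa values the same six failures never reach the limit of 10, and even ten failures expire after 60 s. Clearing the account's entries when the reset link is used would lift the block immediately with the default limits still in place, at the cost of letting anyone who can trigger a reset also reset the counter.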


Author: trobertson@gbif.org
Created: 2013-08-19 12:05:32.88
Updated: 2013-08-19 12:05:32.88
        
Cip

I believe this is fixed. Please can you verify the settings still exist and then close the issue?