Entering an email address to login wouldn't result in a blocked user account when the failed attempt limit was reached. Attached is a patch that will handle both.
Comment | File | Size | Author |
---|---|---|---|
#4 | login_security-email_or_username_input-1440536-4.patch | 2.15 KB | Delphine Lepers |
Comments
Comment #1
deekayen commented: What's the use case here? LoginToboggan?
Comment #2
deekayen commented: Category change to feature.
Comment #3
Delphine Lepers commented: Hi
Indeed when logintoboggan is installed, the module's behaviour is incorrect on attempts made on the email address, since it does not collate tries on the user name and tries on the email address.
It also never blocks attempts made using the email address, and is therefore open to brute-force attacks.
The patch does the trick just fine as it sums up tries on email address and tries on username, blocking after 3.
Comment #4
Delphine Lepers commented: Here is a better patch that cleans the table for username and emails when the user is unblocked by an admin or has successfully logged in once.
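The behaviour described in comments #3 and #4, as an added illustration that is not the login_security module's code or the attached patch: failed attempts are counted against the account they target, whether the form was given a username or an email address, the account is blocked once the limit is reached, and the counters are cleared on a successful login or an admin unblock. The `collate=False` mode shows the problem the thread describes, where attempts keyed by the literal string typed give username and email separate budgets. The account table, the in-memory stores, the `FAILED_ATTEMPT_LIMIT` value and all function names are assumptions for illustration.

```python
"""Added example, not the login_security module's code.

Tracks failed logins per resolved account so that username and email
attempts add up, and blocks once FAILED_ATTEMPT_LIMIT is reached.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample account table (assumption): username -> email, password.
# Plaintext passwords only keep the example self-contained; real systems
# store password hashes.
ACCOUNTS = {
    "alice": {"email": "alice@example.org", "password": "correct horse"},
    "bob": {"email": "bob@example.org", "password": "hunter2"},
}

FAILED_ATTEMPT_LIMIT = 3  # the thread's "blocking after 3" (assumed value)


@dataclass
class LoginTracker:
    # collate=True: count against the account, whichever identifier named it.
    # collate=False: count against the literal string typed (the buggy model).
    collate: bool = True
    failures: dict = field(default_factory=dict)  # key -> failed count
    blocked: set = field(default_factory=set)     # keys over the limit

    @staticmethod
    def resolve(identifier: str):
        """Map a username or email address to the canonical username.
        Case-insensitive matching is an assumption for this example."""
        ident = identifier.strip().lower()
        if ident in ACCOUNTS:
            return ident
        for name, acct in ACCOUNTS.items():
            if acct["email"].lower() == ident:
                return name
        return None

    def attempt(self, identifier: str, password: str) -> str:
        """Return 'ok', 'blocked', or 'failed:<remaining attempts>'."""
        ident = identifier.strip().lower()
        user = self.resolve(ident)
        key = user if (user is not None and self.collate) else ident
        if key in self.blocked:
            # A blocked account stays blocked even on a correct password.
            return "blocked"
        if user is not None and hmac.compare_digest(
            ACCOUNTS[user]["password"].encode(), password.encode()
        ):
            self.clear(key)  # successful login resets the counter
            return "ok"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= FAILED_ATTEMPT_LIMIT:
            self.blocked.add(key)
            return "blocked"
        # The same message shape is used for unknown accounts so the response
        # does not reveal whether the identifier exists.
        return f"failed:{FAILED_ATTEMPT_LIMIT - count}"

    def clear(self, key: str) -> None:
        """Forget failures and any block recorded under this key."""
        self.failures.pop(key, None)
        self.blocked.discard(key)

    def admin_unblock(self, identifier: str) -> bool:
        """Clear entries for both the username and the email address,
        mirroring the clean-up described in comment #4."""
        user = self.resolve(identifier)
        if user is None:
            return False
        for key in (user, ACCOUNTS[user]["email"].lower()):
            self.clear(key)
        return True


if __name__ == "__main__":
    t = LoginTracker()
    for ident in ("alice", "alice@example.org", "Alice"):
        print(ident, "->", t.attempt(ident, "wrong"))
    print("admin unblock:", t.admin_unblock("alice@example.org"))
    print("alice@example.org ->", t.attempt("alice@example.org", "correct horse"))
```

With `collate=True`, three wrong passwords spread across the username and the email address block the account; with `collate=False`, the same six attempts split across both identifiers never reach the limit, which is the gap the patch closes.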
Comment #5
deekayen commented: I'm not real thrilled about considering functionality changes that don't come with a 7.x patch, too.
Comment #6
AaronBaumann commented: necro-post:
1. this persists into 7.x
2. at least some portion of this issue is a bug, per #184487: Message containing remaining login attempts, because the existing messaging doesn't make sense for users trying to log in to nonexistent accounts.