Looking in http://api.drupal.org/api/drupal/modules%21user%21user.module/function/u... we can see that there a 2 kind of validations on user:

  1. Pure UID: Drupal validate only against user. This is the most strict.
  2. UID+IP: Drupal checks by this pair. This is used as it is safe enough but more practical because avoids locking out public users.

Drupal defaults to the second one. The purpose of this module is to unlock flood variables and let admins configure them.

Add also user_failed_login_identifier_uid_only to form.

Members fund testing for the Drupal project. Drupal Association Learn more

Comments

abautu’s picture

Status: Active » Needs review
FileSize
1020 bytes

Attaching a patch for this feature.

claudiu.cristea’s picture

Status: Needs review » Reviewed & tested by the community

rtbc

claudiu.cristea’s picture

Issue summary: View changes

Typo

crystaldawn’s picture

Issue summary: View changes

I think this is probably out of scope for this particular project, but it might make sense as a feature request for cbp (which uses this module here as a dependency for the flood settings themselves).

heddn’s picture

FileSize
1.25 KB

RTBC from me. It makes sense to expose the ability to configure the flood logging identifier in flood_control. However, attaching a re-roll to make things go easier. The current patch didn't want to apply cleanly.

joelpittet’s picture

RTBC++ thanks for fixing the patch. The trick looks like #1 forgot --relative flag when creating the patch inside their drupal site.

David_Rothstein’s picture

+    '#description' => t('When enabled, register failed login events based on the uid only, so they apply for any IP address. This is the most secure option.'),

Maybe it would be good to explain this in a way that explains both the pros and cons. For example, from the code comments in Drupal core about this, if you read both code comments you can get a sense of the relative pros/cons:

      if (variable_get('user_failed_login_identifier_uid_only', FALSE)) {
        // Register flood events based on the uid only, so they apply for any
        // IP address. This is the most secure option.
        $identifier = $account->uid;
      }
      else {
        // The default identifier is a combination of uid and IP address. This
        // is less secure but more resistant to denial-of-service attacks that
        // could lock out all users with public user names.
        $identifier = $account->uid . '-' . ip_address();
      }