When users are using a Drupal site from a site that does NAT they will all seem to come from the same IP. This can cause problems with the current implementation of flood control in user_login_authenticate_validate() – for example if a Drupal site is being used by a school it is very easy to end up with the school being blocked due to failed login attempts. With time I'd expect students to figure out that they could do this on purpose…

I'd like to see a list of "safe" IP addresses added to the flood control checks. These addresses would be the ones from which you're expecting significant numbers of users (e.g. the school) and would be subject to relaxed criteria for the flood checks (allow more failed logins, impose less of a wait time before allowing new attempts). The user name checks would remain the same.

Another nice feature would be to allow users to "subscribe" to the block message so that teachers or other staff members could know when their IP address was being blocked in real time.

It would also be very helpful to have the tuning parameters for flood control exposed in the configuration interface, perhaps at two levels: one for overall tuning, which would require administrator privileges, and a second level for the "safe IP" controls that could be delegated (e.g. to a teacher or to IT staff).

Files:
- #1: core-1851460-1-flood-control-tuning.patch (2.81 KB, by dlu). Test result: FAILED: [[SimpleTest]]: [PHP 5.4 MySQL] Unable to apply patch core-1851460-1-flood-control-tuning.patch. Unable to apply patch. See the log in the details link for more information.
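The mechanism the issue describes, with the proposed relaxation for listed NAT gateways, as an added example in plain PHP. This is not code from the issue, from the attached patch, or from Drupal core: the `FloodControl` class, its `$safeIps` structure, the `attempt()` helper and the gateway address 203.0.113.10 are all assumptions constructed for the example. The default numbers (50 failures per IP per hour, 5 per account per six hours) are Drupal 8's `user.flood` defaults; the event names only mirror the ones Drupal uses.

```php
<?php
// Added example (not from the issue, the patch, or Drupal core): a minimal
// flood controller that applies per-IP and per-account limits to failed
// logins, with a relaxed per-IP limit for listed "safe" NAT gateways.
// The per-account limit is deliberately the same for every IP, as proposed.

final class FloodControl {
    /** @var array<string, int[]> event timestamps keyed by "name:identifier" */
    private array $events = [];

    public function __construct(
        private int $ipLimit = 50,      // failed logins per IP per window
        private int $ipWindow = 3600,   // seconds
        private int $userLimit = 5,     // failed logins per account per window
        private int $userWindow = 21600,
        // assumed structure: ip => ['limit' => int, 'window' => int]
        private array $safeIps = [],
    ) {}

    public function register(string $name, string $identifier, int $now): void {
        $this->events["$name:$identifier"][] = $now;
    }

    public function clear(string $name, string $identifier): void {
        unset($this->events["$name:$identifier"]);
    }

    // Count events still inside the sliding window, discarding expired ones.
    private function countEvents(string $name, string $identifier, int $window, int $now): int {
        $key = "$name:$identifier";
        $this->events[$key] = array_values(array_filter(
            $this->events[$key] ?? [],
            fn(int $t) => $t > $now - $window
        ));
        return count($this->events[$key]);
    }

    public function ipAllowed(string $ip, int $now): bool {
        // A listed gateway gets its own (larger) limit and (shorter) window.
        [$limit, $window] = isset($this->safeIps[$ip])
            ? [$this->safeIps[$ip]['limit'], $this->safeIps[$ip]['window']]
            : [$this->ipLimit, $this->ipWindow];
        return $this->countEvents('user.failed_login_ip', $ip, $window, $now) < $limit;
    }

    public function userAllowed(string $username, string $ip, int $now): bool {
        return $this->countEvents('user.failed_login_user', "$username-$ip", $this->userWindow, $now)
            < $this->userLimit;
    }
}

/** One login attempt: returns 'ok', 'failed', 'blocked_ip' or 'blocked_user'. */
function attempt(FloodControl $flood, string $ip, string $user, bool $passwordOk, int $now): string {
    if (!$flood->ipAllowed($ip, $now)) {
        return 'blocked_ip';
    }
    if (!$flood->userAllowed($user, $ip, $now)) {
        return 'blocked_user';
    }
    if ($passwordOk) {
        $flood->clear('user.failed_login_user', "$user-$ip");
        return 'ok';
    }
    $flood->register('user.failed_login_ip', $ip, $now);
    $flood->register('user.failed_login_user', "$user-$ip", $now);
    return 'failed';
}

// Constructed scenario: $students distinct accounts behind one NAT gateway
// each mistype their password once within the same hour.
function simulateSchool(FloodControl $flood, string $gateway, int $students): array {
    $results = [];
    for ($i = 1; $i <= $students; $i++) {
        $results[] = attempt($flood, $gateway, "student$i", false, 1000 + $i);
    }
    return array_count_values($results);
}

// Constructed scenario: one account behind the gateway fails repeatedly.
function simulateRepeatedUser(FloodControl $flood, string $gateway, int $tries): array {
    $results = [];
    for ($i = 1; $i <= $tries; $i++) {
        $results[] = attempt($flood, $gateway, 'student1', false, 2000 + $i);
    }
    return array_count_values($results);
}

$gateway = '203.0.113.10'; // documentation address, constructed for the example

$strict = new FloodControl();
print_r(simulateSchool($strict, $gateway, 60));

$relaxed = new FloodControl(safeIps: [$gateway => ['limit' => 500, 'window' => 900]]);
print_r(simulateSchool($relaxed, $gateway, 60));
print_r(simulateRepeatedUser($relaxed, $gateway, 6));
```

With the defaults, the 51st student behind the gateway is refused with `blocked_ip`, which is the school-wide lockout the issue describes. With the gateway listed in `$safeIps`, all 60 attempts are recorded as ordinary failures, while a single account that keeps failing is still stopped with `blocked_user` on its sixth try, so the relaxation only widens the shared-IP limit and leaves per-account protection untouched. Whatever limits are chosen for a safe IP, the per-IP counter should still exist (a larger limit, not an exemption), so that a gateway cannot be used to run an unbounded number of guesses across many accounts.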

Comments

#1 dlu

Status: Active » Needs review

Here is a first step on this issue. This patch adds a section to the User Admin form for tuning the flood control parameters – not sure this is the right place for this, but I can't think of a better one right now. Should be easy to move if that proves necessary.

Status: Needs review » Needs work

The last submitted patch, 1: core-1851460-1-flood-control-tuning.patch, failed testing.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.