Please limit user registrations to 1 per 24 hours.
Sorry, I mixed this up. It should be log-in rate limiting, not sure about the way to do this though. It should limit the attacker, and not shut out the legitimate user.
Summary: rate limit user registrations. → rate limit log-in attempts
I am sure I sometimes log in more than once in 24 hours. Sometimes from different machines or OS accounts. I somehow doubt I am not the only legitimate poster who would apparently be prevented from posting by this bug.
(In reply to John Hesling [:John99] from comment #3)
> I am sure I sometimes log in more than once in 24 hours. Sometimes from
> different machines or OS accounts.
>
> I somehow doubt I am not the only legitimate poster who would apparently be
> prevented from posting by this bug.

Pretty sure this is about rate-limiting *attempts* which I think really is about failures and not successes. If that's true, then this shouldn't affect you.
1 per 24 hours seems very aggressive to me, and I re-iterate Will's question: why? What do we have that indicates this will help? Additionally, what mechanism would we use to identify correlated login attempts? We could use the user account that you are attempting to log in to, but that doesn't solve the problem that I guess you are trying to solve (and I have to guess, since you didn't provide that information). We could use the IP address, but this is going to have severe issues for people who share IP addresses (see: Mozilla Offices).
Pretty sure what we want to do here is limit to something that only a brute-force password-guessing script would hit. Maybe 100 fails per day?
We decided to use a 3rd party library that protects our login form against many failed attempts. After 10 login failures, the IP address will be locked out. After an hour, the lockout will expire.

The pull request: https://github.com/mozilla/kitsune/pull/1840

Landed on master:
https://github.com/mozilla/kitsune/commit/5a526f0c9a34f29c1ce885b387b7419774d1c0ed
https://github.com/mozilla/kitsune/commit/1a59ed6cc4015eef8792db237f0d87c815049238

I've deployed to prod now.
Assignee: nobody → rrosario
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
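The lockout policy described in comment #7 (count login failures per IP, lock the IP out after 10, expire the lockout after an hour), written out as a stand-alone Python example. This is added illustration, not the third-party library the pull request pulled into kitsune; the clock is injectable so the expiry path can be exercised without waiting an hour, and the IP addresses in the test are constructed documentation addresses.

```python
"""Failure-only login throttle keyed by client IP: 10 failures lock the IP
for one hour, successes never count. Added example, not kitsune's own code."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

FAILURE_LIMIT = 10        # failures before lockout, as stated in the thread
LOCKOUT_SECONDS = 3600    # lockout duration, as stated in the thread


@dataclass
class LoginThrottle:
    # Injectable clock so tests can advance time instead of sleeping.
    clock: Callable[[], float] = time.time
    _failures: Dict[str, int] = field(default_factory=dict)       # ip -> failure count
    _locked_until: Dict[str, float] = field(default_factory=dict)  # ip -> unlock time

    def is_locked(self, ip: str) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: drop it together with the failure history behind it.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, password_ok: bool) -> str:
        """Record one login attempt and return 'ok', 'failed' or 'locked'.

        Only failures advance the counter, which is why a legitimate user who
        logs in many times a day (comment #3) is never affected. A correct
        password during an active lockout is still refused as 'locked'.
        """
        if self.is_locked(ip):
            return 'locked'
        if password_ok:
            self._failures.pop(ip, None)   # a success resets the failure count
            return 'ok'
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= FAILURE_LIMIT:
            self._locked_until[ip] = self.clock() + LOCKOUT_SECONDS
            return 'locked'
        return 'failed'
```

Because the key is the IP address, everyone behind one shared address (the Mozilla Offices case raised in comment #5) draws on the same budget of 10 failures.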
To be sure, I suggested 1 per 24 hours when I was confused about the issue we were trying to solve, not for actual log-in attempts. The info in comment #7 seems just fine to me.