Security? Correct way to LOG or RESTRICT login attempts

ab042 · Post by **ab042** » Thu Aug 03, 2006 4:36 am

I've been playing with the LOGIN process and I'm unable to find a way to restrict login attempts. In fact I can't find a way to even see or catch when an attempt is made to login with an invalid user or password.

This is a major security issue and I'm sure since I am new that I'm missing something.

Can someone point me in the correct direction, please.

aware_support · Post by **aware_support** » Thu Aug 03, 2006 7:32 am

This level of security is currently not supported in Aware IM. Multiple login attempts, smart card logins, biometrics etc are not there yet.

If this is a major issue for you we can provide a module that will allow you to intercept login attempts and prevent multipe logins in whatever way you see fit (you will need to write code for this in Java or JSP).

Hubertus · Post by **Hubertus** » Thu Aug 03, 2006 9:46 am

in order to avoid brute force attacks for gaining access an IMO quick way would be to implement a delay of a few seconds after a failed login attempt.

ab042 · Post by **ab042** » Thu Aug 03, 2006 1:22 pm

I have no problem with paying you to write a module. Could you send me a private message or a private email on who and how to get this done.

I believe a simple fix in the current code would be to fire the LoginNotification routine on invaild login attempts and we could write our own logic on what we want or don't want to allow?

aware_support · Post by **aware_support** » Fri Aug 04, 2006 4:44 am

We have sent you a private e-mail about this.

aware_support · Post by **aware_support** » Wed Aug 09, 2006 3:29 am

Starting from build 858 there is a new functionality that allows defining LoginAttemptNotification that is fired when a user unsuccessfully attempts to login. His IP address is recorded in the notification.