View Issue Details

ID: 0003189
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2015-08-10 13:32
Reporter: Jens Erat
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 2.2.17
Summary: 0003189: Failed logins should not terminate open sessions
Description

After a given number of failed logins, a user is locked for some time span to prevent brute force attacks.

Currently, a user is logged out from existing sessions if this happens, which is unnecessary and allows deauthentication attacks.

Steps To Reproduce
  • Alice logs into her account
  • Eve runs multiple logins as Alice, until Alice's account is locked
  • Alice is logged out, as her whole account is locked, not only opening new sessions
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2015-04-29 09:22 Jens Erat New Issue
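
A minimal model of the lockout behaviour described in this issue, added here as an illustration and not taken from SOGo's source: the lock is consulted when a new session is opened, and the `lock_kills_sessions` flag switches between the reported and the requested handling of sessions that are already open. The class, method names, threshold and lock duration are assumptions.

```python
import secrets
import time

class LoginGuard:
    """Toy model of failed-login lockout; not SOGo code, all names hypothetical."""

    def __init__(self, max_failures=3, lock_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures  # assumed threshold
        self.lock_seconds = lock_seconds  # assumed lock duration
        self.clock = clock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time at which the lock expires
        self.sessions = {}      # session id -> user

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0.0)

    def login(self, user, password_ok):
        if self.is_locked(user):
            return None  # brute-force protection: no new sessions while locked
        if not password_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.max_failures:
                self.locked_until[user] = self.clock() + self.lock_seconds
                self.failures[user] = 0
            return None
        self.failures[user] = 0
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def session_valid(self, sid, lock_kills_sessions):
        user = self.sessions.get(sid)
        if user is None:
            return False
        if lock_kills_sessions and self.is_locked(user):
            del self.sessions[sid]  # reported behaviour: lock ends open sessions
            return False
        return True  # requested behaviour: the lock gates login() only

def scenario(lock_kills_sessions):
    """Constructed replay of the steps to reproduce, using a fake clock."""
    now = [0.0]
    guard = LoginGuard(clock=lambda: now[0])
    alice_sid = guard.login("alice", password_ok=True)
    for _ in range(guard.max_failures):  # failed logins made by someone else
        guard.login("alice", password_ok=False)
    still_valid = guard.session_valid(alice_sid, lock_kills_sessions)
    new_login_refused = guard.login("alice", password_ok=True) is None
    return still_valid, new_login_refused
```

In both modes new logins are refused while the lock is active; only the first element of the result, the fate of Alice's existing session, differs.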