<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
Marlon,<br>
<br>
You are doing a thorough job of this, thank you!<br>
<br>
I have fixed the bug(s) you described. It now behaves exactly as
expected, including the logging. This will be in the next release.<br>
<br>
As for the feature request, the current behaviour is by design.<br>
Someone nasty (a "bad actor" in the jargon) is using your ZendTo
site to brute-force break your password.<br>
They keep trying different passwords, but always get the same simple
"incorrect" response.<br>
They don't know ZendTo very well, and don't know your configuration
settings at all.<br>
As a result, they can't tell if or when they should give up trying
to break your username/password, and try some other username
instead.<br>
<br>
As soon as you display *anything* different, the attacker knows the
lock-out limit has been reached and so they should abandon their
current attempt and try another one.<br>
<br>
So you *never* give away any hints as to why the login attempt
failed, beyond a simple fixed error message.<br>
<br>
It logs it in the ZendTo log (/var/log/zendto/zendto.log is the file
that the "System Log" button shows you the end of), so you can check
there.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
P.S. The "start" and "expiry" date/time selectors on the "Request a
drop-off" form are nearly there. I just want to tidy up that page
design layout, it's a bit of a mess and I would prefer it to use a
grid or two and a flex box like the "new drop-off" form now does.<br>
<br>
<div class="moz-cite-prefix">On 21/07/2020 13:45, Marlon Deerr via
ZendTo wrote:<br>
</div>
<blockquote type="cite"
cite="mid:WM!e77d92ba1db2d64e2566bde12aca80974b57b4cd5c53b32587b36194123f9181746e3a5a97665a8745fb8d589d9a7c6e!@mx.jul.es">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-CA">Hi Jules,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA">I was testing ZendTo. I
wanted to see what the log files will report when a user is
locked out after 10 unsuccessful login attempts. I noticed
that the log file (I think) is incorrectly reporting that a
user was not unlocked after administratively unlocking the
account, when in fact the user was successfully unlocked.
Here are the steps I performed.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l1 level1 lfo1"><!--[if !supportLists]--><span
lang="EN-CA"><span style="mso-list:Ignore">1.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span lang="EN-CA">Purposely
attempted to log in as a user with incorrect password 10
times<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l1 level1 lfo1"><!--[if !supportLists]--><span
lang="EN-CA"><span style="mso-list:Ignore">2.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span lang="EN-CA">Logged
in as an admin user and examined the System Logs<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l1 level1 lfo1"><!--[if !supportLists]--><span
lang="EN-CA"><span style="mso-list:Ignore">3.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span lang="EN-CA">System
Log file successfully identified this locked user<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l1 level1 lfo1"><!--[if !supportLists]--><span
lang="EN-CA"><span style="mso-list:Ignore">4.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span lang="EN-CA">Clicked
on “Unlock User” from the main screen and selected the user
to unlock and unlocked her<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l1 level1 lfo1"><!--[if !supportLists]--><span
lang="EN-CA"><span style="mso-list:Ignore">5.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span lang="EN-CA">Examined
the System Logs again, but this time it said “<b>Failed to
unlock user $user as did not match usernameRegexp from
preferences.php</b>”<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l1 level1 lfo1"><!--[if !supportLists]--><span
lang="EN-CA"><span style="mso-list:Ignore">6.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span lang="EN-CA">Logged
out as the administrator user<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l1 level1 lfo1"><!--[if !supportLists]--><span
lang="EN-CA"><span style="mso-list:Ignore">7.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span lang="EN-CA">Tried
logged in as this “supposedly” locked user
<b>BUT</b> the login was successful.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA">Does this mean that the
System Log file is incorrectly reporting that the user was
not unlocked, when in fact the user was unlocked?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-CA">ALSO:</span></b><span
lang="EN-CA"> Feature Request (if possible)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA">When a user is
approaching the maximum allowed failed login attempts can
you include a message that<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
lang="EN-CA"><span style="mso-list:Ignore">1.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span lang="EN-CA">Warns
the user that you have x more attempts before you get locked
out (where x is a number)<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
lang="EN-CA"><span style="mso-list:Ignore">2.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span lang="EN-CA">After
the user has failed to login after 10 attempts, instead of
just saying “Authentication Error. The username or password
was incorrect”, can it not say something like
“Authentication Error. You have attempted more than the
allowed failed attempts to log in. Your account therefore
has been locked. Please contact your administrator to have
it unlocked”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA">While testing this
feature above, I found that I was not keeping track of how
many times I made a failed login and must have tried over
and over again waiting for a message to let me now that I
was locked out. I think having such a message will help
reduce IT Tickets from staff wondering why they can’t log
in. They may not even know they have been locked out.<o:p></o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://jul.es/mailman/listinfo/zendto">http://jul.es/mailman/listinfo/zendto</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
The current UK shipping forecast:
Trafalgar: Cyclonic 6 to gale 8 at first in southeast, otherwise northerly 5
to 7, becoming variable 3 or 4 in southeast. Moderate or rough, occasionally
very rough. Thundery showers. Good, occasionally poor.
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</body>
</html>