[Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin

[Jan-Wijbrand Kolman]

Hi,

I'm looking into integrating z3c.password into an application that 
also uses the PAU with the principal folder, InternalPrincipals and 
the SessionCredentialsPlugin.

One of the features of z3c.password that I'd like to use is locking 
out an user account after a number of failed login attempts. 
z3c.password provides such a feature.

However, it seems this feature does not play well with the 
SessionCredentialsPlugin:

The SessionCredentials will store the login and password that were 
submitted through the login form in a session. This login/password 
combination then is checked against the internal principal stored in 
the principal folder.

If the password is correct then (obviously) everything is fine.

When the password is incorrect, the user is directed back to the login 
form as authentication failed. If the page with the login form 
retrieves resources (like images or css of javascript files) and since 
the zopepublication will _try_ to authenticate every request, the 
wrongful login/password combination is checked multiple times for that 
page and its resources against the internal principal object.

The internal principal mixin of z3c.password will count the number of 
failed checks. If you tell it to lock out an user after, say, three 
failed attempts, you have a problem, as the number of login page 
resources (thus requests) will quite easily outnumber the maximum 
number of attempts.

Questions: is anyone using this feature of z3c.password in combination 
with the SessionCredentialsPlugin? If this is working for you, do you 
have any idea what I am doing wrong here? What type of authentication 
are the authors of z3c.password using?

Thanks for any insight here.
regards,
jw