Difference between revisions of "User auth limits.pl"

From EPrints Documentation
Revision summaries: (Added page about config file); (Added previous user_password_maxlength.pl config into this config file.)

Latest revision as of 08:40, 31 January 2022

Back to cfg.d

user_auth_limits.pl contains configuration that places limits on aspects of user authentication. It contains the following configuration options:

  • $c->{max_login_attempts} - Maximum number of failed login attempts before the account is locked. Default is 10.
  • $c->{lockout_minutes} - How long an account stays locked after too many failed login attempts. Default is 10 minutes.
  • $c->{reset_request_recent_hours} - Number of hours that must pass before another password reset email can be sent, assuming the password was not reset using the previous email. This prevents users being incessantly spammed with unsolicited password reset emails. Default is 24 hours.
  • $c->{max_account_requests} - Maximum number of accounts that can be requested in a set period. Default is 100.
  • $c->{max_account_requests_minutes} - Length of that period in minutes: no more than max_account_requests accounts can be requested within it. Default is 60 minutes.
  • $c->{password_maxlength} - The maximum number of characters a password can have. Default is 200 characters. This is required to prevent malicious users submitting passwords of millions of characters and thereby denial-of-servicing the repository while it tries to hash them.

This file also contains an EP_TRIGGER_VALIDATE_FIELD trigger that checks that any secret fields (most likely password fields) are not being set to a value longer than $c->{password_maxlength}.
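The following is an added example, not code from EPrints or from this wiki page: it models the semantics of the six limits described above (login lockout, reset-email throttling, account-request rate limiting and the maximum password length enforced by the validate trigger) as a small in-memory enforcer with an injected clock, so the behaviour can be exercised offline. The class and method names (AuthLimits, AuthLimiter, record_login, may_send_reset_email, may_request_account, validate_secret) are this example's own; the defaults match the page. Two details the page leaves open are assumptions here: the lock is applied on the attempt that reaches max_login_attempts, and the failure counter is cleared when the lock is applied.

```python
"""Illustrative model of the limits configured in user_auth_limits.pl.

Added example, not EPrints code. Times are plain epoch seconds passed in by
the caller so the logic is deterministic and testable without sleeping.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class AuthLimits:
    """Defaults taken from the user_auth_limits.pl documentation."""
    max_login_attempts: int = 10
    lockout_minutes: int = 10
    reset_request_recent_hours: int = 24
    max_account_requests: int = 100
    max_account_requests_minutes: int = 60
    password_maxlength: int = 200


class AuthLimiter:
    """In-memory enforcement of the limits (assumed semantics, see lead-in)."""

    def __init__(self, limits=None):
        self.limits = limits or AuthLimits()
        self._failures = {}          # username -> consecutive failed attempts
        self._locked_until = {}      # username -> epoch seconds lock expires
        self._last_reset_mail = {}   # username -> epoch seconds of last reset email
        self._account_requests = deque()  # timestamps of recent account requests

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_login(self, user, success, now):
        """Returns 'ok', 'rejected' (bad credentials) or 'locked'."""
        if self.is_locked(user, now):
            return "locked"            # ignore the attempt entirely while locked
        if success:
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.limits.max_login_attempts:
            # Assumption: lock on reaching the maximum and reset the counter.
            self._locked_until[user] = now + self.limits.lockout_minutes * 60
            self._failures.pop(user, None)
            return "locked"
        return "rejected"

    def may_send_reset_email(self, user, now):
        """True if no reset email was sent within reset_request_recent_hours."""
        last = self._last_reset_mail.get(user)
        window = self.limits.reset_request_recent_hours * 3600
        if last is not None and now - last < window:
            return False
        self._last_reset_mail[user] = now
        return True

    def password_reset_done(self, user):
        """A completed reset clears the throttle, as the page's wording implies."""
        self._last_reset_mail.pop(user, None)

    def may_request_account(self, now):
        """Sliding window: at most max_account_requests per
        max_account_requests_minutes across all requesters."""
        window = self.limits.max_account_requests_minutes * 60
        while self._account_requests and now - self._account_requests[0] >= window:
            self._account_requests.popleft()
        if len(self._account_requests) >= self.limits.max_account_requests:
            return False
        self._account_requests.append(now)
        return True

    def validate_secret(self, value):
        """Mirrors what the EP_TRIGGER_VALIDATE_FIELD trigger checks for secret
        fields: returns a list of problems, empty if the value is acceptable.
        The length check runs before any hashing would take place."""
        problems = []
        if value is not None and len(value) > self.limits.password_maxlength:
            problems.append(
                f"password exceeds {self.limits.password_maxlength} characters")
        return problems


if __name__ == "__main__":
    # Constructed walk-through with a small lockout threshold for readability.
    lim = AuthLimiter(AuthLimits(max_login_attempts=3, lockout_minutes=10))
    for t in range(3):
        print("attempt", t, lim.record_login("alice", False, now=t))
    print("during lock:", lim.record_login("alice", True, now=5))
    print("after lock:", lim.record_login("alice", True, now=602))
    print("long password:", lim.validate_secret("x" * 201))
```

The sliding window for account requests is kept per process and counts every request regardless of source, which matches the page's description of a repository-wide cap; the length check in validate_secret is deliberately a plain character count so that an oversized value is rejected before any hashing cost is incurred.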