User auth limits.pl

From EPrints Documentation
Revision as of 08:40, 31 January 2022 by Drn@ecs.soton.ac.uk (talk | contribs) (Added previous user_password_maxlength.pl config into this config file.)




user_auth_limits.pl, one of the cfg.d configuration files, contains configuration that places limits on aspects of user authentication. It contains the following configuration options:

  • $c->{max_login_attempts} - Maximum number of failed login attempts before the account is locked. Default is 10.
  • $c->{lockout_minutes} - How long an account is locked if there are too many failed login attempts. Default is 10 minutes.
  • $c->{reset_request_recent_hours} - Number of hours before another password reset request email can be sent, assuming the password was not reset by the previous email. This prevents users being incessantly spammed by unsolicited password reset emails. Default is 24 hours.
  • $c->{max_account_requests} - Maximum number of accounts that can be requested in a set period. Default is 100.
  • $c->{max_account_requests_minutes} - Number of minutes for which no more than max_account_requests accounts can be requested. Default is 60 minutes.
  • $c->{password_maxlength} - The maximum number of characters that a password can have. Default is 200 characters. This is required to prevent malicious users submitting passwords of millions of characters and so denial-of-servicing the repository whilst it tries to hash them.

This file also contains an EP_TRIGGER_VALIDATE_FIELD trigger that checks that any secret fields (likely to be password fields) are not trying to set a password longer than $c->{password_maxlength}.
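The following is an added example of what such a user_auth_limits.pl could look like, written for this page rather than copied from the EPrints distribution: it sets the six options at their documented defaults and adds a validate-field trigger enforcing password_maxlength. The hash keys the trigger callback is assumed to receive (repository, field, value, problems) should be checked against the EPrints version in use.

```perl
# Added example of cfg.d/user_auth_limits.pl; not the file shipped with EPrints.

# Lock an account for 10 minutes after 10 failed login attempts.
$c->{max_login_attempts} = 10;
$c->{lockout_minutes}    = 10;

# Do not send another password reset email within 24 hours
# unless the earlier one was actually used to reset the password.
$c->{reset_request_recent_hours} = 24;

# Allow at most 100 account requests in any 60-minute window.
$c->{max_account_requests}         = 100;
$c->{max_account_requests_minutes} = 60;

# Cap password length so that hashing cannot be turned into a denial of service.
$c->{password_maxlength} = 200;

# Reject any "secret" field value (i.e. a password) longer than password_maxlength.
# Assumption: the callback receives the keys repository, field, value and problems.
$c->add_trigger( EP_TRIGGER_VALIDATE_FIELD, sub
{
	my( %args ) = @_;
	my( $repo, $field, $value, $problems ) =
		@args{ qw( repository field value problems ) };

	# Only secret fields are subject to the length limit.
	return EP_TRIGGER_OK unless defined $field && $field->get_type eq "secret";
	# Nothing to check if no value was supplied.
	return EP_TRIGGER_OK unless EPrints::Utils::is_set( $value );

	my $maxlength = $repo->config( "password_maxlength" ) || 200;
	if( length( $value ) > $maxlength )
	{
		# Appending to $problems makes the field fail validation.
		push @$problems, $repo->make_text(
			"Password must be no longer than $maxlength characters." );
	}
	return EP_TRIGGER_OK;
} );
```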