I have added login throttling to my Symfony app.
If I try to log in 5 times in a row in the same minute with invalid credentials, I get a TooManyLoginAttemptsAuthenticationException in the onAuthenticationFailure method of my authenticator, so far so good.
But if I try to log in with correct credentials in the same minute after the TooManyLoginAttemptsAuthenticationException, I was expecting to get the same error, but I'm actually successfully logged in.
Am I missing something?
My security.yaml:
security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        ldap:
            id: App\Security\LdapUserProvider
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\Utilisateur
                property: nni
    encoders:
        App\Entity\Utilisateur:
            algorithm: 'auto'
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    access_control:
        - { path: ^/get_team_email$, roles: PUBLIC_ACCESS }
        - { path: ^/login$, roles: PUBLIC_ACCESS }
        - { path: ^/login_check$, roles: PUBLIC_ACCESS }
        - { path: ^, roles: ROLE_USER }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            security: true
            provider: '%connexion_provider%'
            entry_point: App\Security\LdapFormAuthenticator
            logout:
                path: /logout
                success_handler: app.logout.success.handler
            # configuring the maximum login attempts (per minute)
            login_throttling:
                max_attempts: 3
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#firewalls-authentication
            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true
            guard:
                authenticators:
                    - App\Security\LdapFormAuthenticator
            form_login:
                use_forward: true
                login_path: login
                check_path: login
As you can see in the source code of the throttling handler, the limiter is reset on successful logins. It solely kicks in on three successive failing login attempts (where that 3 has been defined in your own configuration).
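The counting-and-reset behaviour the answer describes, as an added example that is not code from the question, the answer or Symfony itself. It uses Symfony's RateLimiter component (the component the firewall's login_throttling option is built on) to model the sequence: every attempt consumes one token from a fixed window, and a successful login resets that window. Everything about the setup is an assumption of the example rather than something on the page: the limiter key "<username>@<client ip>", a limit of 3 per minute mirroring max_attempts: 3, a constructed in-memory user table standing in for the LDAP provider, and the throttle check being modelled as running before the password is verified.

```php
<?php
// Added example; not code from the question or the answer above.
// Models login throttling with Symfony's RateLimiter component:
// each attempt consumes a token from a fixed window keyed by
// "<username>@<client ip>"; a successful login resets that window.
//
// Assumptions (not taken from the page):
//   - limit 3 per 1 minute (mirrors max_attempts: 3 in the posted config)
//   - the throttle check runs before credentials are verified
//   - a constructed user table instead of the LDAP provider
//
// Run: composer require symfony/rate-limiter && php throttle_demo.php

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\RateLimiter\Storage\InMemoryStorage;

final class ThrottledLogin
{
    private RateLimiterFactory $factory;

    /** @var array<string,string> constructed credentials for the demo */
    private array $users = ['alice' => 'correct-horse'];

    public function __construct(int $maxAttempts = 3, string $interval = '1 minute')
    {
        $this->factory = new RateLimiterFactory([
            'id'       => 'login_local',
            'policy'   => 'fixed_window',
            'limit'    => $maxAttempts,
            'interval' => $interval,
        ], new InMemoryStorage()); // in-memory for the demo; use a shared cache storage in production
    }

    /** Returns 'throttled', 'bad-credentials' or 'ok'. */
    public function attempt(string $username, string $password, string $ip): string
    {
        // One limiter per (username, ip) pair, so attempts against one
        // account are counted separately from other users behind the same IP.
        $limiter = $this->factory->create($username . '@' . $ip);

        // Every attempt costs a token, before the password is looked at.
        if (!$limiter->consume(1)->isAccepted()) {
            // This is where the listener throws TooManyLoginAttemptsAuthenticationException.
            return 'throttled';
        }

        if (!isset($this->users[$username]) || !hash_equals($this->users[$username], $password)) {
            return 'bad-credentials';
        }

        // Successful login: the window for this key is cleared, so the next
        // lockout again needs three consecutive failures.
        $limiter->reset();
        return 'ok';
    }
}

$login = new ThrottledLogin(3);
$ip = '203.0.113.10'; // constructed client address

// [username, password, expected outcome]
$script = [
    ['alice', 'wrong-1',       'bad-credentials'],
    ['alice', 'correct-horse', 'ok'],              // success resets the counter
    ['alice', 'wrong-2',       'bad-credentials'], // fresh window: failure 1
    ['alice', 'wrong-3',       'bad-credentials'], // failure 2
    ['alice', 'wrong-4',       'bad-credentials'], // failure 3: limit reached
    ['alice', 'correct-horse', 'throttled'],       // 4th attempt in the window rejected before the password is checked
    ['bob',   'anything',      'bad-credentials'], // different key, unaffected
];

foreach ($script as [$user, $pass, $expected]) {
    $got = $login->attempt($user, $pass, $ip);
    printf("%-6s %-14s -> %-15s %s\n", $user, $pass, $got, $got === $expected ? '' : '(unexpected)');
}
```

Two things worth checking against your own setup: the reset only happens on a login that succeeds, so an attacker who never supplies the right password never clears the counter; and the counter is per key, so a successful login from one address does not unlock the account for a different address that is still throttled. If your authenticator verifies credentials before the throttle check runs, the fourth line of the script above would come back 'ok' instead of 'throttled', which is the behaviour the question reports.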