Hi,
Throttling protects against brute force, so by the time you refresh the page
*manually*, the throttling has been removed.
We have the exact same throttle conf. This conf allows 1 error per 2.5 seconds:
you must wait 2.5 seconds after a failure, otherwise it will be rejected.
Our integration tests this:
Ah OK, thanks.
I understand now, I was confused: I thought it was like fail2ban, but it's a
rate limiting system!
But it's badly done, because if I set
cas.authn.throttle.failure.range-seconds=3600
cas.authn.throttle.failure.threshold=5
it does not block for 1 hour if I have 5 bad logins
So I have
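Added example, not part of the thread and not CAS code: a small Python model of the difference discussed above, assuming the two settings are read as an allowed failure rate (threshold / range-seconds), which matches the "1 error per 2.5 seconds" description. The class names, the lockout policy and the attempt timeline are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class RateThrottle:
    """Assumed rate reading: allowed failure rate = threshold / range-seconds."""
    threshold: int       # cas.authn.throttle.failure.threshold
    range_seconds: int   # cas.authn.throttle.failure.range-seconds
    last_failure: Optional[float] = None

    @property
    def min_interval(self) -> float:
        return self.range_seconds / self.threshold

    def allowed(self, now: float) -> bool:
        return self.last_failure is None or now - self.last_failure >= self.min_interval

    def record_failure(self, now: float) -> None:
        self.last_failure = now

@dataclass
class Lockout:
    """Hypothetical fail2ban-style policy: N failures in a window trigger a ban."""
    threshold: int
    window_seconds: int
    ban_seconds: int
    failures: List[float] = field(default_factory=list)
    banned_until: float = 0.0

    def allowed(self, now: float) -> bool:
        return now >= self.banned_until

    def record_failure(self, now: float) -> None:
        self.failures = [t for t in self.failures if now - t < self.window_seconds] + [now]
        if len(self.failures) >= self.threshold:
            self.banned_until, self.failures = now + self.ban_seconds, []

def replay(policy, times):
    """Feed wrong-password attempts at the given times; one outcome per attempt."""
    outcomes = []
    for t in times:
        if policy.allowed(t):
            policy.record_failure(t)      # password was checked and was wrong
            outcomes.append("checked")
        else:
            outcomes.append("throttled")  # rejected before the password is checked
    return outcomes

ATTEMPTS = [0, 60, 120, 180, 240, 300, 1000, 3000]  # constructed timeline, seconds
```

With `RateThrottle(5, 3600)` the model enforces a 720-second gap after each failure, so the attempts at 1000 s and 3000 s are checked again; `Lockout(5, 3600, 3600)` instead checks the first five attempts and then rejects everything for an hour.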
Hi
It works, the user can log in if using a wrong password
William
On Wed, Apr 5, 2023 at 23:56, Ray Bon wrote:
> William,
>
> If the throttled user tries to log in after the page refresh, what happens?
>
> Ray
>
> On Wed, 2023-04-05 at 07:14 -0700, William Vincent (Wix31) wrote:
Hi,
I'm now able to register my WebAuthn device, to log in, and to trust my device.
What I noticed is that the allowed-origins (device registering) property
and application-id extension (connect) now seem mandatory to me (though they
were not in 6.5.9).
Without those two settings, I'm stuck.
w