I currently have the admin app configured to be only accessible from a single dynamic IP, however I intend to relax this a bit. Prior to doing so I tested the authentication methods by entering false passwords for admin several times. As expected my IP shows up in the hosts.deny file after several attempts, however once I enter the correct password the IP address is immediately removed from hosts.deny and I can login. It seems to me this kind of defeats the purpose of having a hosts.deny file. A work around solution could be to write a cron job that picks up the IP address from hosts.deny and block that IP, but the current set up in web2py surprises me. Is this the intent ?
Also the flash messages indicating that the account is blocked or that too many login attempts have been made seems not in line with security standards recommending no change in user messages once an account is blocked, where can I find the location to change these messages to a single consistent login failure message ? Kind regards, Tom -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
