I currently have the admin app configured to be accessible only from a single 
dynamic IP; however, I intend to relax this a bit. Prior to doing so I tested 
the authentication methods by entering false passwords for admin several times. 
As expected, my IP shows up in the hosts.deny file after several attempts; 
however, once I enter the correct password the IP address is immediately removed 
from hosts.deny and I can log in. It seems to me this kind of defeats the 
purpose of having a hosts.deny file. A workaround would be to write a 
cron job that picks up the IP address from hosts.deny and blocks that IP, but 
the current setup in web2py surprises me. Is this the intent?

Also, the flash messages indicating that the account is blocked or that too many 
login attempts have been made seem not in line with security standards, which 
recommend no change in user messages once an account is blocked. Where can I 
find the location to change these messages to a single consistent login failure 
message?

Kind regards,

Tom

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
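As an added illustration of the two points raised in the question above (example code written for this page, not web2py's own auth or admin code): a small login guard in which an IP ban is time-based and is not cleared by a later correct password, every failed attempt returns the same generic message whether or not the IP is banned, and the current ban list can be exported for a cron job to hand to a firewall. The threshold, ban length, message text, in-memory storage and the FakeClock helper are assumptions for the demo, not web2py settings.

```python
# Added example (not web2py code): a login guard where an IP lockout is
# time-based and is NOT lifted by a later correct password, and where every
# failure, banned or not, gets the same generic message.
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5          # failures before the IP is banned (assumed policy)
BAN_SECONDS = 15 * 60     # how long a ban lasts (assumed policy)
GENERIC_FAILURE = "Invalid login"   # the one message every failure receives


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Demo parameters only."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class FakeClock:
    """Injectable clock so the lockout window can be advanced in tests."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


class LoginGuard:
    def __init__(self, users, clock=time.time):
        # users: username -> (salt, digest); clock: callable returning unix time
        self._users = users
        self._clock = clock
        self._failures = {}      # ip -> consecutive failed attempts
        self._banned_until = {}  # ip -> unix time at which the ban expires

    def is_banned(self, ip):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            # Ban expired: forget it and reset the failure counter.
            del self._banned_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def banned_ips(self):
        """Currently banned IPs, e.g. for a cron job that feeds a firewall."""
        return sorted(ip for ip in list(self._banned_until) if self.is_banned(ip))

    def _check_password(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Hash anyway so unknown users cost the same time as known ones.
            hash_password(password, b"\x00" * 16)
            return False
        salt, digest = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    def attempt(self, ip, username, password):
        """Returns (success, message); the message is identical for every failure."""
        if self.is_banned(ip):
            # Banned: the password is not even evaluated, so a correct
            # guess cannot end the ban early.
            return False, GENERIC_FAILURE
        if self._check_password(username, password):
            self._failures.pop(ip, None)
            return True, "Welcome"
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= MAX_ATTEMPTS:
            self._banned_until[ip] = self._clock() + BAN_SECONDS
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    # Constructed walk-through: ban the IP, then show that the correct
    # password is refused with the same message until the window expires.
    clock = FakeClock(1000.0)
    guard = LoginGuard({"admin": (*hash_password("correct horse"),)}, clock)
    for _ in range(MAX_ATTEMPTS):
        print(guard.attempt("203.0.113.5", "admin", "wrong"))
    print(guard.attempt("203.0.113.5", "admin", "correct horse"))  # still refused
    print(guard.banned_ips())
    clock.t += BAN_SECONDS
    print(guard.attempt("203.0.113.5", "admin", "correct horse"))  # accepted
```

The design point is that the ban check runs before the password check, so a valid credential presented from a banned address is indistinguishable to the client from a wrong one, and the ban is keyed on time rather than on the outcome of the next attempt.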