
Re: Chevereto v4.3.0 announcement

SunnyBlueSkies

SunnyBlueSkies.com
Added restricted password reset after repeated failures

In Chevereto v4.3.0, the password-forgot action is now subject to the same failure limits as login and signup. After a number of failed attempts (25 by default), further requests from the same IP are blocked. This helps prevent abuse of the password reset functionality. The restriction system is IP-based and can be extended to other actions—contributions and suggestions are welcome.
What about flexibility and choice, perhaps a soft ban from the same IP, in the event that the user errs and truly wants to reset the password through this method but can't due to complications beyond their control?
 
@SunnyBlueSkies

The current default is 25 in 24H, which is more than enough to cover all these edge cases. This is not a new request-log system; it is the exact same failed-request protection we have already enabled for other systems, we just extend it to cover more system actions now.

I've self-locked a few times while servicing installations with issues, but preventing the request-log system from doing its thing was never part of the solution, as it is a protection system, like a fence.
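
An added example, not Chevereto's code, of the IP-based failed-request limit discussed in this thread (25 failures in 24 hours), showing both the block and how it lifts once old failures age out. The class and method names, the sliding window and the per-action counters are assumptions; the thread only states the default and that the limit is IP-based.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 25            # default quoted in the thread
WINDOW_SECONDS = 24 * 3600   # "25 in 24H"

class FailedRequestLimiter:
    """Hypothetical per-IP failed-request limiter (not Chevereto's implementation)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        # Assumption: failures are counted per (action, ip), not pooled across actions.
        self._failures = defaultdict(deque)

    def _prune(self, key):
        # Drop failure timestamps that have fallen out of the window.
        cutoff = self.clock() - self.window
        q = self._failures[key]
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def is_blocked(self, action, ip):
        return len(self._prune((action, ip))) >= self.max_failures

    def record_failure(self, action, ip):
        self._prune((action, ip)).append(self.clock())

    def attempt(self, action, ip, succeeded):
        """Gate one request; returns 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(action, ip):
            return "blocked"          # refuse before doing any work
        if succeeded:
            return "ok"
        self.record_failure(action, ip)
        return "failed"

def demo():
    now = [0.0]                                   # constructed clock for the demo
    lim = FailedRequestLimiter(clock=lambda: now[0])
    ip = "203.0.113.7"                            # constructed documentation address
    results = [lim.attempt("password-forgot", ip, succeeded=False) for _ in range(26)]
    other_ip = lim.attempt("password-forgot", "203.0.113.8", succeeded=True)
    now[0] += WINDOW_SECONDS + 1                  # a day later the old failures age out
    after_window = lim.attempt("password-forgot", ip, succeeded=True)
    return results.count("failed"), results[-1], other_ip, after_window

if __name__ == "__main__":
    print(demo())
```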
 