I think is a good idea to have a setting to limit the number of times a user can check if username/email exists. That prevent unnecessary requests on db.

Comments

andrew m riley’s picture

Version: » 7.x-1.x-dev

I would agree, I've been toying around with the number to stop at. Ultimately I'll make it configureable but do you have any thoughts on a default number?

PedroMiguel’s picture

I think 15 is more than enough, even for a very large site. Ideal is to let site admin choose the number, if it takes a lot for you to code, just leave 15 as value and document people must change that value to have more/less attempts.

andrew m riley’s picture

Thats the rub. It will check once per second if something has changed. So if they type two letters per second that would mean they have a maxium of 30 letters to type before they get a flood deny.

I was thinking along the lines of 300 max requests durring a period and a maximum of 1 request per second.

andrew m riley’s picture

Assigned: Unassigned » andrew m riley

The initial flood limiting is now in the dev branch. Right now it's hardcoded to 300 but I plan on adding an admin page for that. I haven't tested if the update.php has implemented the schema for previously installed versions.

Things to note: If a user does hit the flood limit then the messages are removed and the timeout is cancelled. I need to do further testing on the two fields interacting.

andrew m riley’s picture

Status: Active » Fixed

Right now I'm leaving it in a constant at 300 (in tonights build). Marking this ticket as fixed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.