When users are using a Drupal site from a site that does NAT they will all seem to come from the same IP. This can cause problems with the current implementation of flood control in user_login_authenticate_validate() – for example if a Drupal site is being used by a school it is very easy to end up with the school being blocked due to failed login attempts. With time I'd expect students to figure out that they could do this on purpose…

I'd like to see a list of "safe" IP addresses added to the flood control checks. These addresses would be the ones from which you're expecting significant numbers of users (e.g. the school) and would be subject to relaxed criteria for the flood checks (allow more failed logins, impose less of a wait time before allowing new attempts). The user name checks would remain the same.

Another nice feature would be to allow users to "subscribe" to the block message so that teachers or other staff members could know when their IP address was being blocked in real time.

It would also be very helpful to have the tuning parameters for flood control exposed in the configuration interface, perhaps at two levels: one for overall tuning, which would require administrator privileges, and a second level for the "safe IP" controls that could be delegated (e.g. to a teacher or to IT staff).
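To make the proposal above concrete, here is a standalone PHP sketch (added as an illustration; it is not Drupal core code and not the patch attached to this issue) of per-IP login flood control with a safe-IP list that gets relaxed limits while the per-username check stays unchanged, and with the thresholds held in one configuration array so they could be exposed in an admin form. The event rows are modelled loosely on the (event, identifier, timestamp) rows Drupal keeps in its {flood} table, but the class, its method names, every threshold, the safe-IP list and the sample attempts are all assumptions constructed for this example.

```php
<?php
// Illustrative example only: not Drupal core and not the patch on this issue.
// Per-IP login flood control with a "safe IP" list that gets relaxed limits;
// the per-username limit is applied identically for every address.
// All thresholds, the safe-IP list and the sample events are constructed.

class LoginFloodControl {
  // Events recorded as [event, identifier, timestamp], loosely mirroring
  // the rows Drupal stores in its {flood} table.
  private $events = [];

  // Tunable parameters: strict per-IP limits, relaxed limits for safe IPs,
  // and a per-username limit that does not depend on the source address.
  private $config = [
    'ip_limit'       => 50,    // failed attempts per IP per window
    'ip_window'      => 3600,  // seconds
    'safe_ip_limit'  => 500,   // relaxed: a NAT gateway fronts many users
    'safe_ip_window' => 900,   // relaxed: shorter wait before new attempts
    'user_limit'     => 5,     // per-username limit, same everywhere
    'user_window'    => 21600,
    'safe_ips'       => ['203.0.113.10'], // constructed gateway address (TEST-NET-3)
  ];

  public function __construct(array $overrides = []) {
    // Overrides stand in for values an admin form would save.
    $this->config = array_merge($this->config, $overrides);
  }

  public function isSafeIp(string $ip): bool {
    return in_array($ip, $this->config['safe_ips'], true);
  }

  // Count events for ($event, $identifier) newer than $now - $window.
  private function countEvents(string $event, string $identifier, int $window, int $now): int {
    $count = 0;
    foreach ($this->events as [$e, $id, $ts]) {
      if ($e === $event && $id === $identifier && $ts > $now - $window) {
        $count++;
      }
    }
    return $count;
  }

  public function registerFailure(string $ip, string $username, int $now): void {
    $this->events[] = ['failed_login_ip', $ip, $now];
    $this->events[] = ['failed_login_user', strtolower($username), $now];
  }

  // Returns NULL when the attempt may proceed, or the name of the limit
  // that blocked it ('ip' or 'user').
  public function check(string $ip, string $username, int $now): ?string {
    $safe   = $this->isSafeIp($ip);
    $limit  = $safe ? $this->config['safe_ip_limit']  : $this->config['ip_limit'];
    $window = $safe ? $this->config['safe_ip_window'] : $this->config['ip_window'];
    if ($this->countEvents('failed_login_ip', $ip, $window, $now) >= $limit) {
      return 'ip';
    }
    if ($this->countEvents('failed_login_user', strtolower($username),
                           $this->config['user_window'], $now) >= $this->config['user_limit']) {
      return 'user';
    }
    return NULL;
  }
}

$describe = function (?string $result): string {
  return $result === NULL ? 'allowed' : "blocked by $result limit";
};

// Constructed scenario: 60 different students behind one gateway each
// mistype a password once within the hour.
$flood = new LoginFloodControl();
$now = time();
$sources = ['203.0.113.10' => 'school NAT (safe)', '198.51.100.7' => 'other address'];
foreach ($sources as $ip => $label) {
  for ($i = 0; $i < 60; $i++) {
    $flood->registerFailure($ip, "student$i", $now);
  }
  printf("%-20s after 60 distinct failures: %s\n", $label,
    $describe($flood->check($ip, 'student61', $now)));
}

// One account hit repeatedly from the safe IP still trips the per-user limit.
for ($i = 0; $i < 5; $i++) {
  $flood->registerFailure('203.0.113.10', 'teacher', $now);
}
printf("%-20s 5 failures on one account: %s\n", 'school NAT (safe)',
  $describe($flood->check('203.0.113.10', 'teacher', $now)));
```

Run with `php flood-example.php`: the non-safe address is blocked by the IP limit after 60 distinct failures, the safe address is still allowed, and the username limit blocks the fifth failure on a single account regardless of where it came from. Keeping the safe-IP thresholds in the same configuration array as the global ones is what would let a form delegate only that part to non-administrators.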

#1 core-1851460-1-flood-control-tuning.patch (2.81 KB) by dlu
PASSED: [[SimpleTest]]: [MySQL] 48,794 pass(es).

Status: Active » Needs review

Here is a first step on this issue. This patch adds a section to the User Admin form for tuning the flood control parameters – not sure this is the right place for this, but I can't think of a better one right now. Should be easy to move if that proves necessary.