1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

make ip-check for failed logins an option

Discussion in 'XenForo Suggestions' started by Hoffi, Apr 8, 2015.

  1. Hoffi

    Hoffi Well-Known Member

    I don't want this feature.

    My Main Reason is, that in Germany many town councils share the same IP. Now, if you have many Users from a council, this blocking System may cause trouble.

    I really like many of your security funciotns, but this one really makes no sense for me.
    no6mis, mcatze, Alluidh and 3 others like this.
  2. whynot

    whynot Well-Known Member

    Are they trying to login with the same username?
  3. digitalpoint

    digitalpoint Well-Known Member

    It doesn't block them, just requires them to also use a captcha. Even if you have a ton of users from the same IP, how many are logging in (not just being on your site, as in typing their password) in the same 1 hour window and choosing the option to not stay logged in?
  4. Hoffi

    Hoffi Well-Known Member

    Maybe, of they share an account. This is possible. German councils are often working with shared accounts. And many councils share the same outgoing IP.
  5. digitalpoint

    digitalpoint Well-Known Member

    Even if they share an account... normally once you log in, you stay logged in. You can be logged in on 100 computers with the same IP if you wanted. So really would only be a problem if they all decided to log out and then log in fresh at the same time (within an hour), *and* a bunch of them used the wrong password. The login attempt counter only counts if they use the wrong username/password.

    They would all have to be logging in fresh (entering login/password) within a 30 minute window, rather than staying logged in. They would ALSO need to use the wrong login/password more than once. I'd say the chances of that happening multiple times in the short 30 minute window is pretty rare. And even *then*, the worst case scenario is they have to click the captcha button once (if you are using the "No CAPTCHA reCAPTCHA" option they don't even need to type anything to solve it).

    Truthfully, I think you might be worrying about something that will never happen to a legit user... like I said, they would have to be getting their password wrong multiple times while logging in fresh within a short window of time to even be presented with the captcha option.

Share This Page