﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
187	Brute force attack prevention	car031		"1)
Being able to stop or at least slow down brute force attacks, by only allowing, e.g., 5 login tries from an IP address;
when you have tried 3-5 (or any number of) times without success, the account should be disabled for, for instance, 30 min.

You can do this by extending the account table in the DB to include:

    Last-unsuccessful-login: long date time
    Period-of-unsuccessful-tries: Integer
    Last-login-IP: String
    Max-Login-tries: byte
    Login-wait-time-in-min: integer

Then when you unsuccessfully try to log in from Last-login-IP Max-Login-tries times, the account will be disabled for Login-wait-time-in-min minutes.
If you log in successfully, it clears the entries.


The only downside to this is that if you put a reverse proxy in front of your LogicalDoc, you have the same IP for everyone, but that should
just be stated in the documentation.


2)
Be able to stop logging on as admin unless he comes from the server's IP OR 127.0.0.1


3)
The username should not be restricted by any characters, or the following characters should be the only ones not allowed:
[ ] : ; | = + ? < > * ""
This is the same as Microsoft is using.


4)
Allow all imported users (from LDAP) to be disabled instead of enabled.


5)
Segregate the users into domains.
If you allow a fictive domain, e.g. MyCompany, when you log in, you could sell this as a hoster; then you only
need to create a domain for the company you are hosting the application for.

ex.
Login name: Gert
Password: Jensen
Domain: MS-Team"	new feature	closed	major	7.6.2	Core	6.3.4	fixed		
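The following is an added example (not code from the ticket or from LogicalDoc) showing how points 1, 2 and 3 of the request could be implemented on top of the account columns the reporter proposes. It assumes an in-memory `Account` record with those columns, a constructed sample user, and a `SERVER_IPS` set standing in for the server's own address; it departs from the ticket in one respect, noted in the code: failures are counted per account rather than keyed to the last source IP, since a counter that restarts whenever the source address changes is trivially reset.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Point 3: the only characters the ticket says a username may not contain.
FORBIDDEN_USERNAME_CHARS = set('[]:;|=+?<>*"')

# Point 2: addresses from which the admin account may log in.
# 127.0.0.1 comes from the ticket; the server's own address is an assumed placeholder.
SERVER_IPS = {"127.0.0.1", "192.0.2.10"}


def username_is_valid(username: str) -> bool:
    """Accept any non-empty username that contains none of the forbidden characters."""
    return bool(username) and not (set(username) & FORBIDDEN_USERNAME_CHARS)


def admin_login_allowed(username: str, ip: str) -> bool:
    """Non-admin users may log in from anywhere; admin only from the server's IPs."""
    return username != "admin" or ip in SERVER_IPS


@dataclass
class Account:
    """Mirrors the extra columns the ticket proposes for the account table."""
    username: str
    password: str  # constructed sample; a real store holds a password hash
    last_unsuccessful_login: Optional[datetime] = None
    unsuccessful_tries: int = 0
    last_login_ip: Optional[str] = None
    max_login_tries: int = 5
    login_wait_time_in_min: int = 30


def locked_until(acct: Account) -> Optional[datetime]:
    """Time the lockout expires, or None if the account is not currently locked."""
    if acct.last_unsuccessful_login is None or acct.unsuccessful_tries < acct.max_login_tries:
        return None
    return acct.last_unsuccessful_login + timedelta(minutes=acct.login_wait_time_in_min)


def attempt_login(acct: Account, ip: str, password: str, now: datetime) -> str:
    """Return 'ok', 'failed' or 'locked' and update the account's counters.

    Failures are counted per account regardless of source IP (the ticket keys the
    counter on Last-login-IP; that variant is not used here, see the lead-in).
    While locked, the password is not even checked, so further guesses neither
    succeed nor extend the lockout window.
    """
    until = locked_until(acct)
    if until is not None:
        if now < until:
            return "locked"
        acct.unsuccessful_tries = 0  # window expired: fresh set of tries

    if password == acct.password:  # successful login clears the entries
        acct.unsuccessful_tries = 0
        acct.last_unsuccessful_login = None
        acct.last_login_ip = ip
        return "ok"

    acct.unsuccessful_tries += 1
    acct.last_unsuccessful_login = now
    acct.last_login_ip = ip
    return "failed"


def demo() -> list:
    """Constructed scenario: five bad passwords, a correct one during the lockout,
    then a correct one after the 30-minute window has passed."""
    acct = Account("Gert", "Jensen")  # sample user from the ticket's own example
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    results = [attempt_login(acct, "10.0.0.5", "wrong", t0 + timedelta(seconds=i)) for i in range(5)]
    results.append(attempt_login(acct, "10.0.0.5", "Jensen", t0 + timedelta(minutes=10)))
    results.append(attempt_login(acct, "10.0.0.5", "Jensen", t0 + timedelta(minutes=35)))
    return results


if __name__ == "__main__":
    print(demo())  # ['failed', 'failed', 'failed', 'failed', 'failed', 'locked', 'ok']
```

Two consequences of this design are worth keeping in mind when wiring it into a real login path: behind a reverse proxy the recorded IP is the proxy's (the caveat the reporter already raises), so per-IP throttling needs the client address from a trusted forwarding header instead; and because the lockout is per account, anyone who knows a username can keep that account locked by submitting bad passwords, which is why the lockout is short and a successful login clears the counters.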
