Users attempt_failed counter doesn't reset after successful login through API

    • Type: Defect (Security)
    • Resolution: Duplicate
    • Priority: Minor
    • Affects Version/s: 1.8.4
    • Component/s: API (A)
    • Environment:
      Debian lenny

      To reproduce the bug, follow these steps using API operations:

      • Try to log in with a wrong password five times (or ZBX_LOGIN_ATTEMPTS times if it's different)
      • Now try to log in with a correct password. You will receive an error: 'Account is blocked for X seconds'. This is the expected behaviour.
      • After those seconds, log in with the correct information.
      • At this point, the field attempt_failed in the table users for the row corresponding to that user should be reset to 0 (that's what happens when you log in through the PHP front-end), but it isn't.

      What's the effect of this? Once the counter has reached 5, that user can't log in, out and in again quickly. Maybe it's not a big deal, but a programmer expects the same behaviour from the API as from the PHP front-end.

            Assignee:
            Unassigned
            Reporter:
            Jacobo Aragunde Pérez
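
The reproduction steps above, replayed against a small in-memory model of a lockout counter. This is an added example, not Zabbix code and not the reporter's. Only `attempt_failed` and `ZBX_LOGIN_ATTEMPTS` come from the report; `attempt_clock`, `BLOCK_SECONDS`, the `reset_on_success` switch and the lockout rule itself are assumptions made for illustration.

```python
# Added illustration: a minimal model of a failed-login lockout, not Zabbix code.
# Names other than attempt_failed and ZBX_LOGIN_ATTEMPTS are assumptions.
from dataclasses import dataclass

ZBX_LOGIN_ATTEMPTS = 5   # threshold named in the report
BLOCK_SECONDS = 30       # assumed value for the "X seconds" in the error


@dataclass
class User:
    password: str
    attempt_failed: int = 0
    attempt_clock: float = 0.0   # assumed: time of the last failed attempt


def login(user, password, now, reset_on_success):
    """reset_on_success=True models the front-end path, False the API path."""
    if (user.attempt_failed >= ZBX_LOGIN_ATTEMPTS
            and now - user.attempt_clock < BLOCK_SECONDS):
        return "blocked"
    if password != user.password:
        user.attempt_failed += 1
        user.attempt_clock = now
        return "wrong password"
    if reset_on_success:
        user.attempt_failed = 0
    return "ok"


def reproduce(reset_on_success):
    """Replay the report's steps; return (results, counter after the good login)."""
    user, now = User(password="correct"), 0.0
    results = [login(user, "wrong", now, reset_on_success)
               for _ in range(ZBX_LOGIN_ATTEMPTS)]                  # wrong x5
    results.append(login(user, "correct", now, reset_on_success))   # blocked
    now += BLOCK_SECONDS                                            # wait it out
    results.append(login(user, "correct", now, reset_on_success))   # succeeds
    counter_after_success = user.attempt_failed
    # Beyond the report's steps (follows from this model only):
    # a single typo after the successful login, then the correct password.
    results.append(login(user, "wrong", now + 1, reset_on_success))
    results.append(login(user, "correct", now + 2, reset_on_success))
    return results, counter_after_success


if __name__ == "__main__":
    for label, reset in (("front-end", True), ("API", False)):
        print(label, reproduce(reset))
```

In this model the stale counter means one mistyped password after a successful login is enough to block the account again, while the resetting path gives the user a fresh set of attempts.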