[TYPO3-core] Remove/Reduce forced delay on failed BE logins

Steffen Müller typo3 at t3node.com
Fri May 10 17:12:17 CEST 2013


Hi.

There is a delay of 5 seconds when the BE login fails.

LoginController::checkRedirect()
...
sleep(5);
...

http://forge.typo3.org/projects/typo3v4-core/repository/revisions/master/entry/typo3/sysext/backend/Classes/Controller/LoginController.php#L417

I'd like to get rid of that or reduce the number of seconds, because
a) IMHO waiting 5 seconds reduces usability
b) Test automation heavily slows down.

I know it is meant to slow down brute force attacks, but one could still
drive multiple attempts in parallel.

What's your opinion?
What do you think about the trade-off between security and
usability/testability?


-- 
cheers,
Steffen

TYPO3 Blog: http://www.t3node.com/
Twitter: @t3node - http://twitter.com/t3node
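
The trade-off raised in this message, shown as an added example that is not part of the original post and is not TYPO3 code: a per-account failure counter with a growing lockout window limits how many passwords get checked no matter how many requests arrive at once, adds no delay for the first few typos, and never holds a worker in `sleep()`. The class `LoginThrottle`, its parameters and the in-memory store are hypothetical; a real deployment would need a shared store with atomic updates.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. LoginThrottle and its defaults are hypothetical.
// Assumption: state lives in one process; production needs a shared, atomic store.
final class LoginThrottle
{
    /** @var array<string, array{failures: int, blockedUntil: int}> */
    private array $state = [];

    public function __construct(
        private int $freeAttempts = 3,   // failed attempts that incur no delay
        private int $baseDelay = 5,      // seconds, first lockout window
        private int $maxDelay = 900      // cap on the lockout window
    ) {}

    /** Seconds the caller must still wait; 0 means the password may be checked. */
    public function retryAfter(string $account, int $now): int
    {
        $until = $this->state[$account]['blockedUntil'] ?? 0;
        return max(0, $until - $now);
    }

    public function recordFailure(string $account, int $now): void
    {
        $failures = ($this->state[$account]['failures'] ?? 0) + 1;
        $over = $failures - $this->freeAttempts;
        // Window doubles with each failure past the free attempts, up to maxDelay.
        $delay = $over > 0 ? min($this->maxDelay, $this->baseDelay * 2 ** ($over - 1)) : 0;
        $this->state[$account] = ['failures' => $failures, 'blockedUntil' => $now + $delay];
    }

    public function recordSuccess(string $account): void
    {
        unset($this->state[$account]);
    }
}

// Constructed scenario: six failed logins for one account, all at t = 1000.
$throttle = new LoginThrottle();
$now = 1000;
$checked = 0;
for ($i = 0; $i < 6; $i++) {
    if ($throttle->retryAfter('admin', $now) > 0) {
        continue; // rejected immediately; the password is never checked
    }
    $checked++;
    $throttle->recordFailure('admin', $now);
}
printf("checked=%d retryAfter=%ds\n", $checked, $throttle->retryAfter('admin', $now));
```

Because the clock is passed in as `$now`, automated tests can step time forward instead of waiting.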

