New in Symfony 5.2: Login Throttling

October 16, 2020 · Published by Avatar of Javier Eguiluz Javier Eguiluz

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.

Wouter De Jong

Contributed by
Wouter De Jong
in #38204.

A common brute-force attack against web applications consists of an attacker submitting a login form many times with the hope of eventually guessing the password of some user account.

One of the best countermeasures to these attacks is called "login throttling", which denies a user from attempting logins after a certain number of failed attempts. Thanks to the recently added RateLimiter component, Symfony 5.2 will provide login throttling out of the box.

First, make sure that you are using the new Authenticator-based Security. Then, add the following configuration to your firewall:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# config/packages/security.yaml
security:
    firewalls:
        default:
            # by default, the feature allows 5 login attempts per minute
            login_throttling: ~

            # configuring the maximum login attempts (per minute)
            login_throttling:
                max_attempts: 1

            # you can even use a custom rate limiter via its service ID
            login_throttling:
                limiter: app.my_login_rate_limiter

That's all. Next time an attacker tries to make too many login attempts, your Symfony application will start blocking them.

Published in #Living on the edge

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Wesley Abbenhuis
Wesley Abbenhuis said on Oct 16, 2020
Finally, thanks Wouter
Avatar of Sidi LEKHALIFA
Sidi LEKHALIFA said on Oct 16, 2020
Great!
Avatar of Erwan Nader
Erwan Nader said on Oct 16, 2020
Nice :)
Avatar of Oussama Ait Benalla
Oussama Ait Benalla said on Oct 16, 2020
That's What I'm Talking About
Avatar of Thibault Gattolliat
Thibault Gattolliat said on Oct 17, 2020
Nice !
Avatar of Art Hundiak
Art Hundiak said on Oct 17, 2020
Surprised to see that the rather violent term, throttling, was approved by the PCRC (Politically Correct Review Committee).
Avatar of Javier Eguiluz
Javier Eguiluz Certified said on Oct 17, 2020
I'm not native in English, but "throttle" to me is a common English word (e.g. is one of the car pedals). I haven't seen this word associated with violence ever, but I might be wrong.
Avatar of Ben Hakim
Ben Hakim said on Oct 18, 2020
Amazing!! I love it !

Now wish for 2fa :)
Avatar of Sylvain Combraque
Sylvain Combraque said on Dec 3, 2020
Other soft do that better and faster than PHP

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.