A common brute-force attack against web applications consists of an attacker submitting a login form many times with the hope of eventually guessing the password of some user account.
One of the best countermeasures to these attacks is called "login throttling", which denies a user from attempting logins after a certain number of failed attempts. Thanks to the recently added RateLimiter component, Symfony 5.2 will provide login throttling out of the box.
First, make sure that you are using the new Authenticator-based Security. Then, add the following configuration to your firewall:
1 2 3 4 5 6 7 8 9 10 11 12 13 14
# config/packages/security.yaml
security:
firewalls:
default:
# by default, the feature allows 5 login attempts per minute
login_throttling: ~
# configuring the maximum login attempts (per minute)
login_throttling:
max_attempts: 1
# you can even use a custom rate limiter via its service ID
login_throttling:
limiter: app.my_login_rate_limiterThat's all. Next time an attacker tries to make too many login attempts, your Symfony application will start blocking them.
Published in
#Living on the edge
Finally, thanks Wouter
Great!
Nice :)
That's What I'm Talking About
Nice !
Surprised to see that the rather violent term, throttling, was approved by the PCRC (Politically Correct Review Committee).
I'm not native in English, but "throttle" to me is a common English word (e.g. is one of the car pedals). I haven't seen this word associated with violence ever, but I might be wrong.
Amazing!! I love it !
Now wish for 2fa :)
Other soft do that better and faster than PHP