0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/AuthController.php:808-813

Bug: Once lockout expires, counted failures also fall outside the window; exponential backoff never escalates.

Fix: Longer observation window (24h) separate from lockout duration.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:56pm

Resolved.

AuthController::checkAndLockout now uses a separate, longer observation window for counting historical failures (src/Controllers/AuthController.php):

  • New env: LOGIN_OBSERVE_MINUTES (default 1440 — 24h).
  • Old behaviour reused LOGIN_LOCKOUT_MINUTES for both observation and lockout, so a user could wait out the lockout and their prior failures aged out with it — the exponential backoff never actually escalated.

Now even if an attacker spaces 5 failures across a full 15-minute lockout and then waits it out, those 5 failures stay visible for 24h so the next lockout doubles in length per lockout_count.

Locking this thread.
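As an added illustration of the window-versus-lockout distinction discussed in this thread (this is not the project's AuthController code), the following stand-alone PHP replays the scenario from the reply: five failures, wait out the 15-minute lockout, five more failures. The failure threshold of 5, the in-memory list of failure timestamps, and the rule that lockout_count grows with each full block of counted failures are assumptions made here; only the 15-minute lockout and the 1440-minute LOGIN_OBSERVE_MINUTES default come from the thread.

```php
<?php
declare(strict_types=1);

// Constructed illustration for this thread; it is not the project's
// AuthController code. The threshold of 5 failures, the way the escalation
// step is derived from the number of counted failures, and the in-memory
// failure list are assumptions made here to show the effect of the window.

const FAILURE_THRESHOLD = 5;     // assumed: failures needed to trigger a lockout
const LOCKOUT_MINUTES   = 15;    // base lockout, as in the thread
const OBSERVE_MINUTES   = 1440;  // LOGIN_OBSERVE_MINUTES default (24h)

/**
 * Returns the lockout length in minutes that applies at $now (0 = not locked).
 *
 * @param int[] $failureTimes   UNIX timestamps of failed logins for one account
 * @param int   $now            current UNIX timestamp
 * @param int   $observeMinutes how far back failures are still counted
 */
function lockoutMinutes(array $failureTimes, int $now, int $observeMinutes): int
{
    $windowStart = $now - $observeMinutes * 60;
    $counted = count(array_filter($failureTimes, fn(int $t): bool => $t >= $windowStart));

    if ($counted < FAILURE_THRESHOLD) {
        return 0;
    }
    // lockout_count grows by one for every full block of FAILURE_THRESHOLD
    // failures still inside the window: 5 -> 15 min, 10 -> 30 min, 15 -> 60 min.
    $lockoutCount = intdiv($counted, FAILURE_THRESHOLD);
    return LOCKOUT_MINUTES * (2 ** ($lockoutCount - 1));
}

/**
 * Replays the pattern from the thread: 5 failures, wait out the 15-minute
 * lockout, 5 more failures. Returns the second lockout length (in minutes)
 * under the given observation window.
 */
function secondLockoutAfterWaitingOut(int $observeMinutes): int
{
    $t0 = 1_700_000_000;                      // arbitrary start time (constructed)
    $failures = [];
    for ($i = 0; $i < 5; $i++) {              // first burst, one failure per minute
        $failures[] = $t0 + $i * 60;
    }
    $first = lockoutMinutes($failures, end($failures), $observeMinutes); // 15

    // Wait until the first lockout has fully expired, then fail 5 more times.
    $resume = end($failures) + $first * 60 + 60;
    for ($i = 0; $i < 5; $i++) {
        $failures[] = $resume + $i * 60;
    }
    return lockoutMinutes($failures, end($failures), $observeMinutes);
}

// Old behaviour: window == lockout duration, so the first burst has aged out
// by the time the lockout expires and the second lockout is again 15 minutes.
printf("window = lockout (%d min): second lockout = %d min\n",
    LOCKOUT_MINUTES, secondLockoutAfterWaitingOut(LOCKOUT_MINUTES));

// Fixed behaviour: the 24h window keeps the first burst visible, so the
// counted failures reach 10 and the second lockout doubles to 30 minutes.
printf("window = %d min: second lockout = %d min\n",
    OBSERVE_MINUTES, secondLockoutAfterWaitingOut(OBSERVE_MINUTES));
```

Two practical points follow from the model: any pruning of stored failure records has to key off the observation window, not the lockout duration, or the old bug returns through the back door; and a long window also means a legitimate user's occasional failures accumulate for a day, so the threshold and the escalation curve should be checked against the helpdesk's tolerance for accidental lockouts.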
