[FEATURE] Introduce rate limiter for failed logins
The PHP library `symfony/rate-limiter` has been integrated in order to provide a rate limiting API for the TYPO3 core and extensions.

As a new system default, the TYPO3 backend and frontend login now uses a rate limiter, which prevents further authentication attempts for an IP address, if a configurable amount of login attempts is exceeded in a given time.

The hardcoded wait time of 5 seconds after a failed login has been removed, since it offers no real protection against brute force attacks.

The following dependencies are introduced:

* symfony/rate-limiter "^5.3"

Resolves: #93825
Releases: master
Change-Id: Ib248b78b501a4d50556aa97938f4c51f12f7522a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68624
Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
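The per-IP throttling the commit message describes, as an added example that is not TYPO3's own code: a sliding-window limiter from symfony/rate-limiter keyed by the client address, with the counter reset on a successful login. It assumes Composer autoloading and uses InMemoryStorage so it runs stand-alone; the limit, interval and IP address are constructed values.

```php
<?php
// Added example (not TYPO3 code): throttle login attempts per client IP with
// symfony/rate-limiter ^5.3. Assumption: Composer autoloading is available.
// InMemoryStorage keeps the example self-contained; a real deployment needs a
// store shared across requests and nodes, e.g. CacheStorage over a PSR-6 pool.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\RateLimiter\Storage\InMemoryStorage;

// Sliding window: at most 5 attempts per IP within 15 minutes (constructed values).
$factory = new RateLimiterFactory([
    'id'       => 'login',
    'policy'   => 'sliding_window',
    'limit'    => 5,
    'interval' => '15 minutes',
], new InMemoryStorage());

/**
 * Returns true if the login succeeded. Every call consumes one token for the IP
 * before credentials are checked, so an exhausted window refuses the attempt
 * outright; a successful authentication resets the counter so a legitimate user
 * is not locked out by their own earlier typos.
 */
function attemptLogin(RateLimiterFactory $factory, string $ip, bool $credentialsValid): bool
{
    $limiter = $factory->create($ip);
    $rateLimit = $limiter->consume(1);
    if (!$rateLimit->isAccepted()) {
        // Too many attempts: refuse without evaluating the credentials at all.
        printf("%s: blocked until %s\n", $ip, $rateLimit->getRetryAfter()->format(DATE_ATOM));
        return false;
    }
    if ($credentialsValid) {
        $limiter->reset();
        return true;
    }
    printf("%s: failed login, %d attempts left in window\n", $ip, $rateLimit->getRemainingTokens());
    return false;
}

// Constructed scenario: six wrong passwords from one client, then the right one.
// The first five failures use up the budget; later attempts, even with valid
// credentials, are refused until the window slides past the old failures.
$ip = '203.0.113.7';
for ($i = 0; $i < 6; $i++) {
    attemptLogin($factory, $ip, false);
}
var_dump(attemptLogin($factory, $ip, true));
```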
... | ... | @@ -73,6 +73,7 @@ |
"symfony/polyfill-mbstring": "^1.2", | ||
"symfony/property-access": "^5.3.0", | ||
"symfony/property-info": "^5.3.0", | ||
"symfony/rate-limiter": "^5.3", | ||
"symfony/routing": "^5.3.0", | ||
"symfony/var-dumper": "^5.3.0", | ||
"symfony/yaml": "^5.3.0", | ||
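Review bot: the new entry `"symfony/rate-limiter": "^5.3",` breaks the `^5.3.0` pattern every neighbouring symfony entry in this block uses; both constraints resolve to `>=5.3.0 <6.0.0`, so aligning it to `"symfony/rate-limiter": "^5.3.0",` is a style point only. The hunk shows just the `require` entry, so make sure the matching `composer.lock` update is part of the same change.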
... | ... |