Date:  12/08/2009 11:08:58 AM Msg ID:  004072
From:  FoxWeb Support Thread:  004071
Subject:  Re: Auth.MaxLoginAttempts
The lockout feature is not based on failed attempts for a particular user id. FoxWeb keeps track of the number of failed attempts coming from the same session. The number of failed attempts is stored in a hidden session variable named "secLoginAttempts". If this number exceeds the maximum limit (configurable), login attempts are rejected, while the session is still alive.
 
This system can only thwart manual login attempts, using a conventional browser. A user can reset his own session, by simply restarting the browser. Of course, this takes time, making it impractical to try to guess even a weak password.
 
At the same time, a serious hacker would never try to manually type passwords in a form, but would rather create an automated application that would bombard a server with login requests. To prevent such attacks, FoxWeb introduces a short delay (~.5 seconds) after each failed login attempt. This delay is not long enough to be noticeable in a normal situation, but would make automated brute force attacks impractical too.
FoxWeb Support Team
support@foxweb.com email
Sent by cbjr on 12/08/2009 08:46:20 AM:

When using  Auth.MaxLoginAttempts, the following page displays:

Your workstation has been temporarily locked out of this application because too many failed login attempts were made.

What is the default time the workstation stays locked and can that time be changed?  

Also, how I do manually unlock the workstation so a user can log back in without having to wait?

Thanks.