https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #2 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Vitor Fernandes from comment #0)
*** Requirement description ***
The application MUST log successful and unsuccessful authentication operations. This is useful, for example, to detect that a user account is being hacked.
How extensive is this requirement? Koha already allows you to lock accounts after x failed login attempts. Could this be considered as meeting this requirement already? Testing the lockout feature I also noticed that the counter is being incremented too even if the account has been locked out. So each successful and each unsuccessful authentication triggers a database action. What would be the use of storing date, time and ip address additionally ? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.