[Koha-bugs] [Bug 21190] GDPR: Log successful/unsuccessful login attempts

bugzilla-daemon at bugs.koha-community.org
Wed Sep 12 13:30:57 CEST 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190

--- Comment #3 from Vitor Fernandes <vfernandes at keep.pt> ---
(In reply to Marcel de Rooy from comment #2)
> How extensive is this requirement? Koha already allows you to lock accounts
> after x failed login attempts. Could this be considered as meeting this
> requirement already?
> 
> Testing the lockout feature I also noticed that the counter is being
> incremented too even if the account has been locked out. So each successful
> and each unsuccessful authentication triggers a database action. What would
> be the use of storing date, time and IP address additionally?

Marcel, the account lockout after a number of failed login attempts is an
important enhancement but isn't what is requested by the requirement.

The application must log successful and unsuccessful authentication operations.
This can be done by modifying Auth.pm.
When the authentication fails we can add something like:

logaction("MEMBERS", "LOGIN", 0, "Login failed: ($userid) Invalid username or password")
    if C4::Context->preference("BorrowersLog");

When the authentication is successful we can add something like:

my $login_info = sprintf "Login successful: (%s) %s %s - %s\n",
    map { $session->param($_) } qw(cardnumber firstname surname branch);
logaction("MEMBERS", "LOGIN", $borrowernumber, $login_info)
    if C4::Context->preference("BorrowersLog");

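An added example, not part of the original comment and not Koha's own code: the failed-login message proposed above embeds $userid, which is whatever the client typed, so this sketch cleans that value before it reaches the log. Assumptions: logaction() here is a local stand-in that only keeps the four-argument call shape shown in the comment, the session is a plain hashref, safe_userid() and the two log_login_* helpers are hypothetical names, and the BorrowersLog preference guard is left out so the script runs without Koha.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for Koha's logaction(), only so this demo runs without Koha.
# It records the same four arguments used in the comment above.
my @audit;
sub logaction {
    my ( $module, $action, $object, $info ) = @_;
    push @audit, { module => $module, action => $action, object => $object, info => $info };
    return;
}

# Hypothetical helper: make a client-supplied value safe to embed in a
# one-line log message. Control characters (CR/LF included) are replaced
# and the length is capped so one entry cannot masquerade as several.
sub safe_userid {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/[[:cntrl:]]/?/g;
    $value = substr( $value, 0, 64 ) . '...' if length($value) > 64;
    return $value;
}

sub log_login_failure {
    my ($userid) = @_;
    logaction( "MEMBERS", "LOGIN", 0,
        sprintf( "Login failed: (%s) Invalid username or password", safe_userid($userid) ) );
    return;
}

sub log_login_success {
    my ( $borrowernumber, $session ) = @_;    # $session: hashref standing in for the session object
    my $info = sprintf "Login successful: (%s) %s %s - %s",
        map { safe_userid( $session->{$_} ) } qw(cardnumber firstname surname branch);
    logaction( "MEMBERS", "LOGIN", $borrowernumber, $info );
    return;
}

# Constructed sample input.
log_login_failure("alice");
log_login_failure("bob\r\nsecond line");
log_login_failure( "x" x 200 );
log_login_success( 42, { cardnumber => "1001", firstname => "Ann", surname => "Lee", branch => "CPL" } );

printf "%s borrower=%s %s\n", $_->{module}, $_->{object}, $_->{info} for @audit;
```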