feature #64118 [Security] Revert "Add per-username login rate-limit to prevent brute-force attacks" (wouterj)

nicolas-grekas · nicolas-grekas · commit 8e8f87c6fa5f · 2026-05-04T22:22:44.000+02:00
This PR was merged into the 8.1 branch. Discussion ---------- [Security] Revert "Add per-username login rate-limit to prevent brute-force attacks" | Q | A | ------------- | --- | Branch? | 8.1 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | Reverts #64104 | License | MIT Read #61932 (comment) for the reasoning. Commits ------- ef7291c Revert "feature #64104 [Security] Add per-username login rate-limit to prevent brute-force attacks (ayyoub-afwallah)"
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
@@ -76,16 +76,13 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
             ];
             $this->registerRateLimiter($container, $localId = '_login_local_'.$firewallName, $limiterOptions);
 
-            $this->registerRateLimiter($container, $usernameId = '_login_username_'.$firewallName, $limiterOptions);
-
             $limiterOptions['limit'] = 5 * $config['max_attempts'];
             $this->registerRateLimiter($container, $globalId = '_login_global_'.$firewallName, $limiterOptions);
 
             $container->register($config['limiter'] = 'security.login_throttling.'.$firewallName.'.limiter', DefaultLoginRateLimiter::class)
                 ->addArgument(new Reference('limiter.'.$globalId))
                 ->addArgument(new Reference('limiter.'.$localId))
                 ->addArgument(new Parameter('container.build_hash'))
-                ->addArgument(new Reference('limiter.'.$usernameId))
             ;
         }
 
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -8,7 +8,6 @@ CHANGELOG
  * Add `this` to `#[IsGranted]` subject expression variables when available
  * Add support for closures and `this` in `#[IsCsrfTokenValid]` when evaluating its `id`
  * Deprecate the `$eraseCredentials` argument of `AuthenticatorManager::__construct()`, as the `eraseCredentials()` method was removed in Symfony 8.0
- * Add a per-username rate limit to `DefaultLoginRateLimiter` to prevent brute-force attacks from multiple IPs targeting a single account
 
 8.0
 ---
diff --git a/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php b/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
@@ -20,11 +20,8 @@
 /**
  * A default login throttling limiter.
  *
- * This limiter prevents breadth-first and distributed brute-force attacks by
- * enforcing three limits in sequence:
- *   1. IP only (global): blocks wide scans from a single IP;
- *   2. username + IP (local): blocks targeted attacks from a single IP;
- *   3. username only: blocks distributed botnet attacks across many IPs.
+ * This limiter prevents breadth-first attacks by enforcing
+ * a limit on username+IP and a (higher) limit on IP.
  *
  * @author Wouter de Jong <wouter@wouterj.nl>
  */
@@ -37,7 +34,6 @@ public function __construct(
         private RateLimiterFactory $globalFactory,
         private RateLimiterFactory $localFactory,
         #[\SensitiveParameter] private string $secret,
-        private ?RateLimiterFactory $usernameFactory = null,
     ) {
         if (!$secret) {
             throw new InvalidArgumentException('A non-empty secret is required.');
@@ -49,16 +45,10 @@ protected function getLimiters(Request $request): array
         $username = $request->attributes->get(SecurityRequestAttributes::LAST_USERNAME, '');
         $username = preg_match('//u', $username) ? mb_strtolower($username, 'UTF-8') : strtolower($username);
 
-        $limiters = [
+        return [
             $this->globalFactory->create($this->hash($request->getClientIp())),
             $this->localFactory->create($this->hash($username.'-'.$request->getClientIp())),
         ];
-
-        if (null !== $this->usernameFactory) {
-            $limiters[] = $this->usernameFactory->create($this->hash($username));
-        }
-
-        return $limiters;
     }
 
     private function hash(string $data): string
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
@@ -35,25 +35,19 @@ protected function setUp(): void
     {
         $this->requestStack = new RequestStack();
 
-        $globalLimiter = new RateLimiterFactory([
-            'id' => 'login',
-            'policy' => 'fixed_window',
-            'limit' => 6,
-            'interval' => '1 minute',
-        ], new InMemoryStorage());
         $localLimiter = new RateLimiterFactory([
             'id' => 'login',
             'policy' => 'fixed_window',
             'limit' => 3,
             'interval' => '1 minute',
         ], new InMemoryStorage());
-        $usernameLimiter = new RateLimiterFactory([
+        $globalLimiter = new RateLimiterFactory([
             'id' => 'login',
             'policy' => 'fixed_window',
-            'limit' => 3,
+            'limit' => 6,
             'interval' => '1 minute',
         ], new InMemoryStorage());
-        $limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter, '$3cre7', $usernameLimiter);
+        $limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter, '$3cre7');
 
         $this->listener = new LoginThrottlingListener($this->requestStack, $limiter);
     }
@@ -90,25 +84,6 @@ public function testPreventsLoginWithMultipleCase()
         $this->listener->checkPassport($this->createCheckPassportEvent($passports[0]));
     }
 
-    public function testPreventsLoginWhenOverUsernameThreshold()
-    {
-        $passport = $this->createPassport('wouter');
-        // Simulate requests from different IPs
-        for ($i = 0; $i < 3; ++$i) {
-            $request = $this->createRequest('10.0.0.'.$i);
-            $this->requestStack->push($request);
-            $this->listener->checkPassport($this->createCheckPassportEvent($passport));
-            $this->listener->onFailedLogin($this->createLoginFailedEvent($passport));
-            $this->requestStack->pop();
-        }
-
-        // A new IP should still be blocked because the username limit is reached
-        $request = $this->createRequest('10.0.1.0');
-        $this->requestStack->push($request);
-        $this->expectException(TooManyLoginAttemptsAuthenticationException::class);
-        $this->listener->checkPassport($this->createCheckPassportEvent($passport));
-    }
-
     public function testPreventsLoginWhenOverGlobalThreshold()
     {
         $request = $this->createRequest();

Original file line number	Diff line number	Diff line change
`@@ -76,16 +76,13 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal`
`76`	`76`	`];`
`77`	`77`	`$this->registerRateLimiter($container, $localId = '_login_local_'.$firewallName, $limiterOptions);`
`78`	`78`
`79`		`- $this->registerRateLimiter($container, $usernameId = '_login_username_'.$firewallName, $limiterOptions);`
`80`		`-`
`81`	`79`	`$limiterOptions['limit'] = 5 * $config['max_attempts'];`
`82`	`80`	`$this->registerRateLimiter($container, $globalId = '_login_global_'.$firewallName, $limiterOptions);`
`83`	`81`
`84`	`82`	`$container->register($config['limiter'] = 'security.login_throttling.'.$firewallName.'.limiter', DefaultLoginRateLimiter::class)`
`85`	`83`	`->addArgument(new Reference('limiter.'.$globalId))`
`86`	`84`	`->addArgument(new Reference('limiter.'.$localId))`
`87`	`85`	`->addArgument(new Parameter('container.build_hash'))`
`88`		`- ->addArgument(new Reference('limiter.'.$usernameId))`
`89`	`86`	`;`
`90`	`87`	`}`
`91`	`88`