
[Security] Add per-username login rate-limit to prevent brute-force attacks#64104

Merged
nicolas-grekas merged 1 commit into
symfony:8.1from
ayyoub-afwallah:feature/add-username-login-rate-limiter
May 4, 2026

Conversation

@ayyoub-afwallah (Contributor)

| Q             | A
| ------------- | ---
| Branch?       | 8.1
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Issues        | Fix #61932
| License       | MIT

Adds a third rate-limiter to DefaultLoginRateLimiter as suggested in #63997 (comment)

@ayyoub-afwallah (Contributor, Author)

Test failures seem unrelated to this PR.

Review comment thread on src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php (outdated)
nicolas-grekas force-pushed the feature/add-username-login-rate-limiter branch from b4a3196 to a84ec30 on May 4, 2026 15:40
@nicolas-grekas (Member)

Thank you @ayyoub-afwallah.

nicolas-grekas merged commit 692ecef into symfony:8.1 on May 4, 2026
5 of 12 checks passed
nicolas-grekas pushed a commit that referenced this pull request May 4, 2026
…o prevent brute-force attacks (ayyoub-afwallah)"

This reverts commit 692ecef, reversing
changes made to 965b0fc.
nicolas-grekas added a commit that referenced this pull request May 4, 2026
…o prevent brute-force attacks" (wouterj)

This PR was merged into the 8.1 branch.

Discussion
----------

[Security] Revert "Add per-username login rate-limit to prevent brute-force attacks"

| Q             | A
| ------------- | ---
| Branch?       | 8.1
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Issues        | Reverts #64104
| License       | MIT

Read #61932 (comment) for the reasoning.

Commits
-------

ef7291c Revert "feature #64104 [Security] Add per-username login rate-limit to prevent brute-force attacks (ayyoub-afwallah)"
@wouterj (Member) commented May 4, 2026

Hi! Unfortunately, we've discovered that implementing this feature can result in denial of service. A botnet can keep trying a specific username with different IPs, resulting in a user not being able to log in anymore. As a result, we have to revert this feature from the upcoming 8.1 release (ref #64118).

I hope this won't discourage you from coming back with more contributions in the future. The contribution itself went very smooth 🚀
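The lockout described in the comment above, as an added example that is not Symfony's code and not part of this PR: a Python model of the three keying strategies a login rate limiter can use (client IP, username plus IP, username alone), run against a botnet that sends one guess per IP and against a single IP that hammers one account. It shows the trade-off both ways: without a username-only bucket a botnet of N IPs gets N guesses at one account but the real user can still log in; with it, the botnet is held to the per-username limit but fills the user's bucket and locks the user out. The limiter classes, the 5-attempt fixed window, the bucket-combination rule and the IP addresses are assumptions made for this illustration.

```python
"""Added example (not Symfony code): a model of three login rate-limiter keying
strategies, showing why a per-username limiter turns a brute-force defence
into a lockout vector.  Counters are in-memory fixed windows with no expiry,
which is enough to compare the strategies within a single window."""
from collections import defaultdict


class FixedWindowLimiter:
    """Allow `limit` consumptions per key.  Stand-in for a real limiter
    (no window rollover, no shared storage); constructed for this example."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: dict[str, int] = defaultdict(int)

    def consume(self, key: str) -> bool:
        self.counts[key] += 1
        return self.counts[key] <= self.limit


class LoginRateLimiter:
    """Combine up to three limiters; an attempt is accepted only if every
    configured limiter accepts it.  Model assumption: every limiter is consumed
    on each attempt, so a rejected attempt still counts against all buckets.
    That is what lets anyone who knows a username fill its bucket."""

    def __init__(self, per_ip=None, per_user_ip=None, per_user=None) -> None:
        self.per_ip = per_ip            # key: client IP
        self.per_user_ip = per_user_ip  # key: username + client IP
        self.per_user = per_user        # key: username only

    def attempt(self, username: str, ip: str) -> bool:
        user = username.strip().lower()  # case variants share one bucket
        verdicts = []
        if self.per_ip is not None:
            verdicts.append(self.per_ip.consume(ip))
        if self.per_user_ip is not None:
            verdicts.append(self.per_user_ip.consume(f"{user}|{ip}"))
        if self.per_user is not None:
            verdicts.append(self.per_user.consume(user))
        return all(verdicts)


def build_limiter(per_user_limit=None) -> LoginRateLimiter:
    """5 attempts per IP, 5 per username+IP, and optionally N per username."""
    return LoginRateLimiter(
        per_ip=FixedWindowLimiter(5),
        per_user_ip=FixedWindowLimiter(5),
        per_user=FixedWindowLimiter(per_user_limit) if per_user_limit else None,
    )


VICTIM_USER = "victim"
VICTIM_IP = "203.0.113.10"  # constructed address (TEST-NET-3)


def simulate_distributed_attack(bot_count=200, per_user_limit=None):
    """A botnet sends one guess per IP at VICTIM_USER, then the real user logs in.
    Returns (guesses the botnet got through, whether the real user was accepted)."""
    limiter = build_limiter(per_user_limit)
    bot_ips = [f"198.51.100.{i}" for i in range(bot_count)]  # constructed (TEST-NET-2)
    guesses_through = sum(limiter.attempt(VICTIM_USER, ip) for ip in bot_ips)
    victim_ok = limiter.attempt(VICTIM_USER, VICTIM_IP)
    return guesses_through, victim_ok


def simulate_single_source_attack(attempts=50, per_user_limit=None):
    """One attacker IP hammers VICTIM_USER, then the real user logs in.
    Same return shape as simulate_distributed_attack."""
    limiter = build_limiter(per_user_limit)
    attacker_ip = "192.0.2.77"  # constructed address (TEST-NET-1)
    guesses_through = sum(limiter.attempt(VICTIM_USER, attacker_ip) for _ in range(attempts))
    victim_ok = limiter.attempt(VICTIM_USER, VICTIM_IP)
    return guesses_through, victim_ok


if __name__ == "__main__":
    print("single source, IP + username|IP buckets:", simulate_single_source_attack())
    print("botnet, IP + username|IP buckets:       ", simulate_distributed_attack())
    print("botnet, plus per-username bucket (5):   ", simulate_distributed_attack(per_user_limit=5))
```

Run as a script it prints the three scenarios. Because the model counts a rejected attempt against every bucket, a single attacker IP also locks the account once the per-username bucket is on (`simulate_single_source_attack(per_user_limit=5)` returns `(5, False)`); whether a real limiter behaves this way depends on how it combines its limiters, and that is the first thing to check before adding a username-only key.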

@fabpot mentioned this pull request on May 6, 2026


Linked issue (may be closed by this pull request):

[RateLimiter] The local DefaultLoginRateLimiter should probably limit only by username

4 participants