[JDEV] Account lockout
Peter Saint-Andre
stpeter at jabber.org
Wed Apr 30 22:30:28 CDT 2003
On Wed, Apr 30, 2003 at 05:38:45PM -0700, Ragavan S wrote:
> If an account has been disabled temporarily or locked out (due to repeated
> login failures, say), what would be the correct error class to expect from
> a Jabber server? This would be different from an account that does not
> exist (for which the not-authorized error class seems a good fit).
I would say "not-allowed" as per XMPP-IM:

  <iq type='error' id='sess_1'>
    <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
    <error class='access'>
      <condition xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>
        <not-allowed/>
      </condition>
    </error>
  </iq>

However, no servers currently implement this, either in XMPP-style
errors or old-style errors.
> Also, are there any auth modules that have some sort of account lockout
> logic built into them? Say, based on repeated login failure attempts or
> unsuccessful attempts to login to the same account from different IP
> addresses, etc?
Not yet as far as I know, but it's a good idea.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php
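
Added example, not part of the original message and not code from any Jabber server: a sketch of the lockout logic asked about in the thread (repeated failures, or failures from several IP addresses), returning the not-allowed condition and stanza quoted in the reply. The class and function names, the thresholds, and the use of not-authorized for a wrong password are assumptions.

```python
import time
import xml.etree.ElementTree as ET
SESSION_NS = "urn:ietf:params:xml:ns:xmpp-session"
STANZAS_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

class LockoutTracker:
    """Hypothetical policy: lock on too many recent failures or source IPs."""
    def __init__(self, max_failures=5, max_ips=3, window=300, lock_for=900,
                 clock=time.monotonic):
        self.max_failures, self.max_ips = max_failures, max_ips
        self.window, self.lock_for, self.clock = window, lock_for, clock
        self._failures = {}      # account -> [(timestamp, ip), ...]
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is not None and self.clock() >= until:
            del self._locked_until[account]      # lock expired: start fresh
            self._failures.pop(account, None)
            return False
        return until is not None

    def record_failure(self, account, ip):
        now = self.clock()
        recent = [(t, a) for t, a in self._failures.get(account, [])
                  if now - t < self.window]      # drop failures outside the window
        recent.append((now, ip))
        self._failures[account] = recent
        if (len(recent) >= self.max_failures
                or len({a for _, a in recent}) >= self.max_ips):
            self._locked_until[account] = now + self.lock_for

def check_login(tracker, account, ip, password_ok):
    """Return None on success, else the name of the error condition to send."""
    if tracker.is_locked(account):
        return "not-allowed"       # checked first: a correct password does not unlock
    if not password_ok:
        tracker.record_failure(account, ip)
        return "not-authorized"    # assumption: the condition named in the question
    tracker._failures.pop(account, None)         # success clears the history
    return None

def not_allowed_iq(stanza_id):
    # Serializes the error stanza quoted in the reply above.
    iq = ET.Element("iq", {"type": "error", "id": stanza_id})
    ET.SubElement(iq, "session", {"xmlns": SESSION_NS})
    err = ET.SubElement(iq, "error", {"class": "access"})
    cond = ET.SubElement(err, "condition", {"xmlns": STANZAS_NS})
    ET.SubElement(cond, "not-allowed")
    return ET.tostring(iq, encoding="unicode")
```

The clock is injectable so the lock and window expiry can be exercised without waiting; a real server would also need to bound the size of the per-account tables.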