make failed logins less brutal to improve UX #762
Open
It may be worth also exploring (maybe behind an option if it feels icky) if a given email address is trying to log into the same I am able to sponsor this work if necessary.
On a failed login, the Portier broker deletes the session, preventing further attempts to log in with that session. It would be helpful to be able to configure the broker to instead only delete the session on a successful login, as well as after a deadline has expired, as it already does.
From our experience, the current behaviour hurts the UX, as we regularly see people failing to log in for legitimate and expected reasons but (we assume) very few attempts to brute force the code; which for most is moot and prevented by any CSRF protection (i.e. a cookie) in the resource provider.
This is described in #670 (comment) and followed up by #670 (comment)
Common reasons for a failed login:
This problem is potentially exacerbated by the rate limiter, as our users get at least confused and then re-attempt fresh logins, which also fail as they are still incorrectly doing something or other.