Symfony News: New in Symfony 5.2: Login Throttling

New in Symfony 5.2: Login Throttling

Contributed by
Wouter De Jong
in #38204.

A common brute-force attack against web applications consists of an attacker submitting a login form many times with the hope of eventually guessing the password of some user account.

One of the best countermeasures to these attacks is called “login throttling”, which denies a user from attempting logins after a certain number of failed attempts. Thanks to the recently added RateLimiter component, Symfony 5.2 will provide login throttling out of the box.

First, make sure that you are using the new Authenticator-based Security. Then, add the following configuration to your firewall:

# config/packages/security.yaml
security:
    firewalls:
        default:
            # by default, the feature allows 5 login attempts per minute
            login_throttling: ~

            # configuring the maximum login attempts (per minute)
            login_throttling:
                max_attempts: 1

            # you can even use a custom rate limiter via its service ID
            login_throttling:
                limiter: app.my_login_rate_limiter

That’s all. Next time an attacker tries to make too many login attempts, your Symfony application will start blocking them.

Sponsor the Symfony project.

Source: https://symfony.com/blog

About us

What a Symfony developer should know about the framework: News, Jobs, Tweets, Events, Videos,...

Welcome to Symfony News !
More About us
Contact us on contact[at]symfony-news.com

Resources

Symfony Blog

Find us on Twitter

Tweets by @symfony_news

Symfony News

New in Symfony 5.2: Login Throttling

About us

Resources

Find us on Twitter

Find us on Facebook