Fossil

Check-in [39d7eb0e]

Overview
Comment: Failed login attempts via /login now return HTTP status code 401 (Unauthorized), not 200. This has no user-visible effect in the returned page, but it allows fail2ban style log scanning.
SHA3-256: 39d7eb0e226565e31ea812d2704e114a96a30245ff8b2e343a8df82b78cf2894
User & Date: wyoung 2020-11-16 00:41:16
Context
2020-11-16
02:05
Moved the www/tls-nginx.md doc contents into its companion doc www/server/debian/nginx.md and updated it for Ubuntu 20.04 LTS and Snap-based Certbot. ... (check-in: 0e63df14 user: wyoung tags: trunk)
00:41
Failed login attempts via /login now return HTTP status code 401 (Unauthorized), not 200. This has no user-visible effect in the returned page, but it allows fail2ban style log scanning. ... (check-in: 39d7eb0e user: wyoung tags: trunk)
2020-11-14
06:52
Add extra check in git_fast_import() so that 'import --git --incremental' queries the new 'fx_git' table if it exists in the repository database to attribute check-ins. ... (check-in: 8eeba7a8 user: jamsek tags: trunk)
Changes

Changes to src/login.c.

641
642
643
644
645
646
647

648
649
650
651
652
653
654
      sleep(1);
      zErrMsg =
         @ <p><span class="loginError">
         @ You entered an unknown user or an incorrect password.
         @ </span></p>
      ;
      record_login_attempt(zUsername, zIpAddr, 0);

    }else{
      /* Non-anonymous login is successful.  Set a cookie of the form:
      **
      **    HASH/PROJECT/LOGIN
      **
      ** where HASH is a random hex number, PROJECT is either project
      ** code prefix, and LOGIN is the user name.







>







641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
      sleep(1);
      zErrMsg =
         @ <p><span class="loginError">
         @ You entered an unknown user or an incorrect password.
         @ </span></p>
      ;
      record_login_attempt(zUsername, zIpAddr, 0);
      cgi_set_status(401, "Unauthorized");
    }else{
      /* Non-anonymous login is successful.  Set a cookie of the form:
      **
      **    HASH/PROJECT/LOGIN
      **
      ** where HASH is a random hex number, PROJECT is either project
      ** code prefix, and LOGIN is the user name.
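
Review bot: the new cgi_set_status(401, "Unauthorized") line after record_login_attempt() has no comment explaining why the status changes, and the reason (so that fail2ban style scanners can see failed logins in the server log) lives only in the commit message. A one-line comment at the call would keep a later cleanup from putting it back to 200. Two things to confirm before relying on this for log scanning. First, HTTP specifies that a 401 response carries a WWW-Authenticate challenge header, and none is set in the visible lines. Since /login is a form login, check that browsers and any reverse proxy in front pass the page through unchanged, or consider 403 instead. Second, only this one failure branch is visible in the hunk, so any other path that rejects a login needs the same status or a scanner keyed on 401 will miss it.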