  1. OpenMRS Core
  2. TRUNK-3878

Forgot password form IP-based lockout locks everyone from using it


    Details

    • Complexity:
      Low

      Description

      The forgot password form controller logs login attempts using request.getLocalAddr() instead of request.getRemoteAddr().

      https://github.com/openmrs/openmrs-core/blob/master/web/src/main/java/org/openmrs/web/controller/ForgotPasswordFormController.java line 80

      Ideally this controller should share the list of locked out IPs with LoginServlet. If a rogue IP address is blocked from one, it should be blocked from the other.
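
The effect described in this ticket, as an added example that is not OpenMRS code: a lockout counter keyed on the server's local address locks out every client at once, while one keyed on the remote address locks out only the offending client, and a tracker shared between the two forms carries the block across both. The class, method and constant names, the threshold of 5 and the sample addresses are all assumptions made for the illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; every name below is hypothetical, not taken from openmrs-core.
public class LockoutKeyDemo {
    static final int MAX_ATTEMPTS = 5; // assumed threshold

    // Constructed sample addresses (documentation ranges).
    static final String SERVER_LOCAL_ADDR = "192.0.2.10"; // what getLocalAddr() yields: the server's own interface
    static final String NOISY_CLIENT = "203.0.113.7";     // getRemoteAddr() of the client making bad attempts
    static final String OTHER_CLIENT = "198.51.100.23";   // getRemoteAddr() of an unrelated user

    // Failed-attempt counter; one instance can back several entry points.
    static class LockoutTracker {
        private final Map<String, Integer> failuresByKey = new ConcurrentHashMap<>();
        void recordFailure(String key) { failuresByKey.merge(key, 1, Integer::sum); }
        boolean isLocked(String key) { return failuresByKey.getOrDefault(key, 0) >= MAX_ATTEMPTS; }
    }

    // Is the unrelated user locked out after the noisy client's failures?
    static boolean bystanderLocked(boolean keyOnLocalAddr) {
        LockoutTracker forgotPassword = new LockoutTracker();
        for (int i = 0; i < MAX_ATTEMPTS; i++) {
            forgotPassword.recordFailure(keyOnLocalAddr ? SERVER_LOCAL_ADDR : NOISY_CLIENT);
        }
        return forgotPassword.isLocked(keyOnLocalAddr ? SERVER_LOCAL_ADDR : OTHER_CLIENT);
    }

    // Is a client that was blocked on the forgot password form also blocked on login?
    static boolean blockedOnLoginToo(boolean sharedTracker) {
        LockoutTracker forgotPassword = new LockoutTracker();
        LockoutTracker login = sharedTracker ? forgotPassword : new LockoutTracker();
        for (int i = 0; i < MAX_ATTEMPTS; i++) {
            forgotPassword.recordFailure(NOISY_CLIENT);
        }
        return login.isLocked(NOISY_CLIENT);
    }

    public static void main(String[] args) {
        System.out.println("key = local addr,  bystander locked: " + bystanderLocked(true));
        System.out.println("key = remote addr, bystander locked: " + bystanderLocked(false));
        System.out.println("separate trackers, blocked on login: " + blockedOnLoginToo(false));
        System.out.println("shared tracker,    blocked on login: " + blockedOnLoginToo(true));
    }
}
```

Behind a reverse proxy, getRemoteAddr() returns the proxy's address, so the same collective lockout reappears unless the container is configured to resolve the real client address.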

              People

              Assignee:
              chalakanth Chalakanth Reddy
              Reporter:
              rowanseymour Rowan Seymour

                  Time Tracking

                  Estimated: 2h
                  Remaining: 2h
                  Logged: Not Specified