OpenMRS Core / TRUNK-3878

Forgot password form IP-based lockout locks everyone from using it


    Details

    • Complexity:
      Low

      Description

      The forgot password form controller logs login attempts using request.getLocalAddr() instead of request.getRemoteAddr().

      https://github.com/openmrs/openmrs-core/blob/master/web/src/main/java/org/openmrs/web/controller/ForgotPasswordFormController.java line 80

      Ideally this controller should share the list of locked out IPs with LoginServlet. If a rogue IP address is blocked from one, it should be blocked from the other.

            People

            Assignee:
            chalakanth Chalakanth Reddy [X] (Inactive)
            Reporter:
            rowanseymour Rowan Seymour [X] (Inactive)

                Time Tracking

                Estimated: 2h
                Remaining: 2h
                Logged: Not Specified
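
The effect described in this issue, as an added example that is not OpenMRS code: a lockout counter keyed by the local address collapses every client onto the server's own IP, while keying by the remote address locks only the client that failed. The `Request` record, `LockoutTracker` class, the threshold of 5 and all addresses are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

public class LockoutKeyDemo {
    // Stand-in for the two servlet request accessors named in the issue (constructed type).
    record Request(String localAddr, String remoteAddr) {}

    // Hypothetical tracker; one instance can be shared by the login and forgot-password paths.
    static class LockoutTracker {
        private static final int MAX_ATTEMPTS = 5; // assumed threshold, not taken from OpenMRS
        private final Map<String, Integer> failures = new HashMap<>();
        private final Function<Request, String> keyOf;

        LockoutTracker(Function<Request, String> keyOf) { this.keyOf = keyOf; }

        boolean isLockedOut(Request r) {
            return failures.getOrDefault(keyOf.apply(r), 0) >= MAX_ATTEMPTS;
        }

        void recordFailure(Request r) { failures.merge(keyOf.apply(r), 1, Integer::sum); }
    }

    public static void main(String[] args) {
        String server = "10.0.0.5"; // constructed addresses throughout
        Request noisy = new Request(server, "203.0.113.7");
        Request other = new Request(server, "198.51.100.20");

        LockoutTracker byLocal = new LockoutTracker(Request::localAddr);   // behaviour reported
        LockoutTracker byRemote = new LockoutTracker(Request::remoteAddr); // intended behaviour

        for (int i = 0; i < 5; i++) {
            byLocal.recordFailure(noisy);
            byRemote.recordFailure(noisy);
        }

        // Keyed by local address: every request maps to the server's own IP.
        System.out.println("local key, other client locked:  " + byLocal.isLockedOut(other));
        // Keyed by remote address: only the client that failed is counted.
        System.out.println("remote key, other client locked: " + byRemote.isLockedOut(other));
        System.out.println("remote key, noisy client locked: " + byRemote.isLockedOut(noisy));
    }
}
```

Passing the same tracker instance to both handlers gives the shared lockout list the issue asks for. Behind a reverse proxy, getRemoteAddr() returns the proxy's address, so the same collapse occurs unless the container is configured to resolve the forwarded client address.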