Forum Discussion
ASM Brute Force login mitigation with Captcha
I have a question regarding the ASM brute force login mitigation feature using captchas. Based on the failed logins setting the user gets challenged with a captcha. After solving the captcha successfully the user gets redirected back to the login page. Entering the correct credentials this time forces another captcha challenge! If this is solved successfully the user is allowed to enter the website.
I can't understand this last captcha challenge because the user has entered the correct credentials before. He shouldn't be challenged again at this point.
The sequence when using captchas is not documented in that much detail, so could it be that the last captcha is one too many? Has anyone had a similar experience, or does anyone know how ASM should work at this stage?
Tested with versions 13.1.1.2 and 14.1.
Rgds, Peter
- samstep
Cirrocumulus
I have never seen this on v12.1.x branch, so difficult to comment for v13/14, this potentially might be related to your application specifics or configuration details. Also the problem might be in 'Re-enable login after' settings - do you have it configured?
- leonline_225556
Altostratus
You shouldn't get the 2nd CAPTCHA. Although I have seen some difference in behavior when hitting enter after solving the CAPTCHA vs actual clicking on the button. Do you have 2 illegal request log entries when you have this issue?
- Findus
Altostratus
Just to let you know - the above-described login sequence with captcha challenges works as designed. I clarified this via a support ticket.
Final answer from support:
"The Engineering Services team confirmed this is the expected behaviour. Only when the customer keys in the correct captcha response when the login was successful (meaning the right set of credentials before the challenge) would he not be challenged again in subsequent login requests."
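To make the support answer concrete, here is an added toy model of the sequence the thread describes. It is illustration code written for this thread, not F5 ASM code: the threshold, the "Re-enable login after" timer, the return codes and the client IP are all assumed. The point it shows is that a captcha solved on the redirect back to the login form carries no credentials, so it cannot clear the mitigated state; only a request that carries both a solved captcha and correct credentials does, which is why Peter sees a second challenge.

```python
"""Toy model of brute-force login mitigation that escalates to a CAPTCHA
challenge after N failed logins.  Written for this thread as an
illustration; it is not F5 ASM code and every setting below is assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

OK = "OK"
INVALID = "INVALID_CREDENTIALS"
CHALLENGE = "CAPTCHA_CHALLENGE"
REDIRECT = "REDIRECT_TO_LOGIN"  # captcha solved, but no credentials submitted


@dataclass
class ClientState:
    failed_logins: int = 0
    mitigated_since: Optional[float] = None  # set once the threshold is hit

    @property
    def mitigated(self) -> bool:
        return self.mitigated_since is not None


class BruteForceMitigator:
    def __init__(self, valid: Dict[str, str], threshold: int = 3,
                 re_enable_after: float = 600.0,
                 clock: Callable[[], float] = lambda: 0.0) -> None:
        self.valid = valid                      # username -> password (constructed)
        self.threshold = threshold              # "failed logins" setting (assumed)
        self.re_enable_after = re_enable_after  # "Re-enable login after" (assumed)
        self.clock = clock                      # injectable so tests need no sleep
        self.states: Dict[str, ClientState] = {}

    def request(self, client: str, username: Optional[str] = None,
                password: Optional[str] = None, captcha_solved: bool = False) -> str:
        st = self.states.setdefault(client, ClientState())
        now = self.clock()

        # Mitigation lapses by itself once the re-enable interval has passed.
        if st.mitigated and now - st.mitigated_since >= self.re_enable_after:
            self.states[client] = st = ClientState()

        if st.mitigated and not captcha_solved:
            # Credentials are not evaluated while the client is mitigated;
            # this is why a correct password still draws a challenge.
            return CHALLENGE

        if username is None:
            # Solving the challenge on the redirect back to the login form
            # proves nothing about the account, so the state is kept.
            return REDIRECT

        if self.valid.get(username) == password:
            # Success clears the counter.  For a mitigated client this only
            # happens when the same request carried a solved captcha AND
            # correct credentials, which is what support described.
            self.states[client] = ClientState()
            return OK

        st.failed_logins += 1
        if st.failed_logins >= self.threshold and not st.mitigated:
            st.mitigated_since = now
            return CHALLENGE
        return INVALID


def observed_sequence() -> List[str]:
    """Replay the sequence from the opening post (IP and password assumed)."""
    m = BruteForceMitigator({"peter": "correct-horse"}, threshold=3)

    def bad() -> str:
        return m.request("10.0.0.1", "peter", "wrong")

    return [
        bad(),                                                  # INVALID
        bad(),                                                  # INVALID
        bad(),                                                  # CHALLENGE (threshold hit)
        m.request("10.0.0.1", captcha_solved=True),             # REDIRECT (no credentials)
        m.request("10.0.0.1", "peter", "correct-horse"),        # CHALLENGE (still mitigated)
        m.request("10.0.0.1", "peter", "correct-horse",
                  captcha_solved=True),                         # OK, state cleared
        m.request("10.0.0.1", "peter", "correct-horse"),        # OK, no further challenge
    ]


def expiry_sequence() -> List[str]:
    """Mitigation lapses after the re-enable interval (fake clock)."""
    t = [0.0]
    m = BruteForceMitigator({"peter": "correct-horse"}, threshold=2,
                            re_enable_after=600.0, clock=lambda: t[0])
    out = [m.request("c", "peter", "x"), m.request("c", "peter", "x")]  # INVALID, CHALLENGE
    t[0] = 599.0
    out.append(m.request("c", "peter", "correct-horse"))  # CHALLENGE, timer not elapsed
    t[0] = 600.0
    out.append(m.request("c", "peter", "correct-horse"))  # OK, mitigation expired
    return out


if __name__ == "__main__":
    print(observed_sequence())
    print(expiry_sequence())
```

The second function is there because samstep's point about "Re-enable login after" is the other way out of the mitigated state: if that timer is set, a client that never solves the captcha together with a correct login is simply released after the interval, which can look like inconsistent behaviour when comparing test runs.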