Forum Discussion
Hi guys, I'm facing the same issue as you. Did you get any response from support? This is really unexpected behaviour when the whole policy is case insensitive.
Thanks.
Hi Colin, thank you for the ideas on how you handled the situation. The problem with your second approach is that, even if the whole security policy is case insensitive, the parameters configured on the JSON/AJAX login page are handled as case sensitive. This inconsistency drives me crazy, as there isn't any reasonable solution for it. I am thinking about contacting support to ask them whether this is a bug or a feature :) Our application accepts any case for parameter names (e.g. pArAmEtEr), but the login page in a case-insensitive policy expects one exact case format (parameter, or Parameter, whatever I configure there). Thus it is pretty straightforward to bypass the whole brute-force protection just by changing the case of the parameter name.
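An added example, not part of the original posts and not any vendor's code: a check that can sit in front of the application, or run over captured login bodies, so that failed-login counting keys on the parameter name regardless of case, the way the application itself accepts it. The parameter names `username` and `password` and the sample bodies are constructed assumptions.

```python
import json

# Assumed (hypothetical) names configured on the login page definition.
LOGIN_PARAMS = ("username", "password")

def classify_login_body(raw_body, configured=LOGIN_PARAMS):
    """Compare the JSON keys of a login request with the configured names.

    Returns (verdict, canonical):
      exact        - every configured name present in its configured case
      case_variant - a configured name present only in another case
      ambiguous    - several keys fold to the same configured name
      missing      - a configured name absent in any case
      invalid      - body is not a JSON object
    canonical is the body re-keyed to the configured names, else None.
    """
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        return "invalid", None
    if not isinstance(body, dict):
        return "invalid", None

    wanted = {name.casefold(): name for name in configured}
    seen = {}  # folded name -> keys exactly as sent
    for key in body:
        if key.casefold() in wanted:
            seen.setdefault(key.casefold(), []).append(key)

    if any(len(keys) > 1 for keys in seen.values()):
        return "ambiguous", None   # e.g. "username" and "USERNAME" together
    if set(seen) != set(wanted):
        return "missing", None

    canonical = {wanted[f]: body[keys[0]] for f, keys in seen.items()}
    exact = all(keys[0] == wanted[f] for f, keys in seen.items())
    return ("exact" if exact else "case_variant"), canonical

# Constructed sample bodies, not taken from any real traffic.
SAMPLES = [
    '{"username": "alice", "password": "x"}',
    '{"uSeRnAmE": "alice", "password": "x"}',
    '{"username": "alice", "USERNAME": "bob", "password": "x"}',
    '{"user": "alice", "password": "x"}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_login_body(raw)[0], raw)
```

Requests classified `case_variant` or `ambiguous` are the ones an exact-case login page definition would not count, so they are worth logging and either rejecting or re-keying to the canonical form before the login check sees them.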