I have implemented the brand new Symfony authentication system: https://symfony.com/doc/current/security/experimental_authenticators.html

And I added the new Login Throttling: https://symfony.com/blog/new-in-symfony-5-2-login-throttling

Everything is correctly configured.

I also installed the RateLimiter component, which created an environment variable:

LOCK_DSN=semaphore

But I have a problem. First, the Login Throttling seems to be half ignored. I have no error message once the limit is exceeded. On the other hand, if I try to connect with good credentials, I have the following error which appears:

Semaphore extension (sysvsem) is required.

I tried to install the Semaphore component (https://symfony.com/doc/current/components/semaphore.html)

But same problem.

This is my security.yaml

security:
  enable_authenticator_manager: true

  encoders:
    App\Application\Entity\User:
      algorithm: auto

  # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
  providers:
    in_memory: { memory: ~ }
    # used to reload user from session & other features (e.g. switch_user)
    in_database:
      entity:
        class: App\Application\Entity\User
        property: email
  firewalls:
    dev:
      pattern: ^/(_(profiler|wdt)|css|images|js)/
      security: false

    main:
      user_checker: App\Application\Security\UserChecker
      provider: in_database
      lazy: true

      remember_me:
        secret: '%kernel.secret%'

      form_login:
        login_path: app_login
        check_path: app_login
        default_target_path: home

      logout:
        path: app_logout
        target: app_login

      custom_authenticators:
        - App\Application\Security\AppCustomAuthenticator

      entry_point: App\Application\Security\AppCustomAuthenticator

      # configuring the maximum login attempts (per minute)
      login_throttling:
        max_attempts: 2

I searched if there was an extension to add to PHP but couldn't find anything. So I don't know what to do. I'm on Windows 10.

Stephan Vierkant
eronn
  • There exists an extension by that name for Linux: https://pkgs.org/download/php-sysvsem ; however, it doesn't exist for Windows (source: https://wiki.php.net/internals/windows/libs - search for sysvsem) – Jakumi Mar 14 '21 at 12:47
  • I just realized it, indeed, it is very problematic ... Thank you for the info – eronn Mar 14 '21 at 12:50
  • Off-topic but it seems a bit unusual to have both a form_login as well as a custom authenticator in the same firewall. I guess it works. – Cerad Mar 14 '21 at 13:00
  • Ah yes, little oversight on my part when I configured my new authentication system! So I should remove the form_login? And yes it works – eronn Mar 14 '21 at 13:03
  • And for the Login Throttling, I updated my env var to `LOCK_DSN=flock`. No error, but no limitation, and I can still authenticate even after the limit – eronn Mar 14 '21 at 13:06
  • Yes I would suggest removing form_login just to prevent downstream confusion. The authentication system is already confusing enough. Never tried the login throttling functionality myself so can't help there. – Cerad Mar 14 '21 at 13:08

1 Answer

I also had this problem, you can change the store for locking: https://symfony.com/doc/current/components/lock.html#available-stores

My solution was to change in .env.local

###> symfony/lock ###
# Choose one of the stores below
# postgresql+advisory://db_user:db_password@localhost/db_name
LOCK_DSN=semaphore
###< symfony/lock ###

to:

###> symfony/lock ###
# Choose one of the stores below
# postgresql+advisory://db_user:db_password@localhost/db_name
LOCK_DSN=flock
###< symfony/lock ###
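
A preflight check for the store choice discussed in this answer, as an added example that is not part of the original post or of Symfony's code: it tests whether the store named by `LOCK_DSN` can work on the current PHP build, for the two values seen on this page only. The function name `checkLockDsn` and the messages are illustrative.

```php
<?php
// Added example: checks whether the lock store named by LOCK_DSN is usable on
// this PHP build. Covers only "semaphore" and "flock" (the values on this page).
// checkLockDsn() is a hypothetical helper, not a Symfony API.

function checkLockDsn(string $dsn): array
{
    if ($dsn === 'semaphore') {
        // The semaphore store needs the sysvsem extension; the comments above
        // note that it is not available for Windows.
        return extension_loaded('sysvsem')
            ? [true, 'sysvsem is loaded']
            : [false, 'sysvsem is not loaded (PHP_OS_FAMILY=' . PHP_OS_FAMILY . ')'];
    }

    if ($dsn === 'flock' || strncmp($dsn, 'flock://', 8) === 0) {
        // Bare "flock" uses the system temp directory; "flock:///path" names one.
        $dir = $dsn === 'flock' ? sys_get_temp_dir() : substr($dsn, 8);
        if (!is_dir($dir) || !is_writable($dir)) {
            return [false, "lock directory is not writable: $dir"];
        }
        // Prove that an exclusive, non-blocking file lock can actually be taken.
        $probe = $dir . DIRECTORY_SEPARATOR . 'lock-dsn-probe.' . getmypid();
        $handle = fopen($probe, 'c');
        $locked = $handle !== false && flock($handle, LOCK_EX | LOCK_NB);
        if ($handle !== false) {
            flock($handle, LOCK_UN);
            fclose($handle); // close before unlink, required on Windows
            unlink($probe);
        }
        return $locked ? [true, "flock works in $dir"] : [false, "flock failed in $dir"];
    }

    return [false, 'store not covered by this check'];
}

// Reads the process environment only (it does not parse .env.local);
// defaults to the value from the question.
$dsn = getenv('LOCK_DSN') ?: 'semaphore';
[$ok, $detail] = checkLockDsn($dsn);
printf("LOCK_DSN=%s: %s (%s)\n", $dsn, $ok ? 'usable' : 'NOT usable', $detail);
exit($ok ? 0 : 1);
```

The non-zero exit status lets a deployment script stop before the application is started with a lock store the platform cannot provide.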