Account Locking After Max Login Attempts Not Working As Expected

I have a requirement to configure max login attempts at server level for all the application users. The Users module has Site Properties with default settings, and for the first Username lock the default value is 3 attempts. I tried to test these default settings as below.

Attempt-1. Entered incorrect credentials.

Attempt-2. Entered correct credentials, and user login was successful.

Attempt-3. Entered incorrect credentials again and realized that the account is locked.

I was hoping that Attempt 3 would not lock the user account because Attempt 2 was a successful login, which should have reset the failed attempts count. However, the above steps indicate that OutSystems counted the successful attempt also as unsuccessful.

Please share your valuable inputs on this.



Hi Junaid, let me know if you already saw this document: Protection against Brute Force Attacks?

Nuno Miguel Verdasca wrote:

Hi Junaid, let me know if you already saw this document: Protection against Brute Force Attacks?

Yes, that is where I saw what properties to change. Would you mind verifying my steps on some server you have access to?


Of course I wouldn't mind, I can try it, but it is possible that I will only be able to give you feedback later in the day, if there is no problem for you.

Nuno Miguel Verdasca wrote:

Of course I wouldn't mind, I can try it, but it is possible that I will only be able to give you feedback later in the day, if there is no problem for you.


Thanks, works for me.