improved documentation

metaclass-nl · Feb 8, 2014 · 012c06d · 012c06d
1 parent 22898c2
commit 012c06d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -13,11 +13,12 @@ FEATURES
 
 - Blocks the primary authentication route by both username and client ip address for which authentication failed  too often,
 
-- To hide wheater an account actually exists for a user name, any user name that is tried too often may be blocked, regardless of the existence and 
-status of an account with that username,
+- To hide weather an account actually exists for a username, any username that is tried too often may be blocked, 
+  regardless of the existence and status of an account with that username,
 
 - Makes a logical difference between failed login lockout (done by this bundle) and eventual administrative lockout 
-  (may be done by the UserBundle), so that re-enabling all usernames en masse does not unlock administratively locked users.
+  (may be done by the UserBundle), so that re-enabling all usernames en masse does not unlock administratively locked users
+  (OWASP requirement).
 
 - Automatic release of username on authentication success,
 

diff --git a/Resources/doc/Installation.md b/Resources/doc/Installation.md
@@ -75,12 +75,12 @@ metaclass_authentication_guard:
         name: ""
     tresholds_governor_params:
         counterDurationInSeconds:  300
-        blockUsernamesFor: "10 days" 
+        blockUsernamesFor: "24 minutes"       # actual blocking for up to counterDurationInSeconds shorter!
         limitPerUserName: 3
-        blockIpAddressesFor: "15 minutes"
+        blockIpAddressesFor: "17 minutes"     # actual blocking for up to counterDurationInSeconds shorter!
         limitBasePerIpAddress: 10
         releaseUserOnLoginSuccess: false
-        allowReleasedUserOnAddressFor: "25 minutes" 
+        allowReleasedUserOnAddressFor: "30 days" 
         allowReleasedUserOnAgentFor: "10 days"
         distinctiveAgentMinLength: 30
         
@@ -107,7 +107,8 @@ Configurations
  
 	blockUsernamesFor
 	
-	The duration for which failed logins are countend per username. Values like "3 minutes", "12 hours", "5 years" are allowed.
+	The duration for which failed login counters are summed per username. Values like "3 minutes", "12 hours", "5 years" are allowed.
+	The actual duration of blocking will be up to 'counterDurationInSeconds' shorter.
 	
 	The OWASP Guide: 
 	> If necessary, such as for compliance with a national security standard, a configurable soft lockout of approximately 15-30 minutes should apply, with an error message stating the reason and when the account will become active again.
@@ -133,7 +134,8 @@ Configurations
 
 	blockIpAddressesFor 
 	
-	The duration for which failed logins are countend per ip addess. Values like "3 minutes", "12 hours", "5 years" are allowed.
+	The duration for which failed login counters are summed per ip addess. Values like "3 minutes", "12 hours", "5 years" are allowed.
+	The actual duration of blocking will be up to 'counterDurationInSeconds' shorter.
 	
 	The OWASP Guide suggests a duration of 15 minutes, but also suggests additional measures that are currenly not supported
 	by this Bundle.