chameleon-system-private/login-security-bundle
Provides login security features (e.g. blocking of IPs) for chameleon
Requires
- symfony/lock: ^6.4
- psr/cache: ^3.0
- symfony/options-resolver: ^6.4
- chameleon-system/chameleon-base: ~8.0.0
README
Overview
This bundle enhances the login security of your Chameleon application by implementing rate limiting for failed authentication attempts. It helps protect against brute-force attacks by temporarily blocking login attempts for a user or from an IP address after a certain number of failures within a defined period.
Installation
- Install the bundle:

```shell
composer require chameleon-system-private/login-security-bundle
```

- Register the bundle in AppKernel::registerBundles():

```php
// in AppKernel::registerBundles() or bundles.php
new ChameleonSystem\LoginSecurityBundle\ChameleonSystemLoginSecurityBundle(),
```

- Run the Chameleon updates.
Configuration
The login security features are configured under the chameleon_system_login_security key in your application's configuration (e.g., config.yml).
Rate Limiting Authentication Failures
To enable rate limiting for authentication failures, add the following configuration:

```yaml
chameleon_system_login_security:
    rate_limiting:
        log_only: false # If true, rate limiting is only logged, not enforced. Defaults to false.
        user:
            policy: sliding_window # The rate limiting policy to use.
            limit: 10 # Number of requests allowed within the interval.
            interval: '10 minutes' # Time frame for the rate limit.
        ip:
            policy: fixed_window # The rate limiting policy to use.
            limit: 60 # Number of requests allowed within the interval.
            interval: '10 minutes' # Time frame for the rate limit.
```
Configuration Parameters:
- log_only:
  - Type: boolean
  - Default: false
  - If set to true, rate limiting will only be logged, but no enforcement (blocking) will occur. This is useful for testing and monitoring.
- user: Rate limiting policy applied per user.
  - policy:
    - Type: string
    - Default: no_limit
    - The rate limiting policy to use.
    - Possible values: sliding_window, fixed_window, no_limit.
    - Refer to the Symfony documentation for a detailed explanation of policies: https://symfony.com/doc/current/rate_limiter.html
  - limit:
    - Type: integer
    - Default: 10
    - The maximum number of failed authentication attempts allowed for a single user within the specified interval.
  - interval:
    - Type: string
    - Default: '10 minutes'
    - The time frame during which the limit applies. Must be a valid relative date string (e.g., "10 minutes", "1 day", "2 hours"). See https://www.php.net/datetime.formats.relative for valid formats.
- ip: Rate limiting policy applied per IP address.
  - policy:
    - Type: string
    - Default: no_limit
    - Same as user.policy.
  - limit:
    - Type: integer
    - Default: 60
    - The maximum number of failed authentication attempts allowed from a single IP address within the specified interval.
  - interval:
    - Type: string
    - Default: '10 minutes'
    - Same as user.interval.
How Rate Limiting Works:
- Per User: If too many failed login attempts occur for a specific username, that user will be temporarily blocked from logging in. The user attempting to log in will receive a message indicating this.
- Per IP: If too many failed login attempts originate from a single IP address, further login attempts from that IP will be blocked for a certain period. Users attempting to log in from a blocked IP will not be informed of the IP-based block directly.
Important Considerations for IP-based Rate Limiting: Some ISPs use shared IP addresses (e.g., NAT) for multiple clients. This means a single IP address might be used by many users. Adjust your IP-based rate-limiting policy (limit and interval) carefully to avoid unintentionally blocking legitimate users.
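The following is an added illustration of the rate_limiting options described above (per-user and per-IP keys, the sliding_window and fixed_window policies, and log_only); it is constructed for this README and is not the bundle's or Symfony's code. It assumes a username "alice", an IP 203.0.113.7 and timestamps in seconds, all made up.

```python
from collections import defaultdict, deque

# Constructed stand-in for the README's rate_limiting options (policy, limit,
# interval, log_only) keyed per user or per IP; not the bundle's code. Symfony's
# sliding window is an approximation, this one is exact, but the block/allow
# decisions for a burst of failures match what the README describes.

class FailureLimiter:
    def __init__(self, policy, limit, interval=600, log_only=False):
        self.policy, self.limit, self.interval = policy, limit, interval  # 600 s = '10 minutes'
        self.log_only = log_only
        self.events = defaultdict(deque)  # key -> timestamps of failed attempts
        self.log = []                     # what log_only mode records instead of blocking

    def _failures_in_window(self, key, now):
        q = self.events[key]
        if self.policy == "fixed_window":
            start = now - (now % self.interval)  # window edges aligned to the interval
            while q and q[0] < start:
                q.popleft()
        else:  # sliding_window: trailing interval ending now
            while q and q[0] <= now - self.interval:
                q.popleft()
        return len(q)

    def record_failure(self, key, now):
        self.events[key].append(now)

    def is_blocked(self, key, now):
        if self.policy == "no_limit":
            return False
        exceeded = self._failures_in_window(key, now) >= self.limit
        if exceeded:
            self.log.append(f"{key}: {self.limit} failures in {self.interval}s ({self.policy})")
        return exceeded and not self.log_only

def demo():
    """Ten failures for one account just before a window edge; returns the four decisions."""
    sliding = FailureLimiter("sliding_window", limit=10)  # README's user example
    fixed = FailureLimiter("fixed_window", limit=10)
    audit = FailureLimiter("sliding_window", limit=10, log_only=True)
    ip = FailureLimiter("fixed_window", limit=60)          # README's ip example
    for t in range(590, 600):  # constructed: failures at t = 590..599 s
        for lim in (sliding, fixed, audit):
            lim.record_failure("alice", t)
        ip.record_failure("203.0.113.7", t)
    now = 601  # one second into the next fixed window
    return (sliding.is_blocked("alice", now), fixed.is_blocked("alice", now),
            audit.is_blocked("alice", now), ip.is_blocked("203.0.113.7", now))
```

demo() returns (True, False, False, False): the sliding window still blocks the account, the fixed window has already forgotten the burst because it ended one second before the edge, log_only records the hit without blocking, and ten failures are far below the IP limit of 60.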