
Failed login locks all databases on website

New Member
Posts: 12
Country: USA


I have an ACT Premium 2011 site that has multiple databases under a single website.  If a user types their password wrong 4-5 times, a message appears saying "Unable to authenticate user. Log on will be disabled for the next five minutes for security purposes. Please try again later."  This doesn't just lock out that user, it locks ALL users out of not only that database, but ALL databases under that site aren't accessible by anyone until that five minutes is up.  Also, if someone presses F5 to refresh, it resends the username and password which resets the 5 minutes if it hasn't elapsed.

Is this by design that it locks the entire site because a single person doesn't know their password?  Is there a way to "unlock" the database and/or site before those five minutes are up so that all users aren't locked out for 5 straight minutes?

New Member
Posts: 36
Country: USA

Re: Failed login locks all databases on website

3 years later... same thing. I hadn't seen this before so it kinda blew my mind. I'm using ACT Premium for Web 2013
New Member
Posts: 12
Country: USA

Re: Failed login locks all databases on website

We haven't tested this on ACT v16 yet, but hopefully Swiftpage made a few code changes to stop this from happening.  We have a few databases that have 20-30 users in them regularly and this is not a fun topic to try and explain to the client why everyone can't work for 5 minutes because of a design flaw in the software.

New Member
Posts: 36
Country: USA

Re: Failed login locks all databases on website

Some of the bizarre bugs in ACT that go unfixed in new version after new version are just mind-boggling.

Platinum Elite Contributor
Posts: 6,668
Country: USA

Re: Failed login locks all databases on website

Because all the databases are attached and under the control of the SQL server, I suspect that the lockout is under the control of the SQL server and that's why it locks all the databases. I would assume that the initial lock is initiated from the ACT! program but that ACT! doesn't have control of how the lock is performed by the SQL server.

Roy Laudenslager
ACT! Certified Consultant
ACT! Report Expert
Durkin Impact Report Designer
www.techbenders.com
royel@techbenders.com
541-343-8129
New Member
Posts: 36
Country: USA

Re: Failed login locks all databases on website

Sorry, but that doesn't cut it.  If ACT can't figure out how to lock the USER account instead of the database, then it shouldn't do lockouts at all, or should give us a way to disable this behavior.

New Member
Posts: 12
Country: USA

Re: Failed login locks all databases on website

Agreed.  Because user access is controlled within ACT and not by individual SQL users, SQL server doesn't care what's going on behind the scenes.  It just does what it's told by the impersonator account.  A simple "ISLOCKED" field in the TBL_USERS table would make for a very easy solution to this with a 5-minute unlock trigger for individual users.

Platinum Elite Contributor
Posts: 6,668
Country: USA

Re: Failed login locks all databases on website

Now you get into the issue of overall security. If someone is trying to hack the database you would want to lock the entire database to impede them.

Roy Laudenslager
ACT! Certified Consultant
ACT! Report Expert
Durkin Impact Report Designer
www.techbenders.com
royel@techbenders.com
541-343-8129
New Member
Posts: 12
Country: USA

Re: Failed login locks all databases on website

I would hope that the built-in security model is set so that it locks the user that it's trying to login as.  That is a HORRIBLE security model to straight up lock all access to the database.  That's like saying (on a much larger scale) that because I lock my Yahoo account, all of Yahoo locks until that timer is up.  I have upwards of 20-30 users simultaneously in some databases.  They shouldn't have to be completely disrupted because I locked my account, and on top of that, there's no way as a system administrator to unlock it early so that they can get back to using the database.

I realize I am up on a soap box right now and you aren't one of the developers of the product so none of this is pointed directly at you.  It's just a pain in the butt when I get occasionally flooded with emails from a client because they can't work because of one user who fat-fingers their password one too many times.  It's also frustrating that three versions later (2011 to v16) there at least isn't some sort of unlock function built in so when a user does lock their account I can quickly unlock it and everyone can go about their business.

New Member
Posts: 36
Country: USA

Re: Failed login locks all databases on website

"Now you get into the issue of overall security. If someone is trying to hack the database you would want to lock the entire database to impede them."

I deal with lots of different software packages, plus manage several webservers.  I have NEVER seen software that locked everything up because one user account mistyped some passwords.  Lock the one user account?  Fine.  Lock everything?  Not so fine.

Regardless, if that's the way ACT wants to work it, whatever...  But let me disable this behavior and take the risk upon myself.  Holding all of my users hostage for 5 minutes is a bad way to handle this.
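
The per-account lockout the posters ask for, as an added example that is not part of any post in this thread and is not ACT! code: failures are counted per (database, user), attempts made while locked do not extend the timer (the F5 resubmit case), and an administrator can clear a lock early. The class and method names are hypothetical; the threshold of 5 and the 300-second window follow the figures quoted in the thread.

```python
import time

# Hypothetical model for illustration; not ACT! code or its schema.
MAX_FAILURES = 5        # thread reports lockout after "4-5" bad passwords
LOCKOUT_SECONDS = 300   # the five-minute window quoted in the thread


class AccountLockout:
    """Per-account lockout state, keyed by (database, username)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # key -> consecutive failed attempts
        self._locked_until = {}  # key -> time at which the lock expires

    def is_locked(self, database, username):
        key = (database, username.lower())
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear state so the user starts fresh.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def attempt(self, database, username, password_ok):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        key = (database, username.lower())
        if self.is_locked(database, username):
            # Rejected without touching the expiry, so a resubmitted
            # form (F5) cannot restart the five minutes.
            return "locked"
        if password_ok:
            self._failures.pop(key, None)
            return "ok"
        count = self._failures.get(key, 0) + 1
        self._failures[key] = count
        if count >= MAX_FAILURES:
            self._locked_until[key] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def unlock(self, database, username):
        """Administrator override: clear the lock before it expires."""
        key = (database, username.lower())
        self._locked_until.pop(key, None)
        self._failures.pop(key, None)
```

Because state is keyed by account, a mistyped password for one user never affects other users or other databases on the same site.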