Login and Session Security

Last Updated: Jun 8, 2021
documentation for the dotCMS Content Management System

dotCMS provides resistance to brute-force password attacks through the use of an increasing timeout for repeated login failures. In addition, you may increase the dotCMS login security by configuring dotCMS to use SSL, and you can integrate dotCMS with external authentication services to provide additional login features.

Repeated Login Failures

When a user login fails, dotCMS automatically implements a delay before a new login attempt will be allowed. The first time a user fails to log does not cause a delay in login attempts, as it's considered a mistake, not an attack. All unsuccessful login attempts after the first will cause a delay in seconds equal to the (number of unsusscessful attempts-1) squared. For example:

  • 1 failed attempt: Delay = 0 seconds (no delay).
  • 2 failed attempts: Delay = 1 second.
  • 3 failed attempts: Delay = 4 seconds.
  • 4 failed attempts: Delay = 9 seconds.
  • etc.

On this page


We Dig Feedback

Selected excerpt: