403s returned if you have multiple users from one office

(Bas van Leeuwen) #1


Related to my previous topic, the log-in rate limit for a single IP is way to low.

We just sent out an announcement email and our entire office was intermittently blocked with a very ugly “You do not have permission to view this file” 403. This includes admins, staff etc.

The default is 6 logins per minute per IP address.

(Jeff Atwood) #4

I think it’s fine to have a discussion about the default perhaps being too low, but bear in mind that changing this default has security and spam implications – it is not a “free” setting.

(Bas van Leeuwen) #5

Fully understand that :slight_smile:

I am just realising the actual problem: the non-descriptive error message.

If it was something like HTTP 403: rate limit reached (max_logins_per_ip), then I’d know where to start debugging.
Now we just had a hunch and changed a random setting somewhere, that seems to have fixed it.

(Jeff Atwood) #6

Hmm not sure what do you think @sam?

(Sam Saffron) #7

Yes I think we can do better with the error here, this has popped up before and we can tell the users what happened and guide them better at how to resolve it.

Too many people from your exact location are attempting to login. Please contact your Discourse Administrators at: bla@mail.com if you need the limit raised. To learn more about this see: <link to meta explaining this thing>

(Bas van Leeuwen) #8

Yes please :slight_smile:

(Stephen) #9

As larger business connections typically have a static IP is there any scope to whitelist IPs, rather than weaken the antispam across the board?

(Bas van Leeuwen) #10

That would indeed work for most.

For us not so much, since we serve many companies with large offices; but we are actually fine now, we have a closed community, so this limit is not really needed for us.