
Users & Groups: User Security

User Throttling

As a security measure, Curator throttles certain activities for a user to mitigate malicious behaviour. Where possible, the throttle is applied to the logged-in user; if there is no logged-in user, it is applied to the user's IP address instead. For instance, logins only allow a limited number of failed attempts within a time period. If that limit is exceeded, the user's IP address is blocked for a period of time, which helps prevent someone from brute-forcing another user's password.

If Curator is behind a load balancer, reverse proxy, or some other network device that makes all users appear to share the same IP address, Curator cannot distinguish users by IP address, so they all share the same throttle window for activities that cannot be tied to a logged-in user. In that case, if several different users mistype their passwords within minutes of each other, Curator will block all users from logging in. If this becomes a recurring issue with your Curator site, the potential fixes are:

  • Fix your network device to pass through the IP address of each user instead of proxying them as a single IP address. See: Reverse Proxy
  • Configure Curator's throttle to allow more failed attempts before triggering the throttle or a shorter suspension time after a throttle is triggered.

Configuring Throttle

By default, Curator only allows 5 attempts within a 15 minute period and, if the throttle is triggered, there is a 15 minute waiting period before the user is unblocked.

To customize these settings, navigate to Backend > Settings > Security > Authentication Settings > Customization section.

The activity throttle limit determines how many attempts are allowed for throttle activities (failed logins, password resets, etc.).

The activity throttle reset period determines how long the window is (in minutes) before the throttle count resets. In other words, if the throttle limit is set to 5 and this setting is 15, then the user can only mistype their password 5 times in a 15 minute window. If they exceed that, their account/IP address will be blocked.

The activity suspension time determines how long a user/IP address is blocked after the throttle is triggered. In other words, if the user is blocked due to failed login attempts and this setting is 30, the user will need to wait 30 minutes before they are allowed to try logging in again.
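To make the three settings concrete, and to show why users behind a single proxy IP end up sharing one throttle window, here is an added example of a sliding-window throttle written for this page. It is not Curator's own code: the class name, the choice to key on the logged-in username when there is one and on the client IP otherwise, the assumption that the limit-th failure inside the window is what triggers the block, and the sample usernames and IP addresses are all constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta


class ActivityThrottle:
    """Sliding-window activity throttle modelled on the three settings
    described above: limit, reset period and suspension time.
    Constructed example for this page, not Curator's implementation."""

    def __init__(self, limit=5, reset_minutes=15, suspension_minutes=15):
        self.limit = limit
        self.reset_window = timedelta(minutes=reset_minutes)
        self.suspension = timedelta(minutes=suspension_minutes)
        self._attempts = {}       # key -> deque of failure timestamps in window
        self._blocked_until = {}  # key -> datetime at which the block lifts

    @staticmethod
    def key_for(username, client_ip):
        # Throttle the logged-in user when there is one; otherwise the IP.
        # Behind a proxy that hides client IPs, every anonymous request
        # collapses onto the same ("ip", proxy_address) key.
        return ("user", username) if username else ("ip", client_ip)

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[key]  # suspension time has elapsed
            return False
        return True

    def record_failure(self, key, now):
        """Register one failed attempt; return True if the key is blocked."""
        if self.is_blocked(key, now):
            return True
        window = self._attempts.setdefault(key, deque())
        # Drop attempts older than the reset period (the sliding window).
        while window and now - window[0] >= self.reset_window:
            window.popleft()
        window.append(now)
        if len(window) >= self.limit:
            # Limit reached: block for the suspension time and start fresh.
            self._blocked_until[key] = now + self.suspension
            window.clear()
            return True
        return False


def simulate_shared_proxy(usernames, proxy_ip, limit=5):
    """Different users failing login (so no logged-in user yet) behind one
    proxy IP, one minute apart. Returns the per-attempt blocked flags."""
    throttle = ActivityThrottle(limit=limit)
    start = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    results = []
    for i, _user in enumerate(usernames):
        key = ActivityThrottle.key_for(None, proxy_ip)  # username unknown
        results.append(throttle.record_failure(key, start + timedelta(minutes=i)))
    return results


if __name__ == "__main__":
    # Five distinct people mistype once each behind 198.51.100.1 (constructed).
    print(simulate_shared_proxy(["ann", "bob", "cy", "di", "ed"], "198.51.100.1"))
```

With the defaults (5 attempts, 15 minute window, 15 minute suspension), the fifth failure from the proxy address blocks the key even though five different people were involved, which is exactly the shared-window problem the page describes; passing the real client IP through the proxy gives each person their own key. Raising `limit` or lowering `suspension_minutes` corresponds to the second fix listed above.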