
neamil/protect\_fe\_login
=========================

This TYPO3 extension provides brute force protection for frontend login with device cookies, as described by OWASP: https://owasp.org/www-community/Slow\_Down\_Online\_Guessing\_Attacks\_with\_Device\_Cookies

Version 1.0.2 (4y ago) · MIT · PHP ^7.2 · [2 issues](https://github.com/n3amil/protect_fe_login/issues)

[Source](https://github.com/n3amil/protect_fe_login) · [Packagist](https://packagist.org/packages/neamil/protect_fe_login)

Protect FE Logins
=================

This TYPO3 extension protects fe\_login against brute force attacks as described by OWASP: [https://owasp.org/www-community/Slow\_Down\_Online\_Guessing\_Attacks\_with\_Device\_Cookies](https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies)

Current state: beta. Don't use in production yet.

Installation
------------


This TYPO3 extension is available via packagist:

`composer require n3amil/protect_fe_login`

Alternatively, you can install the extension from TER:

[TER: protect\_fe\_login](https://typo3.org/extensions/repository/view/protect_fe_login)

After that, proceed with [Getting Started](#getting-started)

Getting Started
---------------

- Install via TER or composer
- Configure the required extension settings

    - Timeout = how long, in seconds, the lock-out for untrusted users / device cookies lasts
    - MaxAttempts = how many attempts untrusted users can make for a username, or how many attempts can be made with a single device cookie, before the untrusted users for that username, or the device cookie, get locked out
    - DeviceCookieName = the name of the device cookie which is set for the client; choose something unique, e.g. containing the website name
    - DeviceCookieExpireInDays = number of days until the device cookie expires
    - Secret = secret cryptographic key used for hash\_hmac. Use a key with at least 512 bits of entropy, generated with the key/password generator of your choice. Don't use it anywhere else and keep it safe!
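
How these settings fit together in the OWASP device-cookie scheme, as an added example that is not code from the extension: the function names, the in-memory `$store`, the SHA-256 choice and all values are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names and constructed values; not the extension's code.
const SECRET = 'constructed-demo-key';  // "Secret" setting
const MAX_ATTEMPTS = 3;                 // "MaxAttempts" setting
const TIMEOUT = 600;                    // "Timeout" setting, in seconds

// Issued after a successful login: "login,nonce,hmac" (the OWASP layout).
function issueDeviceCookie(string $login): string
{
    $payload = rawurlencode($login) . ',' . bin2hex(random_bytes(16));
    return $payload . ',' . hash_hmac('sha256', $payload, SECRET);
}

// True only if the signature verifies and the cookie is bound to this login.
function isValidDeviceCookie(string $cookie, string $login): bool
{
    $parts = explode(',', $cookie);
    if (count($parts) !== 3) { return false; }
    [$user, $nonce, $sig] = $parts;
    return hash_equals(hash_hmac('sha256', "$user,$nonce", SECRET), $sig) // constant-time compare
        && hash_equals(rawurlencode($login), $user);
}

// A valid cookie gets its own counter; all other clients share one per username.
function lockoutKey(?string $cookie, string $login): string
{
    return ($cookie !== null && isValidDeviceCookie($cookie, $login))
        ? 'cookie:' . explode(',', $cookie)[1]
        : 'untrusted:' . $login;
}

// Count a failed login; reaching MAX_ATTEMPTS locks this key for TIMEOUT seconds.
function registerFailure(array &$store, string $key, int $now): void
{
    $fails = ($store[$key]['fails'] ?? 0) + 1;
    $locked = $fails >= MAX_ATTEMPTS;
    $store[$key] = ['fails' => $locked ? 0 : $fails, 'lockedUntil' => $locked ? $now + TIMEOUT : 0];
}
function isLockedOut(array $store, string $key, int $now): bool
{
    return ($store[$key]['lockedUntil'] ?? 0) > $now;
}

$store = []; // constructed scenario: guesses without a cookie lock only the untrusted bucket
$now = 1700000000;
$cookie = issueDeviceCookie('alice');
for ($i = 0; $i < MAX_ATTEMPTS; $i++) { registerFailure($store, lockoutKey(null, 'alice'), $now); }
var_dump(isLockedOut($store, lockoutKey(null, 'alice'), $now));
var_dump(isLockedOut($store, lockoutKey($cookie, 'alice'), $now));
```

The two results differ because the client holding a valid device cookie is tracked under its own key, so failed guesses from clients without a cookie do not lock out the user's known device.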

FAQ
===


Don't we already have extensions which protect from brute force attacks?
------------------------------------------------------------------------

There are several extensions, e.g. login\_limit, secure\_login or felogin\_bruteforce\_protection. These provide a simple time/IP ban for login attempts, which has downsides for a lot of use cases:

### simple time lockout after n attempts


- DoS for user account

### time lockout for IP after n attempts (that's what most of the named extensions do)

- not suitable against large distributed attacks (bot networks etc.)
- not friendly for users behind NAT
- DoS still possible in many cases

Inspiration and notes taken from this German talk: MRMCD2019

### Health Score

26 (Low, better than 41% of packages)

- Maintenance: 20 (infrequent updates, may be unmaintained)
- Popularity: 10 (limited adoption so far)
- Community: 8 (small or concentrated contributor base)
- Maturity: 55 (maturing project, gaining track record)
- Bus Factor: 1 (top contributor holds 50% of commits, single point of failure)


### Release Activity

- Cadence: every ~146 days
- Total: 4
- Last release: 1736d ago
- Major versions: 0.0.3 → 1.0.0 (2021-06-09)

### Community

- Maintainers: [n3amil](/maintainers/n3amil)
- Top contributors: [3m5-seipelt](https://github.com/3m5-seipelt) (8 commits), [n3amil](https://github.com/n3amil) (8 commits)
- Tags: extension, typo3, protection, bruteforce, felogin, fe\_login, device cookies

