neamil/protect\_fe\_login
=========================

This TYPO3 extension provides brute-force protection for the frontend login using device cookies, as described by OWASP: https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies

Version 1.0.2 · License: MIT · Language: PHP · Requires PHP ^7.2 · [2 issues](https://github.com/n3amil/protect_fe_login/issues)

[Source](https://github.com/n3amil/protect_fe_login) · [Packagist](https://packagist.org/packages/neamil/protect_fe_login)

Protect FE Logins
=================

This TYPO3 extension protects fe\_login against brute-force attacks using device cookies, as described by OWASP: [https://owasp.org/www-community/Slow\_Down\_Online\_Guessing\_Attacks\_with\_Device\_Cookies](https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies)

Current state: beta. Don't use it in production yet.

Installation
------------


This TYPO3 extension is available via Packagist:

`composer require neamil/protect_fe_login`

Alternatively, you can install the extension from TER:

[TER: protect\_fe\_login](https://typo3.org/extensions/repository/view/protect_fe_login)

After that, proceed with [Getting Started](#getting-started)

Getting Started
---------------

- Install via TER or composer.
- Configure the required extension settings:
    - Timeout = how long, in seconds, the lock-out for untrusted users / device cookies lasts
    - MaxAttempts = how many attempts an untrusted user, or a single device cookie, can make before the untrusted users for that username, or the device cookie, get locked out
    - DeviceCookieName = the name of the device cookie that is set for the client; choose something unique, e.g. containing the website name
    - DeviceCookieExpireInDays = number of days until the device cookie expires
    - Secret = secret cryptographic key used for hash\_hmac. Use a key with at least 512 bits of entropy, generated with the key/password generator of your choice. Don't use it anywhere else and keep it safe!
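How the Secret setting and hash\_hmac fit together in the OWASP device-cookie scheme, as an added example that is not the extension's own code. It follows the `LOGIN,NONCE,SIGNATURE` cookie format from the OWASP article; the function names and the choice of SHA-256 are assumptions.

```php
<?php
declare(strict_types=1);

/** Generate a 512-bit secret once; store it in the Secret setting only. */
function generateSecret(): string
{
    return bin2hex(random_bytes(64)); // 64 bytes = 512 bits from the CSPRNG
}

/** Build "LOGIN,NONCE,SIGNATURE" after a successful login (hypothetical helper). */
function issueDeviceCookie(string $login, string $secret): string
{
    // rawurlencode() escapes commas, so the login cannot break the format.
    $payload = rawurlencode($login) . ',' . bin2hex(random_bytes(16));
    // SHA-256 is an assumption; the page only says hash_hmac is used.
    return $payload . ',' . hash_hmac('sha256', $payload, $secret);
}

/**
 * Return "LOGIN,NONCE" (the key under which failed attempts are counted)
 * when the cookie is authentic and was issued for $login, otherwise null.
 * A null result means the client is treated as untrusted.
 */
function validateDeviceCookie(string $cookie, string $login, string $secret): ?string
{
    $parts = explode(',', $cookie);
    if (count($parts) !== 3) {
        return null; // malformed value
    }
    [$encodedLogin, $nonce, $signature] = $parts;
    $payload = $encodedLogin . ',' . $nonce;
    // Constant-time comparison avoids leaking the signature byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $signature)) {
        return null; // forged or tampered cookie
    }
    if (!hash_equals(rawurlencode($login), $encodedLogin)) {
        return null; // valid cookie, but issued for a different account
    }
    return $payload;
}

// Constructed demo values.
$secret = generateSecret();
$cookie = issueDeviceCookie('alice', $secret);
var_dump(validateDeviceCookie($cookie, 'alice', $secret));       // cookie presented for its own login
var_dump(validateDeviceCookie($cookie, 'bob', $secret));         // cookie reused for another login
var_dump(validateDeviceCookie($cookie . '0', 'alice', $secret)); // signature altered
```

Because the lock-out is keyed on the signed `LOGIN,NONCE` pair, exhausting MaxAttempts with one cookie locks out that cookie only, not the account.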

FAQ
===

Don't we already have extensions which protect from brute force attacks?
------------------------------------------------------------------------

There are several such extensions, e.g. login\_limit, secure\_login or felogin\_bruteforce\_protection. Those provide a simple time/IP ban for login attempts, which has downsides in a lot of use cases:

### Simple time lockout after n attempts

- DoS for user account

### Time lockout for IP after n attempts (that's what most of the named extensions do)

- not effective against large distributed attacks (bot networks etc.)
- not friendly for users behind NAT
- DoS still possible in many cases

Inspiration and notes were taken from this German talk at MRMCD2019.

### Community

Maintainer: [n3amil](/maintainers/n3amil)

Tags: extension, typo3, protection, bruteforce, felogin, fe\_login, device cookies

