Rate Limiting and the Challenge Passage Cookie


I have set a rate limiting rule to challenge after 2 attempts to access our login page. This seems to work and issues a managed challenge, and it drops a cookie for the challenge passage to avoid future challenges. However, all it seems to do is reset the counter, and the challenge is once again applied upon a further two attempts.

According to the documentation, it says that “The Challenge Passage does not apply to challenges issued by WAF managed rules. Also, Challenge Passage does not apply to rate limiting rules unless the rate limit is configured to issue a challenge.” I believe my scenario falls under the second scenario, as we are issuing a challenge. Am I missing something?

The login API call is an AJAX POST, if that makes any difference.

Thanks in advance
