Login behavior

To make the Mendix application more secure for a client, I would like to block users or an IP address after 3 consecutive bad login attempts. This should be default behavior. However, the Mendix app does not do this. Does anyone know how to fix the Mendix application to block users after 3 consecutive bad login attempts?

Example: Project security is set at production:

Login does not get blocked after multiple attempts, but keeps saying bad password:

Update (after Mike’s suggestion): Logging statements from local app, where user does not get blocked after several bad login attempts. The failed login counter does not go up:
2 answers

Hi David,

If you look in the console (I am assuming you are running locally), you should see a message that the user is blocked for a period of time after 3 bad login attempts.  Mendix doesn’t communicate this info via the UI, b/c that would give the user more information than necessary and perhaps help with hacking attempts.  If you look at a user account via the user interface after 3 failed login attempts, you’ll see that the user is blocked (this is an attribute on the user/account entity).

Hope that helps,



I just tried this on a free app. With the live log open, I tried to log in with the wrong password. Here is what the log showed:

Here is what I saw in the UI:

One note: the account doesn’t stay blocked for more than a few minutes. So if you don’t log in right away (with a different account), it will not show as blocked.

Another note: the user never sees a message that he is blocked, only that he entered an invalid username and password.

If you don’t see similar behavior, I would file a ticket with Mendix.


Filed a request with Mendix support. This issue is fixed from Mendix Studio Pro version 8.8 onwards. So updated Mendix Studio Pro version to 8.10 and now users do get blocked after 3 bad login attempts. This greatly improves security! Thanks Mendix and Mike for helping to find the solution!


Mendix support stated:

Starting with Mendix 8.0, users aren't blocked by default when entering an incorrect password. From https://docs.mendix.com/refguide/login-behavior
This was a known issue and was fixed in 8.8 https://docs.mendix.com/releasenotes/studio-pro/8.8
"We now block users after three failed logins in a Mendix Cloud node environment if the app project security is set to Production. (Ticket 95292)"