-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

diff -ruN a/trytond/res/user.py b/trytond/res/user.py
- --- a/trytond/res/user.py	2018-11-22 09:21:59.077931014 +0000
+++ b/trytond/res/user.py	2018-11-22 09:21:04.423129737 +0000
@@ -20,6 +20,7 @@
 from sql.conditionals import Coalesce
 from sql.aggregate import Count
 from sql.operators import Concat
+from random import randint
 
 try:
     import bcrypt
@@ -542,12 +543,15 @@
         '''
         Return user id if password matches
         '''
- -        LoginAttempt = Pool().get('res.user.login.attempt')
- -        count = LoginAttempt.count(login)
- -        if count > config.getint('session', 'max_attempt', default=5):
- -            LoginAttempt.add(login)
- -            raise RateLimitException()
- -        Transaction().atexit(time.sleep, 2 ** count - 1)
+        login_max_delay = config.getint('session', 'login_max_delay')
+
+        #Use a random delay (default between 1 and login_max_delay)
+        #If the param is not set, it defaults to 3
+
+        if (not login_max_delay) or (login_max_delay < 1):
+            login_max_delay = 3
+            delay = randint(1,login_max_delay)
+
         for method in config.get(
                 'session', 'authentications', default='password').split(','):
             try:
@@ -557,10 +561,11 @@
                 continue
             user_id = func(login, parameters)
             if user_id:
- -                LoginAttempt.remove(login)
                 return user_id
- -        LoginAttempt.add(login)
- -
+            else:
+                logger.warning('Invalid login from : %s', login)
+                time.sleep(delay)
+    
     @classmethod
     def _login_password(cls, login, parameters):
         if 'password' not in parameters:
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErL/ID8iRYxxoqo3IwBXhrgCYkZkFAlv2hRUACgkQwBXhrgCY
kZkTRA//ZA552vqmEfFiQLQMTDk6iZCqF9Fhz4x2qbuVka5GC6iTphwkFwZLoclU
Mf7azdQq/2OjRMeCx4OYKo3Ia1DorQbIeeXvflrpxQCMoqE36xXTdJRQIIsg/BUU
AtahhiZRAN1HHMJYAwfF51rTdcMeyTTJrMWRivueAFdch0laT4zZieuQurIq/MPi
smDpqV7X0KGuhZ9fHWAsFlf9MDdQR8h7uzaQj+GyRmpBs9q12llRx5CnMrxV8vQM
N4VtdvJbA/NU11sg72yMXAeUkGU8Uq2mX4zetlbD9Fwe1QNeIWH3jzqLgExLcEGy
bBiENZ2/QcnepeYrmKt1loZBBvnIx171s06kWqL0GwO3d3LxrtUojxCO0wzZOb4o
3xq9j8+STcC62Zc+YpgstAVIRCuxUUXh1jLG1XvDifwCZiWy37nuecyyO46j8P+A
BkX5A42z/voPvArDfM1pw/0YIKhn9XxbuPaPpbbNiufnt4wgwU3ovHjcpOUMnbZe
2N/TMen+MxMJcxTQKn2K2k7RPmZ3layIafCasimFj5TVyv2FDjxHJgi98Qz4hWYD
6UyfTRUgJDDnkDV37o8zhP1Eb8wH9i4gjocYiYEurYecJi7O3ffPR5GdvCPGXSoZ
B2madoISWX+vIPisXkLFksplawn/3KwxiMzLSxsA8BWG27yTUr8=
=lTkW
-----END PGP SIGNATURE-----