Add an expiration (setting) for blocked IPs and usernames

Please note that also the user-facing message shown isn't very clear:

Too many failed login attempts from your IP address. This IP address is temporarily blocked.

It might or might not be wanted to tell the user for how long he's blocked?

Let's also discuss this and the way we should go here.

The flood system is a little confusing on expiration - there is no need for an additional setting to specifically dictate expiration as these are handled by the limit + window parameters for IP and Username. In simple terms the "expiration" is the "time window", and it's automatic.

For logging into a Drupal site, there are two flood identifiers - IP and IP+Username. As set out in the config form, both have a limit number and a time window.

On failed login, an event is registered for IP and possibly IP+Username (depending on if it is available ie. the user entered a valid username).

Also during login, the IP and IP+Username is checked to see if "Limit" number of attempts have happened inside "Time window".

If so many events have happened inside window, they are blocked. If not, they are allowed.

As such the expiration is dictated by the user - if they try enough to be blocked, and then don't try again until window expires for enough events that they no longer hit the limit, they are unblocked. But if continue to register new blocked events, they will continue to be blocked with a near infinite time being blocked.

Hence, Flood Control module to be able to manually unblock a user if they contact you about it. Otherwise, they need to wait at least "window" time from the first attempt to be allowed back in automatically. Expiry of events is automatic.

So, using the default from Drupal Core:
https://git.drupalcode.org/project/drupal/-/blob/11.x/core/modules/user/...

ip_limit: 50
ip_window: 3600
user_limit: 5
user_window: 21600

If a user attempts 6 bad sign-ins with a recognised username inside 6 hours, they are blocked for 6 hours from the first attempt. Unless of course they just keep on trying, at which point block expires 6 hours after they stop trying (or really 6 hours from the 5th previous attempt after stopping).

For an IP address it's the same except for different limit and window, plus they'd be using multiple or unrecognised usernames.

Pretty simple eh? Anyway, no need for an expiration setting as it's already built in. It's just not a set expiration, it's a sliding window.

Thanks for the clarifications @ELC! Great!

So I'd say it's just a thing of adding documentation to the user-facing UI to explain that? Should we combine all that information into 💬 Unclear what time is mentioned... Needs review ?

Are the changes from 💬 Unclear what time is mentioned... Needs review adequate? If so, this issue can be closed off.

Alternatively, a much better expiation could be added to the hook_help for the settings page.