From 7ad5d9f5be6a9c60218930e13d9c7b2e5f5cd082 Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Tue, 9 Aug 2022 23:12:37 +0200 Subject: [PATCH] [Security] Adding info where login attempts are stored --- rate_limiter.rst | 2 ++ security.rst | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/rate_limiter.rst b/rate_limiter.rst index c468025dc17..a99c01191af 100644 --- a/rate_limiter.rst +++ b/rate_limiter.rst @@ -360,6 +360,8 @@ the :class:`Symfony\\Component\\RateLimiter\\Reservation` object returned by the } } +.. _rate-limiter-storage: + Storing Rate Limiter State -------------------------- diff --git a/security.rst b/security.rst index e253dc68013..583f5e19f9a 100644 --- a/security.rst +++ b/security.rst @@ -1462,6 +1462,10 @@ You must enable this using the ``login_throttling`` setting: The ``login_throttling.interval`` option was introduced in Symfony 5.3. +Internally, Symfony uses the :doc:`Rate Limiter component ` +which by default uses Symfony's cache to store the previous login attempts. +However, you can implement a :ref:`custom storage `. + Login attempts are limited on ``max_attempts`` (default: 5) failed requests for ``IP address + username`` and ``5 * max_attempts`` failed requests for ``IP address``. The second limit protects against an
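Review bot: In the security.rst hunk, both cross-reference roles carry an explicit link title but no target: ``:doc:`Rate Limiter component ` `` and ``:ref:`custom storage ` ``. Sphinx expects the target in angle brackets after the title, so unless this is a display artifact of the diff, these should read ``:doc:`Rate Limiter component <rate_limiter>` `` (matching the rate_limiter.rst file touched by the first hunk) and ``:ref:`custom storage <rate-limiter-storage>` `` (matching the ``.. _rate-limiter-storage:`` label that hunk adds); as shown, the build would emit an unresolved-reference warning or render a broken link. A smaller point on the same paragraph: since it tells readers that failed login attempts are kept in Symfony's cache by default, one sentence on the consequence (the counters exist only as long as that cache does, so clearing it resets the throttling) would make the security-relevant trade-off of the default explicit rather than implied.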