Brute Force protection

Crisps

Jun 1, 2009, 7:57:42 PM
to Authlogic
I am trying to use the brute force protection, but cannot seem to get
this to work. I know I must be doing something incorrect.

I have a usersession like so

[code]
class UserSession < Authlogic::Session::Base

verify_password_method :is_logon_valid?
consecutive_failed_logins_limit 3
failed_login_ban_for 30
logout_on_timeout true
end
[/code]

And then a logon function like so

[code]
# Controller action that builds the session from the submitted params
def create
  @user_session = UserSession.new(params[:user_session])

  if @user_session.being_brute_force_protected?
    flash[:notice] = "Too many logon attempts, temporarily locked out"
    redirect_to :action => :index
    return
  end

  # Now save the session
  if @user_session.save
    flash[:notice] = "Login successful!"
    redirect_to :action => :secret
  else
    flash[:notice] = "Login failed!"
    redirect_to :action => :index
  end
end
[/code]

The failed login attempt counter in the user record is working fine
and incrementing each time, but being_brute_force_protected?
always returns true.

This is because attempted_record is always false.

I think I must have to call something on the session before this
feature will work, but I know not what.

It seems to me that the brute_force_protection should be on the user
object, not the session object, and the only way the user object gets
created is after a successful login attempt so I am confused. Any help
would be great.

Thanks.

Crisps

Jun 3, 2009, 12:20:51 PM
to Authlogic
Sorry, that should say

being_brute_force_protected? always returns false.

Thanks,