Does anyone have any tips on how to protect the user login system against brute-force attacks, so that I can disable login after 100 failed attempts?
I've tried this code below, but it doesn't work.
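# Authenticate a user from a credentials hash (string keys 'username' and
# 'password', e.g. form params).
#
# Returns the matching user record on success, false otherwise.
#
# Failure bookkeeping: only the *date* of the most recent failed attempt is
# written to faillogindatenumber; no attempt counter is kept, so a
# "lock after N failures" rule cannot be enforced from this method as is.
# TODO(review): add an integer attempts column (<ATTEMPTS_COLUMN>, to be
# added to the schema), increment it on every failure, reset it on success,
# and refuse the login *before* the password compare once it reaches the
# limit.
def self.authenticate(creds)
  username = creds['username']
  password = creds['password']
  # A blank username is rejected up front; nothing is recorded for it.
  return false if username.nil? || username.empty?

  # Look up the account for the given username (nil when none exists).
  user = self[:username => username]

  # The stored password is a bcrypt object: its `==` hashes the candidate
  # with the stored salt and compares digests, so no plaintext is compared.
  # NOTE(review): for an unknown username the bcrypt compare is skipped, so
  # the response returns noticeably faster than for a known one; comparing
  # against a fixed dummy bcrypt hash in that case would even out the timing.
  return user if user && user.password == password

  # Failed attempt: stamp the account with today's date. A local is enough
  # here - nothing needs this value after the update. Updating a username
  # that does not exist touches no rows.
  fail_date = Time.now.strftime("%Y-%m-%d")
  User.where(:username => username).update(:faillogindatenumber => fail_date)
  false
end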