[wolfcms] r353 committed - Added / improved delay on failed login feature. By default denies acce...

5 views

Skip to first unread message

wol...@googlecode.com

unread,

Dec 20, 2010, 4:11:55 PM12/20/10

to wolfcms...@googlegroups.com

Revision: 353
Author: martij...@gmail.com
Date: Mon Dec 20 13:10:50 2010
Log: Added / improved delay on failed login feature. By default denies
access for 30 seconds for each (real) failed login attempt.
http://code.google.com/p/wolfcms/source/detail?r=353

Modified:
/trunk/wolf/app/models/AuthUser.php

=======================================
--- /trunk/wolf/app/models/AuthUser.php Sun Nov 21 08:51:40 2010
+++ /trunk/wolf/app/models/AuthUser.php Mon Dec 20 13:10:50 2010
@@ -28,11 +28,12 @@
*
*/
class AuthUser {
- const SESSION_KEY = 'wolf_auth_user';
- const COOKIE_KEY = 'wolf_auth_user';
- const COOKIE_LIFE = 1800; // 30 minutes
- const ALLOW_LOGIN_WITH_EMAIL = false;
- const DELAY_ON_INVALID_LOGIN = true;
+ const SESSION_KEY = 'wolf_auth_user';
+ const COOKIE_KEY = 'wolf_auth_user';
+ const COOKIE_LIFE = 1800; // 30 minutes
+ const ALLOW_LOGIN_WITH_EMAIL = false;
+ const DELAY_ON_INVALID_LOGIN = true;
+ const DELAY_ONCE_EVERY = 30; // 30 seconds

static protected $is_logged_in = false;
static protected $user_id = false;
@@ -194,11 +195,26 @@

$user = User::findBy('username', $username);

+ if (self::DELAY_ON_INVALID_LOGIN && $user->failure_count > 0) {
+ $last = explode(' ', $user->last_failure);
+ $date = explode('-', $last[0]);
+ $hours = explode(':', $last[1]);
+
+ $last = mktime($hours[0], $hours[1], $hours[2], $date[1],
$date[2], $date[0]);
+ // thirty (by default) second delay for every failed attempt
+ $now = time() - (self::DELAY_ONCE_EVERY *
$user->failure_count);
+
+ if ($last > $now) {
+ return false;
+ }
+ }
+
if ( ! $user instanceof User && self::ALLOW_LOGIN_WITH_EMAIL)
$user = User::findBy('email', $username);

if ($user instanceof User && (false === $validate_password ||
self::validatePassword($user, $password))) {
$user->last_login = date('Y-m-d H:i:s');
+ $user->failure_count = 0;
$user->save();

if ($set_cookie) {
@@ -219,14 +235,6 @@
$user->save();
}

- if (self::DELAY_ON_INVALID_LOGIN) {
- if ( !
isset($_SESSION[self::SESSION_KEY.'_invalid_logins']))
- $_SESSION[self::SESSION_KEY.'_invalid_logins'] = 1;
- else
- ++$_SESSION[self::SESSION_KEY.'_invalid_logins'];
-
- sleep(max(0,
min($_SESSION[self::SESSION_KEY.'_invalid_logins'],
(ini_get('max_execution_time') - 1))));
- }
return false;
}
}

Reply all

Reply to author

Forward

0 new messages