Fixed issue #14043: Improvement in IP blocking after failed login att…

…empts * Improved blocking of failed login-attempts Record new attempts only when IP is not already blocked. This prevents endless blocking if user occasionally tries to login again. * Reset failed login counter after sucessful login and remove a line of dead code
LimeSurvey · Nov 19, 2019 · 1bd2f1b · 1bd2f1b
1 parent c6e53e1
commit 1bd2f1b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 17 deletions.
diff --git a/application/core/LSUserIdentity.php b/application/core/LSUserIdentity.php
@@ -82,9 +82,10 @@ public function authenticate()
             // Perform postlogin
             regenerateCSRFToken();
             $this->postLogin();
+            // Reset counter after successful login
+            FailedLoginAttempt::model()->deleteAttempts();
         } else {
             // Log a failed attempt
-            $userHostAddress = getIPAddress();
             FailedLoginAttempt::model()->addAttempt();
             regenerateCSRFToken();
             App()->session->regenerateID(); // Handled on login by Yii

diff --git a/application/models/FailedLoginAttempt.php b/application/models/FailedLoginAttempt.php
@@ -97,29 +97,30 @@ public function cleanOutOldAttempts()
     }
 
     /**
-     * Creates an attempt
+     * Records an failed login-attempt if IP is not already locked out
      *
      * @access public
      * @return true
      */
     public function addAttempt()
     {
-        $timestamp = date("Y-m-d H:i:s");
-        $ip = substr(getIPAddress(), 0, 40);
-        $row = $this->findByAttributes(array('ip' => $ip));
-
-        if ($row !== null) {
-            $row->number_attempts = $row->number_attempts + 1;
-            $row->last_attempt = $timestamp;
-            $row->save();
-        } else {
-            $record = new FailedLoginAttempt;
-            $record->ip = $ip;
-            $record->number_attempts = 1;
-            $record->last_attempt = $timestamp;
-            $record->save();
+        if (!$this->isLockedOut()) {
+            $timestamp = date("Y-m-d H:i:s");
+            $ip = substr(getIPAddress(), 0, 40);
+            $row = $this->findByAttributes(array('ip' => $ip));
+
+            if ($row !== null) {
+                $row->number_attempts = $row->number_attempts + 1;
+                $row->last_attempt = $timestamp;
+                $row->save();
+            } else {
+                $record = new FailedLoginAttempt;
+                $record->ip = $ip;
+                $record->number_attempts = 1;
+                $record->last_attempt = $timestamp;
+                $record->save();
+            }
         }
-
         return true;
     }
 }