
Fixed issue #14043: Improvement in IP blocking after failed login att…

…empts

* Improved blocking of failed login-attempts

Record new attempts only when IP is not already blocked. This prevents endless blocking if user occasionally tries to login again.

* Reset failed login counter after successful login

and remove a line of dead code
weberhofer authored and c-schmitz committed Nov 19, 2019
1 parent c6e53e1 commit 1bd2f1bb4c62274944f02977ba317d3cd1e08428
Showing with 19 additions and 17 deletions.
  1. +2 −1 application/core/LSUserIdentity.php
  2. +17 −16 application/models/FailedLoginAttempt.php
@@ -82,9 +82,10 @@ public function authenticate()
// Perform postlogin
regenerateCSRFToken();
$this->postLogin();
// Reset counter after successful login
FailedLoginAttempt::model()->deleteAttempts();
} else {
// Log a failed attempt
$userHostAddress = getIPAddress();
FailedLoginAttempt::model()->addAttempt();
regenerateCSRFToken();
App()->session->regenerateID(); // Handled on login by Yii
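Review bot: `FailedLoginAttempt::model()->deleteAttempts()` is called with no arguments, so it is not visible here whether it clears only the rows for the current client address or the whole table; if it is table-wide, one successful login from any address resets every other address's lockout, which silently defeats the blocking this commit improves. Confirm the model method scopes by `ip` (the same 40-character truncated value that addAttempt() stores) and say so at the call site, e.g. `// Reset the failed-attempt counter for this client IP only`. authenticate() starts and ends outside the hunk.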
@@ -97,29 +97,30 @@ public function cleanOutOldAttempts()
}
/**
* Creates an attempt
* Records an failed login-attempt if IP is not already locked out
*
* @access public
* @return true
*/
public function addAttempt()
{
$timestamp = date("Y-m-d H:i:s");
$ip = substr(getIPAddress(), 0, 40);
$row = $this->findByAttributes(array('ip' => $ip));
if ($row !== null) {
$row->number_attempts = $row->number_attempts + 1;
$row->last_attempt = $timestamp;
$row->save();
} else {
$record = new FailedLoginAttempt;
$record->ip = $ip;
$record->number_attempts = 1;
$record->last_attempt = $timestamp;
$record->save();
if (!$this->isLockedOut()) {
$timestamp = date("Y-m-d H:i:s");
$ip = substr(getIPAddress(), 0, 40);
$row = $this->findByAttributes(array('ip' => $ip));
if ($row !== null) {
$row->number_attempts = $row->number_attempts + 1;
$row->last_attempt = $timestamp;
$row->save();
} else {
$record = new FailedLoginAttempt;
$record->ip = $ip;
$record->number_attempts = 1;
$record->last_attempt = $timestamp;
$record->save();
}
}
return true;
}
}
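Review bot: The read-modify-write on `$row->number_attempts` (findByAttributes, then `+ 1`, then save) is not atomic, so concurrent failed attempts from the same address can overwrite each other's increment and undercount towards the lockout threshold; the new `isLockedOut()` guard does not close that window. An atomic counter update such as `$this->updateCounters(array('number_attempts' => 1), 'ip = :ip', array(':ip' => $ip));` for the existing-row branch would, leaving only the insert branch to deal with a duplicate-row race if `ip` is not unique. `isLockedOut()` is also called before `$ip` is computed, so it presumably derives the address itself; it is worth confirming it applies the same 40-character truncation, otherwise the lookup key and the stored key can disagree. The new docstring line should read `* Records a failed login-attempt if the IP is not already locked out`.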
