[bruteforce]impossible level, why account "locked" if $timenow > $timeout ? #125

raydonovan opened this Issue Dec 29, 2016 · 0 comments





I don't understand the code above:

                // Calculate when the user would be allowed to login again
                $last_login = $row[ 'last_login' ];
                $last_login = strtotime( $last_login );
                $timeout    = strtotime( "{$last_login} +{$lockout_time} minutes" );
                $timenow    = strtotime( "now" );

                // Check to see if enough time has passed, if it hasn't locked the account
                if( $timenow > $timeout )
                        $account_locked = true;

Why is the current account set as "account_locked=true" if $timenow > $timeout?
Isn't it supposed to be the opposite way?
Because if $timenow > $timeout, then the 15-minute period before authenticating again has passed, so the account should be set to account_locked=false and authentication should come back?
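
The two comparison directions raised in this issue, evaluated side by side on constructed timestamps. This is an added example, not part of the original post and not DVWA's code; the function names, the sample `last_login` value, and the use of integer arithmetic for the window end are assumptions made for illustration.

```php
<?php
// Added example (not DVWA code). Function names and timestamps are constructed.
date_default_timezone_set('UTC');

// Unix time at which the lockout window ends, using integer arithmetic.
function lockout_ends_at(string $last_login, int $lockout_time): int
{
    $ts = strtotime($last_login);
    if ($ts === false) {
        throw new InvalidArgumentException("unparseable last_login: {$last_login}");
    }
    return $ts + $lockout_time * 60;
}

// Comparison as quoted in the issue: locked once the window has passed.
function locked_as_posted(int $timenow, int $timeout): bool
{
    return $timenow > $timeout;
}

// Opposite comparison: locked only while still inside the window.
function locked_inside_window(int $timenow, int $timeout): bool
{
    return $timenow < $timeout;
}

$last_login   = '2016-12-29 10:00:00'; // constructed sample value
$lockout_time = 15;                    // minutes, the period named in the issue
$timeout      = lockout_ends_at($last_login, $lockout_time);

// Evaluate both comparisons at several points before and after the window ends.
foreach ([5, 14, 16, 60] as $minutes_later) {
    $timenow = strtotime($last_login) + $minutes_later * 60;
    printf(
        "+%2d min  as_posted=%-5s  inside_window=%-5s\n",
        $minutes_later,
        var_export(locked_as_posted($timenow, $timeout), true),
        var_export(locked_inside_window($timenow, $timeout), true)
    );
}
```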

