-
Notifications
You must be signed in to change notification settings - Fork 790
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failed Login Counter Reset Triggered by Found User #683
Comments
…ser in develop branch.
I think failed-login-count and last-login-failed should renamed as user-not-found-count and last-user-not-found. Here for example: These functions can be added: /**
* Increments the user not found counter
*/
public static function incrementUserNotFoundCounter(){
Session::set('user-not-found-count', Session::get('user-not-found-count') + 1);
Session::set('last-user-not-found', time());
}
/**
* Resets the user not found counter to 0
*/
public static function resetUserNotFoundCounter(){
Session::set('user-not-found-count', 0);
Session::set('last-user-not-found', '');
} And as you suggested, // check if that user exists. We don't give back a cause in the feedback to avoid giving an attacker details.
// brute force attack mitigation: reset failed login counter because of found user
if (!$result){
// brute force attack mitigation: set session failed login count and last failed login for users not found
self::incrementUserNotFoundCounter();
//Orginally username is wrong but we won't give any specific detail.
Session::add('feedback_negative', Text::get('FEEDBACK_USERNAME_OR_PASSWORD_WRONG'));
return false;
} And before return: //Reset the user not found counter.
self::resetUserNotFoundCounter(); Why do I renamed. Because login failed is too general name for a code. Furthermore, mysql version of login failed can also renamed as failed-password, but I don't think it is urgent. In order to keep them seperate I renamed only user not found control. |
@mcanatalay I agree; IMO, renaming those methods makes the code easier to read and clarifies the functions purpose. |
Oh well also upper most if statement should be changed as, if (Session::get('user-not-found-count') >= 3 AND (Session::get('last-user-not-found') > (time() - 30))){
Session::add('feedback_negative', Text::get('FEEDBACK_LOGIN_FAILED_3_TIMES'));
return false;
} |
…ce code readability Renamed failed-login-count to user-not-found-count for to enhance code readability These changes are in reference to issue panique#683
This has been fixed by merging of pull request #684 ! :) Thanks for your excellent contributions! |
The failed login counter can be reset by attempting to login with a valid username. The login attempt count is reset when a valid user is found, even if authentication fails for the valid user. The if/else block on lines 96-105 of /application/model/LoginModel.php appears to be the source of the issue.
The text was updated successfully, but these errors were encountered: