login throttle api


Frank Vèssia

Session Login Throttle itself doesn't have hookable functions for this, as you can see from its code.

You could hook into the login() method of Session, though, but even then the only thing you'd be able to check is whether allowLogin($name) returns "true" or "false". There's no way to say why this happens, i.e. whether it was caused by Session Login Throttle, just that this particular user isn't allowed to log in right now.

Session Login Throttle's allowLogin() is the method you'd need to work with here, but that being non-hookable and private makes things a bit complicated.. :)

The only way to achieve this at the moment, as far as I can see, is a custom module hooking before the login() method of Session and checking if the local allowLogin() method returns "true" or "false".. and based on that either saving that value somewhere so you can use it in your form, redirecting the user to another location (error page) or directly outputting an error message.

Funny thing is I can't even get LoginThrottle to work, as there's a bug/logic error that won't save the attempts to the DB. Well, it does, but they get deleted immediately afterwards :) I filed an issue on github. https://github.com/ryancramerdesign/ProcessWire/issues/198

Back to your issue. You don't need to do anything if you use custom login form.

Regarding the code in SessionLoginThrottle: when there are 3 failed attempts within the defined seconds limit it does:

...
if(wire('process') == 'ProcessLogin') parent::error($error);
    else throw new WireException($error); // ensures the error can't be missed in unknown API usage
...

Which means if you don't use ProcessLogin to log in, it will throw an Exception, not a notice!

You know you can also render a login form using

echo $modules->get("ProcessLogin")->execute();

But this will also result in an Exception being thrown, as it's not really the ProcessLogin process running.

  • 5 months later...

And when the WireException is thrown, how should I handle that in a custom login form?

I now get a 500 error and this in the error log when giving a wrong password to my custom login module:

2013-12-14 00:59:31     guest   http://localhost/mysite/members/ Error:  Exception: Please wait at least 60 seconds before attempting another login. (in /Library/WebServer/Documents/mysite/wire/modules/Session/SessionLoginThrottle/SessionLoginThrottle.module line 99)
2013-12-14 01:01:28     guest   http://localhost/mysite/members/ Error:  Call to a member function isLoggedin() on a non-object (line 5 of /Library/WebServer/Documents/mysite/site/templates/member.php)

  • 8 months later...

I also have the login throttle included in my custom login form, but it only works if you are entering the same username with different passwords. If you are always entering a different username and a different password, it seems that the try and catch method doesn't count the false logins.

Here is the part of the code of the login form.

try {
    $u = $session->login($username, $pass);
    if($u) {
        $pages->uncache($user); // make sure it doesn't get the user from cache
        $langID = $users->get($u->id)->language->id; // now load the user page
        $profileUrl = $pages->get(1084)->localUrl($langID);

        // user is logged in, get rid of tmp_pass
        $u->of(false);
        $u->tmp_pass = '';
        $u->save();
        // now redirect to the profile edit page
        $session->redirect($profileUrl);

    } else {
        // login() returned nothing: wrong username/password combination
        $error1 = "1";
        $matcherror = __("password and name do not match");
    }
} catch(WireException $e) { // in case of multiple false logins (login throttle)
    $error1 = "1";
    $matcherror = $e->getMessage();
}

Question: Does the try and catch method only work if you are entering the same value in the username field and comparing it with the password?

I only got the message "wait xx seconds before the next login" if I entered the same username several times. But with different usernames it always shows me the "password and username don't match" message (without the time message).

Best regards Jürgen

Question: Does the try and catch method only work if you are entering the same value in the username field and comparing it with the password?

Yes, it stores the number of attempts, the time of the last attempt and the username.

This prevents brute force attacks.

Thanks Martijn for your answer!

But:

This prevents brute force attacks.

Attackers often try to use different usernames and passwords and hope that one combination is correct. In this case a lot of requests will be sent to the server and the server will be busy too.

Doesn't it make more sense to create the time limit for the next login in any case of false entries, to prevent the "bombing" of the server, and not only if the username is the same and only the password changes?

Best regards

I know about the IP settings. But I am a little bit wary of it, because if people from e.g. the same company try to log in and they use the same host, this could be a problem.

Anyway: the chance that this should happen is marginal.

Thanks

Either throttle by IP or not. There's no intelligent filter which can determine if the current IP wants to harm your site.

If you still want to deny a mass bombing you could maybe duplicate/fork the SessionLoginThrottle module and only use this second module to filter by IP, but set the limit higher. It won't block a few wrongly remembered passwords from company clerks that way, but it blocks mass spam attacks.

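To show what the per-IP layer suggested above looks like in practice, here is a small autoload module that counts failed logins per client address and refuses further attempts from that address for a cooldown once a deliberately high limit is passed, leaving SessionLoginThrottle in charge of the per-username case. This is an added example, not a ProcessWire core module and not the fork discussed in the thread; it is written against the 2.x API used here and assumes the PDO $database object (PW 2.4+), Session::getIP(), and its own table name and limits (all of which are this example's choices):

```php
<?php
/**
 * IpLoginThrottle: a per-IP layer next to SessionLoginThrottle.
 *
 * Added example, not a ProcessWire module and not the fork suggested above.
 * Written against the PW 2.x API used in this thread; it assumes the PDO
 * $database object (PW 2.4+), Session::getIP(), and its own table and limits.
 */
class IpLoginThrottle extends WireData implements Module {

    const TABLE = 'ip_login_throttle';  // example table, created on install
    const MAX_FAILURES = 20;            // far above the per-username limit, so a shared NAT survives typos
    const WINDOW_SECONDS = 600;         // block duration, also the period after which old failures expire

    public static function getModuleInfo() {
        return array(
            'title' => 'IP Login Throttle',
            'version' => 1,
            'summary' => 'Refuses logins from an IP after too many failed attempts.',
            'singular' => true,
            'autoload' => true,
        );
    }

    public function init() {
        // Refuse before credentials are even checked when the IP is blocked ...
        $this->addHookBefore('Session::login', $this, 'beforeLogin');
        // ... and count a failure when login() returned no User.
        $this->addHookAfter('Session::login', $this, 'afterLogin');
    }

    public function beforeLogin(HookEvent $event) {
        $row = $this->getRow($this->clientIP());
        if(!$row) return;
        $elapsed = time() - (int) $row['last_attempt'];
        if((int) $row['attempts'] >= self::MAX_FAILURES && $elapsed < self::WINDOW_SECONDS) {
            // Same convention as SessionLoginThrottle: a custom login form must catch this.
            throw new WireException(sprintf(
                $this->_('Too many failed logins from your address. Please wait at least %d seconds.'),
                self::WINDOW_SECONDS - $elapsed));
        }
    }

    public function afterLogin(HookEvent $event) {
        // A User came back: success. The count is left alone on purpose, so one
        // known-good account cannot be used to reset the counter for an address.
        if($event->return) return;
        $ip = $this->clientIP();
        $row = $this->getRow($ip);
        $now = time();
        $table = self::TABLE;
        if($row && ($now - (int) $row['last_attempt']) < self::WINDOW_SECONDS) {
            // Still inside the window: one more strike, and the window slides forward.
            $query = $this->wire('database')->prepare(
                "UPDATE $table SET attempts=attempts+1, last_attempt=:now WHERE ip=:ip");
        } else {
            // First failure, or the old ones have expired: start counting again.
            $query = $this->wire('database')->prepare(
                "REPLACE INTO $table (ip, attempts, last_attempt) VALUES(:ip, 1, :now)");
        }
        $query->bindValue(':ip', $ip);
        $query->bindValue(':now', $now, PDO::PARAM_INT);
        $query->execute();
    }

    protected function clientIP() {
        // REMOTE_ADDR only (getIP() default): a forged X-Forwarded-For must not
        // let an attacker dodge the counter or get someone else's address blocked.
        return $this->wire('session')->getIP();
    }

    protected function getRow($ip) {
        $query = $this->wire('database')->prepare(
            "SELECT attempts, last_attempt FROM " . self::TABLE . " WHERE ip=:ip");
        $query->bindValue(':ip', $ip);
        $query->execute();
        $row = $query->fetch(PDO::FETCH_ASSOC);
        $query->closeCursor();
        return $row ? $row : null;
    }

    public function ___install() {
        $this->wire('database')->exec("CREATE TABLE " . self::TABLE . " (" .
            "ip VARCHAR(45) NOT NULL PRIMARY KEY, " .   // long enough for IPv6
            "attempts INT UNSIGNED NOT NULL DEFAULT 0, " .
            "last_attempt INT UNSIGNED NOT NULL DEFAULT 0)");
    }

    public function ___uninstall() {
        $this->wire('database')->exec("DROP TABLE IF EXISTS " . self::TABLE);
    }
}
```

Install it as /site/modules/IpLoginThrottle/IpLoginThrottle.module. Because it throws the same WireException that SessionLoginThrottle does, a custom login form's existing catch block handles both, and the per-username and per-IP limits can be tuned independently: a low limit per username stops guessing against one account, the high limit per address stops the "bombing" with many different usernames without locking out a whole office on a couple of typos.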

  • 1 year later...

I catch the login throttle messages and pass them to a session variable which is displayed on the login page:

// login user
try {
    $u = $session->login($username, $pass);
} catch(Exception $e) {
    $session->logout(); // without this line the user will be logged in although the exception is thrown
    $session->login_error = $e->getMessage();
    $session->redirect($pages->get('/login/')->url);
}

The strange thing is that without the $session->logout(), my login page will show the error message that is thrown by the login throttle but still log in the user. Is this intended behaviour?

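Putting the thread together, here is a complete custom login template that handles the throttle's WireException the way described above (catch it, log out, carry the message across a redirect) and keeps it apart from a plain wrong-password result and from a CSRF failure. This is an added example, not code from the thread or from ProcessWire; it is written against the 2.x API used in the posts above and assumes a /members/ page to land on after login and a form field layout of its own. The $session->CSRF helper it uses is ProcessWire's own:

```php
<?php
// site/templates/login.php  (added example, not code from the thread)
// Assumes a form that POSTs "username" and "pass" plus the CSRF token field,
// and a page at /members/ to land on after a successful login.

$error = '';

// A message left behind by the throttle redirect on the previous request is shown once.
if($session->login_error) {
    $error = $session->login_error;
    $session->remove('login_error');
}

if($input->post->username) {
    try {
        // Rejects forged POSTs; throws WireCSRFException (a WireException) on failure,
        // so a cross-site request never counts as a login attempt against anyone.
        $session->CSRF->validate();

        $username = $sanitizer->pageName($input->post->username);
        $pass = $input->post->pass;

        // SessionLoginThrottle throws a WireException from inside login() when
        // this username is currently blocked (see the module code quoted above).
        $u = $session->login($username, $pass);

        if($u) {
            // Logged in; redirect() ends the request.
            $session->redirect($pages->get('/members/')->url);
        } else {
            // Wrong credentials: the throttle records this attempt against $username.
            $error = __('Username and password do not match.');
        }

    } catch(WireCSRFException $e) {
        $error = __('The form has expired, please try again.');

    } catch(WireException $e) {
        // The throttle message ("Please wait at least N seconds before attempting
        // another login."). As observed above, log out first so the exception does
        // not leave the user logged in, then carry the message across the redirect.
        $session->logout();
        $session->login_error = $e->getMessage();
        $session->redirect($page->url);
    }
}
?>
<?php if($error): ?>
<p class="error"><?php echo $sanitizer->entities($error); ?></p>
<?php endif; ?>
<form method="post" action="<?php echo $page->url; ?>">
    <label>Username <input type="text" name="username"></label>
    <label>Password <input type="password" name="pass"></label>
    <?php echo $session->CSRF->renderInput(); ?>
    <button type="submit">Log in</button>
</form>
```

The redirect after the throttle message matters for more than tidiness: it turns the POST into a GET, so a reload of the page does not resubmit the credentials and add another failed attempt to the counter while the user is waiting out the cooldown.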
