Frank Vèssia Posted June 21, 2013

Hello, is it possible to access the response of the login throttle module to show messages on a custom login form?
teppo Posted June 22, 2013

Session Login Throttle itself doesn't have hookable functions for this, as you can see from its code. You could hook into the login() method of Session, though, but even then the only thing you'd be able to check is whether allowLogin($name) returns "true" or "false". There's no way to say why this happens, i.e. whether it was caused by Session Login Throttle, just that this particular user isn't allowed to log in right now.

Session Login Throttle's allowLogin() is the method you'd need to work with here, but that being non-hookable and private makes things a bit complicated.

The only way to achieve this at the moment, as far as I can see, is by a custom module hooking before the login() method of Session and checking if the local allowLogin() method returns "true" or "false", and based on that either saving that value somewhere so you can use it in your form, redirecting the user to another location (error page) or directly outputting an error message.
Frank Vèssia Posted June 22, 2013

Thanks
Soma Posted June 22, 2013

Funny thing is I can't even get LoginThrottle to work, as there's a bug/logic that won't save the attempts to the DB. Well, it does, but they get deleted immediately afterwards. I filed an issue on GitHub: https://github.com/ryancramerdesign/ProcessWire/issues/198

Back to your issue. You don't need to do anything if you use a custom login form. Regarding the code in SessionLoginThrottle: when there are 3 failed attempts within the defined seconds limit, it does:

```php
// ...
if(wire('process') == 'ProcessLogin') parent::error($error);
	else throw new WireException($error); // ensures the error can't be missed in unknown API usage
// ...
```

Which means if you don't use ProcessLogin to log in, it will throw an Exception, not a notice!

You know you can also render a login form using

```php
echo $modules->get("ProcessLogin")->execute();
```

But this will also result in an Exception being thrown, as it's not really the ProcessLogin process running.
lpa Posted December 13, 2013

And when the WireException is thrown, how should I handle that in a custom login form? I now get an error 500 and this in the error log, when giving a wrong password to my custom login module:

```
2013-12-14 00:59:31 guest http://localhost/mysite/members/ Error: Exception: Please wait at least 60 seconds before attempting another login. (in /Library/WebServer/Documents/mysite/wire/modules/Session/SessionLoginThrottle/SessionLoginThrottle.module line 99)
2013-12-14 01:01:28 guest http://localhost/mysite/members/ Error: Call to a member function isLoggedin() on a non-object (line 5 of /Library/WebServer/Documents/mysite/site/templates/member.php)
```
Wanze Posted December 14, 2013

lpa, catch the Exception and print out the message, for example:

```php
try {
  // Login
} catch (WireException $e) {
  // Print out message of exception
  echo $e->getMessage();
}
```
lpa Posted December 14, 2013

Thanks, I'll try that.
Juergen Posted August 27, 2014

I have also included the login throttle in my custom login form, but it should only work if you are entering the same username with different passwords. If you are always entering a different username and a different password, it seems that the try and catch method wouldn't count the false logins.

Here is the part of the code of the login form.

```php
try{
    $u = $session->login($username, $pass);
    if($u) {
        $pages->uncache($user); // make sure it doesn't get user from cache
        $langID = $users->get($u->id)->language->id;
        // now load the user page
        $profileUrl = $pages->get(1084)->localUrl($langID);
        // user is logged in, get rid of tmp_pass
        $u->of(false);
        $u->tmp_pass = '';
        $u->save();
        // now redirect to the profile edit page
        $session->redirect($profileUrl);
    } else {
        $error1 = "1";
        $matcherror = __("pw und name stimmen nicht überein");
    }
} catch(WireException $e){ // in case of multiple false login (throttle login)
    $error1 = "1";
    $matcherror = $e->getMessage();
}
```

Question: Does the try and catch method only work if you are entering the same value in the username field and compare it with the password??

I only got the messages "to wait until xx seconds before next login" if I entered the same username several times. But with different usernames it always shows me the message that the password and the username don't match (without the time message).

Best regards
Jürgen
Martijn Geerts Posted August 27, 2014

> Question: Does the try and catch method only work if you are entering the same value in the username field and compare it with the password??

Yes, it stores the amount of attempts, the time of the last attempt and the name of the username. This prevents brute force attacks.
Juergen Posted August 27, 2014

Thanks Martijn for your answer!

But:

> This prevents brute force attacks.

Attackers often try to use different usernames and passwords and hope that one combination is true. In this case a lot of requests will be sent to the server and the server will be busy too. Doesn't it make more sense to create the time limit for the next login in any case of false entries, to prevent the "bombing" of the server, and not only if the username is the same and only the password changes?

Best regards
LostKobrakai Posted August 27, 2014

@Juergen You can change this behavior in the module's settings.
Juergen Posted August 27, 2014

I know, with the IP settings. But I am a little bit aware of it, because if people from, for example, the same company try to log in and they use the same host, this could be a problem. Anyway: the chance that this happens is marginal.

Thanks
LostKobrakai Posted August 27, 2014

Either throttle by IP or not. There's no intelligent filter which can determine if the current IP wants to harm your site. If you still want to deny a mass bombing, you could maybe duplicate/fork the SessionLoginThrottle module and only use this second module to filter by IP, but set the limit higher. It won't block some falsely remembered passwords from company clerks that way, but blocks mass spam attacks.
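
The trade-off discussed above, as an added example that is not part of the thread and not the module's code: a simplified fixed-window failure counter in plain PHP 8, keyed once by username and once by client IP. The class and function names, the 3-failures-per-60-seconds username limit and the 20-failure IP limit are assumptions chosen for illustration.

```php
<?php
// Added illustration: a simplified fixed-window model, not SessionLoginThrottle's code.
final class FailureThrottle
{
    private array $state = []; // key => [failed attempts, start of window]

    public function __construct(private int $maxFailures, private int $windowSeconds) {}

    public function allow(string $key, int $now): bool
    {
        [$count, $start] = $this->state[$key] ?? [0, $now];
        if ($now - $start >= $this->windowSeconds) {
            unset($this->state[$key]); // window expired: forget old failures
            return true;
        }
        return $count < $this->maxFailures;
    }

    public function recordFailure(string $key, int $now): void
    {
        [$count, $start] = $this->state[$key] ?? [0, $now];
        $this->state[$key] = [$count + 1, $start];
    }
}

// Constructed scenario: one client sends one failed login per second.
// Returns how many attempts were rejected before any password check.
function simulate(array $usernames, FailureThrottle $byName, ?FailureThrottle $byIp): int
{
    $ip = '203.0.113.7'; // documentation address, constructed
    $blocked = 0;
    foreach ($usernames as $i => $name) {
        $now = 1000 + $i;
        if (!$byName->allow($name, $now) || ($byIp && !$byIp->allow($ip, $now))) {
            $blocked++;
            continue;
        }
        $byName->recordFailure($name, $now); // every password here is wrong
        $byIp?->recordFailure($ip, $now);
    }
    return $blocked;
}

$same    = array_fill(0, 50, 'admin');
$rotated = array_map(fn($i) => "user$i", range(0, 49));

printf("same name, name key only:      %d of 50 blocked\n", simulate($same, new FailureThrottle(3, 60), null));
printf("rotating names, name key only: %d of 50 blocked\n", simulate($rotated, new FailureThrottle(3, 60), null));
printf("rotating names, name + IP key: %d of 50 blocked\n", simulate($rotated, new FailureThrottle(3, 60), new FailureThrottle(20, 60)));
```

Run it with the php command line binary; the three output lines compare how many of the 50 failed attempts each keying scheme rejects.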
Juergen Posted August 27, 2014

Thanks Kobra Kai, I will see what's going on in the "wild out there", and if I track some "bombing" I will try your advice. At the moment I start only with one throttle login and hope for the best.
Martijn Geerts Posted August 27, 2014

Bombing is more of a concern for all your front-end pages
gebeer Posted January 6, 2016

I catch the login throttle messages and pass them to a session variable which is displayed on the login page:

```php
// login user
try {
    $u = $session->login($username, $pass);
} catch(Exception $e) {
    $session->logout(); // without this line the user will be logged in although the exception is thrown
    $session->login_error = $e->getMessage();
    $session->redirect($pages->get('/login/')->url);
}
```

Strange thing is that without the $session->logout(), my login page will show the error message that is thrown by the login throttle but still log in the user. Is this intended behaviour?
thetuningspoon Posted August 9, 2017

@gebeer Thanks for that simple and effective solution! Note if you are using PW3 with namespaces you must use catch(\Exception $e) instead.

The redirect at the end is optional. For my forms I only redirect on success.