Login bruteforce attack protection

2026-02-20 03:11:26 +01:00 · 2016-10-21 15:44:09 +03:00
parent d10884fc6e
commit 9800b3aeb1
4 changed files with 34 additions and 6 deletions
--- a/config/params.php
+++ b/config/params.php
@@ -7,6 +7,8 @@ $params = [
    'wsURL' => 'ws://192.168.1.111:8081',
    'pushAllID' => '38678',
    'pushAllKey' => '83a29d6a4bb068458d375daaa16039c4',
+    'maxLoginFailCount' => 5,
+    'loginFailTimeout' => 600,
 ];

 return ArrayHelper::merge($params, require 'params-local.php');
--- a/models/LoginForm.php
+++ b/models/LoginForm.php
@@ -53,10 +53,27 @@ class LoginForm extends Model
    public function validatePassword($attribute, $params)
    {
        if (!$this->hasErrors()) {
+            $session = Yii::$app->session;
+
+            // Set timeout for first time if counter exceed
+            if ($session->get('failedLoginCount') >= Yii::$app->params['maxLoginFailCount'] and !$session->has('loginAgainAt')) {
+                $session->set('loginAgainAt', time() + Yii::$app->params['loginFailTimeout']);
+                $session->set('failedLoginCount', 0);
+            }
+
+            if ($session->has('loginAgainAt') and $session->get('loginAgainAt') >= time()) {
+                return $this->addError($attribute, 'Слишком много неудачных попыток. Попробуйте позже');
+            }
+
+            if ($session->has('loginAgainAt') and $session->get('loginAgainAt') <= time()) {
+                $session->remove('loginAgainAt');
+            }
+
            $user = $this->getUser();

            if (!$user || !$user->validatePassword($this->password)) {
                $this->addError($attribute, 'Неверный логин или пароль');
+                $session->set('failedLoginCount', $session->get('failedLoginCount', 0) + 1);
            }
        }
    }
@@ -68,9 +85,12 @@ class LoginForm extends Model
    public function login()
    {
        if ($this->validate()) {
+            // Reset login failure counter
+            Yii::$app->session->set('failedLoginCount', 0);
+
            return Yii::$app->user->login($this->getUser(), $this->rememberMe ? 3600 * 24 * 30 : 0);
        }
-        
+
        return false;
    }

--- a/views/auth/login.php
+++ b/views/auth/login.php
@@ -22,7 +22,6 @@ $fieldOptions2 = [
 ?>

 <div class="login-box">
-    <!-- /.login-logo -->
    <div class="login-box-body">

        <div class="login-logo product-font">
@@ -47,15 +46,12 @@ $fieldOptions2 = [
            <div class="col-xs-8">
                <?= $form->field($model, 'rememberMe')->checkbox() ?>
            </div>
-            <!-- /.col -->
            <div class="col-xs-4">
                <?= Html::submitButton('Войти', ['class' => 'btn btn-primary btn-block btn-flat', 'name' => 'login-button']) ?>
            </div>
-            <!-- /.col -->
        </div>

        <?php ActiveForm::end(); ?>

    </div>
-    <!-- /.login-box-body -->
-</div><!-- /.login-box -->
+</div>
--- a/views/layouts/base.php
+++ b/views/layouts/base.php
@@ -22,11 +22,21 @@ if (isset($this->params['body-class'])) {
 <html lang="<?= Yii::$app->language ?>">
 <head>
    <meta charset="<?= Yii::$app->charset ?>">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
+
    <?= Html::csrfMetaTags() ?>

    <title><?= $this->title ?> - <?= Yii::$app->name ?></title>

+    <meta name="application-name" content="<?= Yii::$app->name ?>">
+    <meta name="theme-color" content="#605CA8">
+
+    <link rel="publisher" href="https://plus.google.com/+AlexSolomaha21">
+    <link rel="me" href="https://plus.google.com/+AlexSolomaha21" type="text/html">
+    <link rel="me" href="mailto:cyanofresh@gmail.com">
+    <link rel="me" href="sms:+380975300688">
+
    <?php $this->head() ?>
 </head>