CC-2789: Prevent brute-force password guessing attacks
- add recaptcha on login page
This commit is contained in:
parent
e6f7640c90
commit
f25304bcb7
20 changed files with 2083 additions and 58 deletions
|
@ -14,54 +14,67 @@ class LoginController extends Zend_Controller_Action
|
|||
{
|
||||
$this->_redirect('Nowplaying');
|
||||
}
|
||||
|
||||
|
||||
//uses separate layout without a navigation.
|
||||
$this->_helper->layout->setLayout('login');
|
||||
|
||||
$request = $this->getRequest();
|
||||
|
||||
$form = new Application_Form_Login();
|
||||
|
||||
$message = "Please enter your user name and password";
|
||||
|
||||
|
||||
if($request->isPost())
|
||||
{
|
||||
// if the post contains recaptcha field, which means form had recaptcha field.
|
||||
// Hence add the element for validation.
|
||||
if(array_key_exists('recaptcha_response_field', $request->getPost())){
|
||||
$form->addRecaptcha();
|
||||
}
|
||||
if($form->isValid($request->getPost()))
|
||||
{
|
||||
|
||||
$authAdapter = $this->getAuthAdapter();
|
||||
|
||||
//get the username and password from the form
|
||||
$username = $form->getValue('username');
|
||||
$password = $form->getValue('password');
|
||||
if(Application_Model_Subjects::getLoginAttempts($username) >= 3 && $form->getElement('captcha') == NULL){
|
||||
$form->addRecaptcha();
|
||||
}else{
|
||||
$authAdapter = $this->getAuthAdapter();
|
||||
|
||||
//pass to the adapter the submitted username and password
|
||||
$authAdapter->setIdentity($username)
|
||||
->setCredential($password);
|
||||
|
||||
$auth = Zend_Auth::getInstance();
|
||||
$result = $auth->authenticate($authAdapter);
|
||||
|
||||
if($result->isValid())
|
||||
{
|
||||
//all info about this user from the login table omit only the password
|
||||
$userInfo = $authAdapter->getResultRowObject(null, 'password');
|
||||
|
||||
//the default storage is a session with namespace Zend_Auth
|
||||
$authStorage = $auth->getStorage();
|
||||
$authStorage->write($userInfo);
|
||||
|
||||
$tempSess = new Zend_Session_Namespace("referrer");
|
||||
$tempSess->referrer = 'login';
|
||||
|
||||
$this->_redirect('Nowplaying');
|
||||
}
|
||||
else
|
||||
{
|
||||
$message = "Wrong username or password provided. Please try again.";
|
||||
//pass to the adapter the submitted username and password
|
||||
$authAdapter->setIdentity($username)
|
||||
->setCredential($password);
|
||||
|
||||
$auth = Zend_Auth::getInstance();
|
||||
$result = $auth->authenticate($authAdapter);
|
||||
if($result->isValid())
|
||||
{
|
||||
//all info about this user from the login table omit only the password
|
||||
$userInfo = $authAdapter->getResultRowObject(null, 'password');
|
||||
|
||||
//the default storage is a session with namespace Zend_Auth
|
||||
$authStorage = $auth->getStorage();
|
||||
$authStorage->write($userInfo);
|
||||
|
||||
Application_Model_LoginAttempts::resetAttempts($_SERVER['REMOTE_ADDR']);
|
||||
Application_Model_Subjects::resetLoginAttempts($username);
|
||||
|
||||
$tempSess = new Zend_Session_Namespace("referrer");
|
||||
$tempSess->referrer = 'login';
|
||||
|
||||
$this->_redirect('Nowplaying');
|
||||
}
|
||||
else
|
||||
{
|
||||
$message = "Wrong username or password provided. Please try again.";
|
||||
Application_Model_Subjects::increaseLoginAttempts($username);
|
||||
Application_Model_LoginAttempts::increaseAttempts($_SERVER['REMOTE_ADDR']);
|
||||
$form = new Application_Form_Login();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$this->view->message = $message;
|
||||
$this->view->form = $form;
|
||||
$this->view->airtimeVersion = AIRTIME_VERSION;
|
||||
|
|
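Review bot: On the failure branch the form is rebuilt with `$form = new Application_Form_Login();` after `Application_Model_Subjects::increaseLoginAttempts($username)`, so when that call pushes the counter to 3 the user is shown a form with no captcha, and their next submission lands in the `getLoginAttempts($username) >= 3 && $form->getElement('captcha') == NULL` branch, which adds the captcha but leaves `$message` at the generic prompt, so the request is refused without explanation. The server-side gate itself looks sound (a client omitting `recaptcha_response_field` is never authenticated once the threshold is reached), but the rebuilt form should carry the captcha when the threshold has just been crossed and the captcha-only branch should set a message, as below; `== NULL` should also be `=== null`. `$_SERVER['REMOTE_ADDR']` feeding `increaseAttempts` will be the proxy's address if the application sits behind a reverse proxy, which would make that per-IP counter shared by every user — worth confirming for the deployment. The enclosing action method starts before and ends after this hunk.
```php
if (Application_Model_Subjects::getLoginAttempts($username) >= 3 && $form->getElement('captcha') === null) {
    $form->addRecaptcha();
    $message = "Too many failed login attempts. Please complete the captcha and try again.";
} else {
    // … unchanged: authenticate, success branch …
    Application_Model_Subjects::increaseLoginAttempts($username);
    Application_Model_LoginAttempts::increaseAttempts($_SERVER['REMOTE_ADDR']);
    $form = new Application_Form_Login();
    // show the captcha immediately once this failure reaches the threshold
    if (Application_Model_Subjects::getLoginAttempts($username) >= 3) {
        $form->addRecaptcha();
    }
}
```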