From 30a576df06bb54be56a70b6fbb0ff6678f37bdf0 Mon Sep 17 00:00:00 2001
From: REJack
Date: Sat, 14 May 2016 13:33:23 +0200
Subject: [PATCH] fixed fatal flaw on `update_login_attempts` (#133)

- changed `last_login_attempt` value to `Y-m-d H:i:s` from `Y-m-d H:0:0`
- changed `last_login_attempt`-check to check every x minute based on config var (`max_login_attempt_per_minutes`)
- added optional `last_login_attempt` update on login attempt (`update_last_login_attempt`)
- added config var `max_login_attempt_per_minutes`
- added config var `update_last_login_attempt`
- fixed config var info for `max_login_attempt` (`20` to `10`)
---
 application/config/aauth.php | 6 +++++-
 application/libraries/Aauth.php | 8 ++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/application/config/aauth.php b/application/config/aauth.php
index b2a7080..e904b3e 100644
--- a/application/config/aauth.php
+++ b/application/config/aauth.php
@@ -51,7 +51,9 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 | ['totp_only_on_ip_change'] TOTP only on IP Change
 | ['totp_reset_over_reset_password'] TOTP reset over reset Password
 |
-| ['max_login_attempt'] Login attempts time interval (default 20 times in one hour)
+| ['max_login_attempt'] Login attempts time interval (default 10 times in one hour)
+| ['max_login_attempt_per_minutes'] Max Login attempts per Minute (default 5)
+| ['update_last_login_attempt'] Update last Login attempt on login (default false)
 |
 | ['login_with_name'] Login Identificator, if TRUE username needed to login else email address.
 |
@@ -109,6 +111,8 @@ $config_aauth["default"] = array(
 'totp_reset_over_reset_password' => false,
 'max_login_attempt' => 10,
+ 'max_login_attempt_per_minutes' => 5,
+ 'update_last_login_attempt' => false,
 'login_with_name' => false,
diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php
index 2ae7432..0d47fee 100644
--- a/application/libraries/Aauth.php
+++ b/application/libraries/Aauth.php
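Review bot: The description added for `max_login_attempt_per_minutes` in the first hunk ("Max Login attempts per Minute") contradicts both the key's name and the way the Aauth.php hunk consumes it, where the value is passed directly to `strtotime()` as though it were a date/time expression. `strtotime()` parses strings such as `-5 minutes`; a bare integer `5` is not a relative offset, so the new `last_login_attempt` comparison most likely does not describe a five-minute window, and with `update_last_login_attempt` defaulting to `false` the `login_attempts` counter may never reset, turning a temporary throttle into a persistent lockout. The second hunk in this file (`'max_login_attempt_per_minutes' => 5`) carries the same ambiguity, and the retained wording "default 10 times in one hour" for `max_login_attempt` no longer matches a minute-based window. I would reword the comment to state the unit, e.g. `| ['max_login_attempt_per_minutes'] Minutes after the last attempt before login_attempts resets (default 5)`, and have the library derive the cutoff from the number instead of parsing it: `if (strtotime($row->last_login_attempt) > time() - 60 * (int) $this->config_vars['max_login_attempt_per_minutes']) {`. The Aauth.php hunk continues past the end of this excerpt, so its remaining lines were not reviewed.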
@@ -640,15 +640,19 @@ class Aauth {
 $data = array();
-if ( strtotime($row->last_login_attempt) == strtotime(date("Y-m-d H:0:0"))) {
+if (strtotime($row->last_login_attempt) > strtotime($this->config_vars['max_login_attempt_per_minutes'])) {
 $data['login_attempts'] = $row->login_attempts + 1;
+if($this->config_vars['update_last_login_attempt']){
+$data['last_login_attempt'] = date("Y-m-d H:i:s");
+}
+
 $query = $this->aauth_db->where('id', $user_id);
 $this->aauth_db->update($this->config_vars['users'], $data);
 } else {
-$data['last_login_attempt'] = date("Y-m-d H:0:0");
+$data['last_login_attempt'] = date("Y-m-d H:i:s");
 $data['login_attempts'] = 1;
 $this->aauth_db->where('id', $user_id);