Commit 8fe32126 authored by Imran Hussain's avatar Imran Hussain

Add IP address based rate limiting as well

parent 4fb0af28
......@@ -29,13 +29,24 @@ $SESSIONID = session_id();
// otherwise set them up
require "../lib/db.php";
// Check if they have just cleared their cookie/session id and are trying to bypass the rate limiting
// best we can do is IP ratelimit people
$ipBan_result = $DB_CON->query("SELECT * FROM sessions WHERE ipaddr='${_SERVER["REMOTE_ADDR"]}' ORDER BY lastfailedlogintime DESC LIMIT 1");
$ipBan_details = $ipBan_result->fetchArray();
// if their last login attempt was less than 30 mins ago
// 30 mins to really punish ban avoiders
if ($ipBan_details["lastfailedlogintime"] <= strtotime("-30 minutes")) {
$RATELIMITED = true;
}
$result = $DB_CON->query("SELECT * FROM sessions WHERE id='${SESSIONID}'");
$details = $result->fetchArray();
// if there's an entry then load that data otherwise
// otherwise make an entry
if ( $details["id"] === $SESSIONID ) {
if ( $details["id"] === $SESSIONID && !$RATELIMITED) {
//var_dump($details);
//echo time();
if ($details["sucs_username"] !== null) {
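Review bot: The IP check's comparison is inverted relative to its own comment: `lastfailedlogintime <= strtotime("-30 minutes")` is true when the last failure is older than 30 minutes, so an address that just failed passes while a long-idle one is limited, and when no row exists for the address `fetchArray()` returns `false`, the index yields `null`, and `null <= <int>` is also true, so every first-time visitor is rate limited. The condition should read `if ($ipBan_details !== false && $ipBan_details["lastfailedlogintime"] > strtotime("-30 minutes")) {`. The query above it builds SQL by interpolating `$_SERVER["REMOTE_ADDR"]` into the string; that value comes from the socket rather than a request header, but the same interpolation pattern recurs in this file and a `$DB_CON->prepare()` with a bound parameter would close it off uniformly. `$RATELIMITED` is only set to `true` here and never initialised to `false` in this hunk; presumably that happens earlier in the file, since the second hunk's context already reads it, but worth confirming.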
......@@ -86,7 +97,7 @@ if ( isset($_POST["username"]) && isset($_POST["password"]) && !$RATELIMITED ) {
$DB_CON->exec("UPDATE sessions SET failedlogincount=${details['failedlogincount']}, lastfailedlogintime=strftime('%s','now') WHERE id='${SESSIONID}'");
}
} elseif ( isset($_COOKIE["sucssite_session"]) ) {
} elseif ( isset($_COOKIE["sucssite_session"]) && !$RATELIMITED) {
// found a sucssite_session
$legacySessionID = $_COOKIE["sucssite_session"];