Add IP address based rate limiting as well

public/index.php

@@ -29,13 +29,24 @@ $SESSIONID = session_id();
 // otherwise set them up
 require "../lib/db.php";
 
+// Check if they have just cleared their cookie/session id and are trying to bypass the rate limiting
+// best we can do is IP ratelimit people
+$ipBan_result = $DB_CON->query("SELECT * FROM sessions WHERE ipaddr='${_SERVER["REMOTE_ADDR"]}' ORDER BY lastfailedlogintime DESC LIMIT 1");
+$ipBan_details = $ipBan_result->fetchArray();
+
+// if their last login attempt was less than 30 mins ago
+// 30 mins to really punish ban avoiders 
+if ($ipBan_details["lastfailedlogintime"] <= strtotime("-30 minutes")) {
+	$RATELIMITED = true;
+}
+
 $result = $DB_CON->query("SELECT * FROM sessions WHERE id='${SESSIONID}'");
 
 $details = $result->fetchArray();
 
 // if there's an entry then load that data otherwise
 // otherwise make an entry
-if ( $details["id"] === $SESSIONID ) {
+if ( $details["id"] === $SESSIONID && !$RATELIMITED) {
 	//var_dump($details);
 	//echo time();
 	if ($details["sucs_username"] !== null) {
@@ -86,7 +97,7 @@ if ( isset($_POST["username"]) && isset($_POST["password"]) && !$RATELIMITED ) {
 		$DB_CON->exec("UPDATE sessions SET failedlogincount=${details['failedlogincount']}, lastfailedlogintime=strftime('%s','now') WHERE id='${SESSIONID}'");
 	}
 
-} elseif ( isset($_COOKIE["sucssite_session"]) ) {
+} elseif ( isset($_COOKIE["sucssite_session"]) && !$RATELIMITED) {
 
 	// found a sucssite_session
 	$legacySessionID = $_COOKIE["sucssite_session"];