public/index.php

@@ -36,7 +36,7 @@ $ipBan_details = $ipBan_result->fetchArray();
 
 // if their last login attempt was less than 30 mins ago
 // 30 mins to really punish ban avoiders
-if ($ipBan_details["lastfailedlogintime"] <= strtotime("-30 minutes")) {
+if ( $ipBan_details["id"] !== $SESSIONID && $ipBan_details["lastfailedlogintime"] >= strtotime("-30 minutes") ) {
 	$RATELIMITED = true;
 }
 
@@ -55,7 +55,8 @@ if ( $details["id"] === $SESSIONID && !$RATELIMITED) {
 	if ($details["iss_username"] !== null) {
 		$ISS_LOGIN = true;
 	}
-	if ($details["lastfailedlogintime"] <= strtotime("-10 minutes")) {
+	// every 10 minutes give people not clearing their cookies 1 more go
+	if ($details["failedlogincount"] >= 3 && $details["lastfailedlogintime"] <= strtotime("-10 minutes")) {
 		$details["failedlogincount"] = 2;
 	}
 	if ($details["failedlogincount"] >= 3) {
@@ -95,6 +96,9 @@ if ( isset($_POST["username"]) && isset($_POST["password"]) && !$RATELIMITED ) {
 		//do stuff for not authd peeps
 		$details["failedlogincount"] = $details["failedlogincount"] + 1;
 		$DB_CON->exec("UPDATE sessions SET failedlogincount=${details['failedlogincount']}, lastfailedlogintime=strftime('%s','now') WHERE id='${SESSIONID}'");
+		if ($details["failedlogincount"] >= 3) {
+			$RATELIMITED = true;
+		}
 	}
 
 } elseif ( isset($_COOKIE["sucssite_session"]) && !$RATELIMITED) {