From 8fe321269b370538bcf694429d9fc7ff69e88348 Mon Sep 17 00:00:00 2001
From: Imran Hussain
Date: Wed, 22 Dec 2021 19:21:58 +0000
Subject: [PATCH] Add IP address based rate limiting as well

---
 public/index.php | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/public/index.php b/public/index.php
index 68b6085..b58b500 100755
--- a/public/index.php
+++ b/public/index.php
@@ -29,13 +29,24 @@ $SESSIONID = session_id();
 // otherwise set them up
 require "../lib/db.php";
+// Check if they have just cleared their cookie/session id and are trying to bypass the rate limiting
+// best we can do is IP ratelimit people
+$ipBan_result = $DB_CON->query("SELECT * FROM sessions WHERE ipaddr='${_SERVER["REMOTE_ADDR"]}' ORDER BY lastfailedlogintime DESC LIMIT 1");
+$ipBan_details = $ipBan_result->fetchArray();
+
+// if their last login attempt was less than 30 mins ago
+// 30 mins to really punish ban avoiders
+if ($ipBan_details["lastfailedlogintime"] <= strtotime("-30 minutes")) {
+ $RATELIMITED = true;
+}
+
 $result = $DB_CON->query("SELECT * FROM sessions WHERE id='${SESSIONID}'");
 $details = $result->fetchArray();
 // if there's an entry then load that data otherwise
 // otherwise make an entry
-if ( $details["id"] === $SESSIONID ) {
+if ( $details["id"] === $SESSIONID && !$RATELIMITED) {
 //var_dump($details);
 //echo time();
 if ($details["sucs_username"] !== null) {
@@ -86,7 +97,7 @@ if ( isset($_POST["username"]) && isset($_POST["password"]) && !$RATELIMITED ) {
 $DB_CON->exec("UPDATE sessions SET failedlogincount=${details['failedlogincount']}, lastfailedlogintime=strftime('%s','now') WHERE id='${SESSIONID}'");
 }
-} elseif ( isset($_COOKIE["sucssite_session"]) ) {
+} elseif ( isset($_COOKIE["sucssite_session"]) && !$RATELIMITED) {
 // found a sucssite_session
 $legacySessionID = $_COOKIE["sucssite_session"];
-- 
GitLab
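Review bot: The new IP check in the first hunk is inverted and also trips on missing data: `$ipBan_details["lastfailedlogintime"] <= strtotime("-30 minutes")` is true when the most recent failure is *older* than 30 minutes, and when no row matches, `fetchArray()` returns `false`, the index read yields `null` (with a warning) and the comparison is again true — so a first-time visitor is rate-limited while an address that just failed is not. The query also interpolates `$_SERVER["REMOTE_ADDR"]` straight into the SQL string; the connection looks like SQLite3 (`fetchArray`, `strftime('%s','now')`), so a prepared statement with `bindValue` is available and is the safer form. Note too that `ORDER BY lastfailedlogintime DESC LIMIT 1` means a single failure from any client behind a shared address locks the whole address out for 30 minutes, which is an availability cost for NAT'd users; gating on a failure count as well would soften that. Whether new session rows already record `ipaddr` is not visible in this hunk, so the lookup should be confirmed against the insert path.
```php
require "../lib/db.php";

// Only limit an address that actually has a failure newer than 30 minutes;
// a missing row (fetchArray() returns false) or a NULL timestamp must not trip it.
$ipBan_stmt = $DB_CON->prepare("SELECT lastfailedlogintime FROM sessions WHERE ipaddr=:ip ORDER BY lastfailedlogintime DESC LIMIT 1");
$ipBan_stmt->bindValue(':ip', $_SERVER["REMOTE_ADDR"], SQLITE3_TEXT);
$ipBan_details = $ipBan_stmt->execute()->fetchArray(SQLITE3_ASSOC);

if ($ipBan_details !== false
    && $ipBan_details["lastfailedlogintime"] !== null
    && (int)$ipBan_details["lastfailedlogintime"] > strtotime("-30 minutes")) {
    $RATELIMITED = true;
}
// … unchanged: session lookup by $SESSIONID and the if/elseif chain …
```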
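Review bot: Style: the changed `elseif` in the second hunk closes as `&& !$RATELIMITED) {`, dropping the space before `)` that the file's existing conditions keep (the hunk header itself shows `&& !$RATELIMITED ) {`); the changed `if` line in the first hunk has the same inconsistency. Writing it as `} elseif ( isset($_COOKIE["sucssite_session"]) && !$RATELIMITED ) {` keeps the chain uniform. The `if`/`elseif` chain this line belongs to starts and ends outside the hunk, so which branch a rate-limited request now falls through to, and whether that branch still records the address used by the new check, cannot be confirmed from here.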