From dc4bc35464d7d8fe0802853aac9f02b4070e290f Mon Sep 17 00:00:00 2001
From: Imran Hussain
Date: Wed, 22 Dec 2021 22:02:17 +0000
Subject: [PATCH] Fix some ban logic to be nicer to legit people
---
 public/index.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/public/index.php b/public/index.php
index b58b500..93e4e1b 100755
--- a/public/index.php
+++ b/public/index.php
@@ -35,8 +35,8 @@ $ipBan_result = $DB_CON->query("SELECT * FROM sessions WHERE ipaddr='${_SERVER["
 $ipBan_details = $ipBan_result->fetchArray();
 // if their last login attempt was less than 30 mins ago
-// 30 mins to really punish ban avoiders
-if ($ipBan_details["lastfailedlogintime"] <= strtotime("-30 minutes")) {
+// 30 mins to really punish ban avoiders
+if ( $ipBan_details["id"] !== $SESSIONID && $ipBan_details["lastfailedlogintime"] >= strtotime("-30 minutes") ) {
 $RATELIMITED = true;
 }
@@ -55,7 +55,8 @@ if ( $details["id"] === $SESSIONID && !$RATELIMITED) {
 if ($details["iss_username"] !== null) {
 $ISS_LOGIN = true;
 }
-if ($details["lastfailedlogintime"] <= strtotime("-10 minutes")) {
+// every 10 minutes give people not clearing their cookies 1 more go
+if ($details["failedlogincount"] >= 3 && $details["lastfailedlogintime"] <= strtotime("-10 minutes")) {
 $details["failedlogincount"] = 2;
 }
 if ($details["failedlogincount"] >= 3) {
@@ -95,6 +96,9 @@ if ( isset($_POST["username"]) && isset($_POST["password"]) && !$RATELIMITED ) {
 //do stuff for not authd peeps
 $details["failedlogincount"] = $details["failedlogincount"] + 1;
 $DB_CON->exec("UPDATE sessions SET failedlogincount=${details['failedlogincount']}, lastfailedlogintime=strftime('%s','now') WHERE id='${SESSIONID}'");
+if ($details["failedlogincount"] >= 3) {
+$RATELIMITED = true;
+}
 }
 } elseif ( isset($_COOKIE["sucssite_session"]) && !$RATELIMITED) {
-- 
GitLab
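Review bot: The new guard `$ipBan_details["id"] !== $SESSIONID` is evaluated against whichever single row `fetchArray()` returned for this IP, and no ORDER BY is visible in the (truncated) query, so with several sessions from one address the 30-minute IP lock depends on which row SQLite happens to return first — if that row is the requester's own session, or a fresh row with no failure recorded, the lock is skipped even though another session from the same address was just locked out. A client that keeps its cookie is therefore exempt from the IP lock whenever its own row is the one fetched, leaving only the per-session limit. Consider doing the exclusion and the selection in SQL, e.g. `SELECT * FROM sessions WHERE ipaddr=:ip AND id<>:sid ORDER BY lastfailedlogintime DESC LIMIT 1` via `prepare()`/`bindValue()`, rather than interpolating `$_SERVER[...]` into the string. Also, `fetchArray()` returns `false` when no row exists, so `$ipBan_details["id"]` on a first visit raises an array-offset warning on PHP 7.4+; prefix the condition with `$ipBan_details !== false &&`.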
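Review bot: The reset to 2 only changes the in-memory `$details`; the row's `failedlogincount` stays at 3 or more, and it is the failed-POST path later in this patch that writes 3 and a fresh `lastfailedlogintime` back, which is what re-arms the 10-minute window. That coupling is not visible from this line and deserves a comment, e.g. `// in-memory only: the DB keeps the real count; the next failed POST writes 3 back and restarts the 10 min window`. Because every count of 3 or more is clamped to 2 here, repeated failures never escalate, so a session that keeps its cookie gets a steady one guess per 10 minutes indefinitely; if a growing backoff is ever wanted the real count must not be collapsed this way. The enclosing `if ( $details["id"] === $SESSIONID && !$RATELIMITED)` block, including the body of the `>= 3` check, continues outside the hunk.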
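Review bot: The new `$RATELIMITED = true` is derived from the in-memory counter right after `$DB_CON->exec(...)`, but the return value of `exec()` is never checked, so if the UPDATE fails the lockout holds for this one request only and the failure is never recorded. Fail closed instead, e.g. `if ($DB_CON->exec(...) === false) { $RATELIMITED = true; error_log('failed to record login failure'); }`. While on this line, the UPDATE interpolates `${SESSIONID}` directly into SQL; the `elseif` below suggests it originates from the `sucssite_session` cookie, and unless it is validated earlier (not visible here) that is an injection path — the SQLite3-style API in use supports `prepare()` with `bindValue()`. The enclosing `if`/`elseif` chain continues beyond the hunk.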