UserAuthenticationController::getLoginFloodIdentifier

protected UserAuthenticationController::getLoginFloodIdentifier(Request $request, $username)

Gets the login identifier for user login flood control.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The current request.

string $username: The username supplied in login credentials.

Return value

string The login identifier or if the user does not exist an empty string.

File

core/modules/user/src/Controller/UserAuthenticationController.php, line 325

Class

UserAuthenticationController: Provides controllers for login, login status and logout via HTTP requests.

Namespace

Drupal\user\Controller

Code

protected function getLoginFloodIdentifier(Request $request, $username) {
  $flood_config = $this->config('user.flood');
  $accounts = $this->userStorage->loadByProperties(['name' => $username, 'status' => 1]);
  if ($account = reset($accounts)) {
    if ($flood_config->get('uid_only')) {
      // Register flood events based on the uid only, so they apply for any
      // IP address. This is the most secure option.
      $identifier = $account->id();
    }
    else {
      // The default identifier is a combination of uid and IP address. This
      // is less secure but more resistant to denial-of-service attacks that
      // could lock out all users with public user names.
      $identifier = $account->id() . '-' . $request->getClientIp();
    }
    return $identifier;
  }
  return '';
}

Links:

https://api.drupal.org/api/drupal/core%21modules%21user%21src%21Controller%21UserAuthenticationController.php/function/UserAuthenticationController%3A%3AgetLoginFloodIdentifier/8.2.x

doc_Drupal

2025-01-10 15:47:30

Comments