public UserLoginForm::validateAuthentication(array &$form, FormStateInterface $form_state)
Checks the supplied username/password against the local users table.
If successful, $form_state->get('uid') is set to the matching user ID.
File
- core/modules/user/src/Form/UserLoginForm.php, line 161
Class
- UserLoginForm
- Provides a user login form.
Namespace
Drupal\user\Form
Code
/**
 * Validates the submitted credentials, subject to flood control.
 *
 * Two flood-control gates are consulted before any password check is made:
 * a per-IP limit ('user.failed_login_ip') and, when an active account with
 * the submitted name exists, a per-user limit ('user.failed_login_user').
 * If either gate refuses, 'flood_control_triggered' is set in form state to
 * 'ip' or 'user' and the method returns without calling the authenticator.
 * Otherwise the authenticator's result is stored in form state under 'uid'.
 *
 * This method only reads flood state. It does not register failed attempts
 * or raise form errors itself; per the inline note below, the stored values
 * are consumed by self::validateFinal().
 *
 * @param array $form
 *   The form structure (not read or modified by this method).
 * @param \Drupal\Core\Form\FormStateInterface $form_state
 *   The form state holding the submitted 'name' and 'pass' values. On return
 *   it may carry 'flood_control_triggered', 'flood_control_user_identifier'
 *   and 'uid'.
 */
public function validateAuthentication(array &$form, FormStateInterface $form_state) {
  // Surrounding whitespace is stripped, so it is never part of the password
  // that gets checked.
  $password = trim($form_state->getValue('pass'));
  $flood_config = $this->config('user.flood');

  // Without both a user name and a non-empty password there is nothing to
  // authenticate; no flood lookup is made and 'uid' is left unset.
  if ($form_state->isValueEmpty('name') || strlen($password) === 0) {
    return;
  }

  // Per-IP gate. It is independent of the per-user limit so that one address
  // trying many different accounts is still caught. Default is 50 failed
  // attempts allowed in one hour; the limit is kept reasonably high because
  // all users at an institution may share a single apparent IP.
  // NOTE(review): no identifier is passed here, so the flood service
  // presumably falls back to the request's client IP - confirm, and confirm
  // that address is resolved correctly behind reverse proxies.
  $ip_limit = $flood_config->get('ip_limit');
  $ip_window = $flood_config->get('ip_window');
  if (!$this->flood->isAllowed('user.failed_login_ip', $ip_limit, $ip_window)) {
    $form_state->set('flood_control_triggered', 'ip');
    return;
  }

  // Only active accounts ('status' => 1) are considered. For an unknown or
  // blocked name no per-user gate applies and only the IP limit above
  // protects the authentication call further down.
  $accounts = $this->userStorage->loadByProperties([
    'name' => $form_state->getValue('name'),
    'status' => 1,
  ]);
  $account = reset($accounts);

  if ($account) {
    // With 'uid_only' the flood events are keyed on the uid alone, so they
    // apply from any IP address: the most secure option. The default key is
    // uid plus client IP: less secure, but more resistant to
    // denial-of-service attacks that could lock out all users with public
    // user names.
    $identifier = $flood_config->get('uid_only')
      ? $account->id()
      : $account->id() . '-' . $this->getRequest()->getClientIP();
    $form_state->set('flood_control_user_identifier', $identifier);

    // Per-user gate. Default is to allow 5 failed attempts every 6 hours.
    $user_limit = $flood_config->get('user_limit');
    $user_window = $flood_config->get('user_window');
    if (!$this->flood->isAllowed('user.failed_login_user', $user_limit, $user_window, $identifier)) {
      $form_state->set('flood_control_triggered', 'user');
      return;
    }
  }

  // Neither gate refused, so attempt the actual authentication. The result
  // is kept in form state as a flag for self::validateFinal().
  // NOTE(review): presumably a falsy value means the credentials were
  // rejected - confirm against the authenticator's contract.
  $uid = $this->userAuth->authenticate($form_state->getValue('name'), $password);
  $form_state->set('uid', $uid);
}