UserAuthenticationController::floodControl

protected UserAuthenticationController::floodControl(Request $request, $username)

Enforces flood control for the current login request.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The current request.

string $username: The user name sent for login credentials.

File

core/modules/user/src/Controller/UserAuthenticationController.php, line 293

Class

UserAuthenticationController
Provides controllers for login, login status and logout via HTTP requests.

Namespace

Drupal\user\Controller

Code

protected function floodControl(Request $request, $username) {
  $flood_config = $this->config('user.flood');
  if (!$this->flood->isAllowed('user.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
    throw new AccessDeniedHttpException('Access is blocked because of IP based flood prevention.', NULL, Response::HTTP_TOO_MANY_REQUESTS);
  }

  if ($identifier = $this->getLoginFloodIdentifier($request, $username)) {
    // Don't allow login if the limit for this user has been reached.
    // Default is to allow 5 failed attempts every 6 hours.
    if (!$this->flood->isAllowed('user.http_login', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
      if ($flood_config->get('uid_only')) {
        $error_message = sprintf('There have been more than %s failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.', $flood_config->get('user_limit'));
      }
      else {
        $error_message = 'Too many failed login attempts from your IP address. This IP address is temporarily blocked.';
      }
      throw new AccessDeniedHttpException($error_message, NULL, Response::HTTP_TOO_MANY_REQUESTS);
    }
  }
}
doc_Drupal
2016-10-29 09:52:17
Comments
Leave a Comment

Please login to continue.