Adds rate limiting to the login page

2024-12-07 15:38:13 +02:00 · 2024-12-07 15:38:13 +02:00 · f549940249
parent fee0616ca4
commit f549940249
1 changed files with 44 additions and 40 deletions
--- a/app/pages/login.php
+++ b/app/pages/login.php
@ -22,49 +22,53 @@ try {
    $dbWeb = connectDB($config);

    if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
-        $username = $_POST['username'];
-        $password = $_POST['password'];
+        try {
+            $username = $_POST['username'];
+            $password = $_POST['password'];

-        // login successful
-        if ( $userObject->login($username, $password) ) {
-            // if remember_me is checked, max out the session
-            if (isset($_POST['remember_me'])) {
-                // 30*24*60*60 = 30 days
-                $cookie_lifetime = 30 * 24 * 60 * 60;
-                $setcookie_lifetime = time() + 30 * 24 * 60 * 60;
-                $gc_maxlifetime = 30 * 24 * 60 * 60;
+            // login successful
+            if ( $userObject->login($username, $password) ) {
+                // if remember_me is checked, max out the session
+                if (isset($_POST['remember_me'])) {
+                    // 30*24*60*60 = 30 days
+                    $cookie_lifetime = 30 * 24 * 60 * 60;
+                    $setcookie_lifetime = time() + 30 * 24 * 60 * 60;
+                    $gc_maxlifetime = 30 * 24 * 60 * 60;
+                } else {
+                    // 0 - session end on browser close
+                    // 1440 - 24 minutes (default)
+                    $cookie_lifetime = 0;
+                    $setcookie_lifetime = 0;
+                    $gc_maxlifetime = 1440;
+                }
+
+                // set session lifetime and cookies
+                setcookie('username', $username, [
+                    'expires'	=> $setcookie_lifetime,
+                    'path'		=> $config['folder'],
+                    'domain'	=> $config['domain'],
+                    'secure'	=> isset($_SERVER['HTTPS']),
+                    'httponly'	=> true,
+                    'samesite'	=> 'Strict'
+                ]);
+
+                // redirect to index
+                $_SESSION['notice'] = "Login successful";
+                $user_id = $userObject->getUserId($username)[0]['id'];
+                $logObject->insertLog($user_id, "Login: User \"$username\" logged in. IP: $user_IP", 'user');
+                header('Location: ' . htmlspecialchars($app_root));
+                exit();
+
+            // login failed
            } else {
-                // 0 - session end on browser close
-                // 1440 - 24 minutes (default)
-                $cookie_lifetime = 0;
-                $setcookie_lifetime = 0;
-                $gc_maxlifetime = 1440;
+                $_SESSION['error'] = "Login failed.";
+                $user_id = $userObject->getUserId($username)[0]['id'];
+                $logObject->insertLog($user_id, "Login: Failed login attempt for user \"$username\". IP: $user_IP", 'user');
+                header('Location: ' . htmlspecialchars($app_root));
+                exit();
            }
-
-            // set session lifetime and cookies
-            setcookie('username', $username, [
-                'expires'	=> $setcookie_lifetime,
-                'path'		=> $config['folder'],
-                'domain'	=> $config['domain'],
-                'secure'	=> isset($_SERVER['HTTPS']),
-                'httponly'	=> true,
-                'samesite'	=> 'Strict'
-            ]);
-
-            // redirect to index
-            $_SESSION['notice'] = "Login successful";
-            $user_id = $userObject->getUserId($username)[0]['id'];
-            $logObject->insertLog($user_id, "Login: User \"$username\" logged in. IP: $user_IP", 'user');
-            header('Location: ' . htmlspecialchars($app_root));
-            exit();
-
-        // login failed
-        } else {
-            $_SESSION['error'] = "Login failed.";
-            $user_id = $userObject->getUserId($username)[0]['id'];
-            $logObject->insertLog($user_id, "Login: Failed login attempt for user \"$username\". IP: $user_IP", 'user');
-            header('Location: ' . htmlspecialchars($app_root));
-            exit();
+        } catch (Exception $e) {
+            $error = $e->getMessage();
        }
    }
 } catch (Exception $e) {