Preventing Brute-Force attacks when authenticating a user in Laravel

Can Laravel Authenticate Users with Conditions to Prevent Brute Force Attacks?

This answer for PHP suggests adding two columns to your database (TimeOfLastFailedLogin and NumberOfFailedAttempts), and then checking these values on every login attempt.

Here is the Laravel syntax for authenticating a user with conditions:

    if (Auth::attempt(array('email' => $email, 'password' => $password, 'active' => 1))) {
        // The user is active, not suspended, and exists.
    }

Can condition parameters be used to check the number of attempts for a certain period of time? For example, less than 3 requests in the last 60 seconds.

+5
2 answers

I know this is an old question, but since it has proven itself on Google, I would like to clarify that the ThrottlesLogins trait has existed since Laravel 5.1 and prevents brute force attacks.

It is included in the Auth\LoginController by default through the AuthenticatesUsers trait.

Docs: https://laravel.com/docs/5.6/authentication#login-throttling

Example default behavior (see login method): https://github.com/laravel/framework/blob/5.6/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php

So, if you use the default LoginController that comes with Laravel, then the login throttling will be done automatically.

+1

You can create something simple, like the class below, to help you prevent this:

    <?php

    use App\User;
    use Carbon\Carbon;
    use Illuminate\Support\Facades\Auth;

    class Login
    {
        public function attempt($credentials)
        {
            // Look the user up by e-mail; the counters live on the user row.
            if ( ! $user = User::where('email', $credentials['email'])->first()) {
                throw new \Exception('user not found');
            }

            $user->login_attempts++;

            if ($user->login_attempts > 2) {
                // Third attempt within 60 seconds of the last failure: refuse it.
                if (Carbon::now()->diffInSeconds($user->last_login_attempt) < 60) {
                    throw new \Exception('too many attempts, wait a while');
                }
                // The window has passed: start counting again.
                $user->login_attempts = 0;
            }

            if ( ! Auth::attempt($credentials)) {
                // Record the failure time so the next attempt can be checked against it.
                $user->last_login_attempt = Carbon::now();
                $user->save();
                throw new \Exception('wrong password');
            }

            // Successful login: clear the counter.
            $user->login_attempts = 0;
            $user->save();

            return true;
        }
    }

Or you can go with a package like Sentry, which controls throttling for you. Sentry is open source.

+9
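As an added example (not code from either answer or from Laravel itself), here is a self-contained PHP 8 throttle that implements the rule from the question directly: fewer than 3 attempts per e-mail in the last 60 seconds, so two failures are allowed and the third is refused without the password being checked. The `LoginThrottle` class, its in-memory state and the `$passwordCheck` callback standing in for `Auth::attempt()` are all assumptions made for the demo; the clock is injected so the 60-second window can be exercised without sleeping.

```php
<?php
// Added example, not code from either answer above: a fixed-window login
// throttle for the question's rule (fewer than 3 attempts in the last 60 s,
// i.e. at most two failures). The in-memory counter and timestamp stand in for
// the two database columns the question mentions; the clock is injected so the
// window can be tested without sleeping. $passwordCheck stands in for Auth::attempt().

final class LoginThrottle
{
    private array $state = [];   // e-mail => ['attempts' => int, 'last' => unix time]

    public function __construct(
        private int $maxFailures,
        private int $windowSeconds,
        private Closure $clock,    // returns the current Unix timestamp
    ) {}

    public function attempt(string $email, callable $passwordCheck): string
    {
        $key = strtolower($email);
        $now = ($this->clock)();
        $entry = $this->state[$key] ?? ['attempts' => 0, 'last' => 0];

        // Window expired: forget earlier failures before counting this one.
        if ($now - $entry['last'] >= $this->windowSeconds) {
            $entry = ['attempts' => 0, 'last' => 0];
        }
        // Refuse before checking the password; the counter is not bumped, so the
        // lockout ends one window after the last real failure, as in the answer.
        if ($entry['attempts'] >= $this->maxFailures) {
            return 'throttled';
        }
        if (!$passwordCheck($email)) {
            $this->state[$key] = ['attempts' => $entry['attempts'] + 1, 'last' => $now];
            return 'wrong-password';
        }
        unset($this->state[$key]);   // success: do not penalise the real user
        return 'ok';
    }
}

// Demo with a fake clock and constructed credentials: two wrong passwords,
// then even the right one is refused until 60 s after the last failure.
$now = 1700000000;
$throttle = new LoginThrottle(2, 60, function () use (&$now): int { return $now; });
$wrong = static fn (string $email): bool => false;
$right = static fn (string $email): bool => true;
foreach ([$wrong, $wrong, $right] as $check) { echo $throttle->attempt('alice@example.com', $check), "\n"; }
$now += 60;
echo $throttle->attempt('alice@example.com', $right), "\n";   // ok
```

In a real application the state array would be the two database columns (or a cache keyed on e-mail plus client IP, as Laravel's own throttling does), and a successful login should still clear the counter so a legitimate user who mistyped twice is not locked out.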

Source: https://habr.com/ru/post/1203337/
