From 2dee57fd43ebe1cf1f43fb0161cdd5f072eeaa63 Mon Sep 17 00:00:00 2001
From: Nils Adermann
Date: Fri, 10 Jun 2011 12:02:59 +0200
Subject: [ticket/9992] Adding a limit on login attempts per IP. A new table was created to save all failed login attempts with corresponding information on username, ip and useragent. By default the limit is 50 login attempts within 6 hours per IP. The limit is relatively high to avoid big problems on sites behind a reverse proxy that don't receive the forwarded-for value as REMOTE_ADDR but see all users as coming from the same IP address. But if these users run into problems a special forwarded-for option is available to limit logins by forwarded-for value instead of ip. PHPBB3-9992
---
phpBB/includes/session.php | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'phpBB/includes/session.php')
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index ceb22c197c..69369ff72d 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -1005,6 +1005,10 @@ class session
 include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx);
 }
 phpbb_captcha_factory::garbage_collect($config['captcha_plugin']);
+
+ $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
+ WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
+ $db->sql_query($sql);
 }
 return;
-- cgit v1.2.1
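Review bot: The cutoff in the added `DELETE` is computed straight from `(int) $config['ip_login_limit_time']` with no check that the value is positive, so a missing or empty setting (cast to 0) or a negative one moves the cutoff to now or later, and every garbage-collection run then empties `LOGIN_ATTEMPT_TABLE`, including attempts that should still count toward the per-IP limit. Reading the value once and purging only when it is positive would avoid that: `$limit_time = (int) $config['ip_login_limit_time'];` followed by `if ($limit_time > 0)` around the query. Going by the commit description, this delete also appears to be the only retention bound on the stored username, IP and user agent of failed logins, which deserves a comment such as `// Failed login attempts older than the limit window no longer count; purge them here`. The enclosing method starts and ends outside the hunk, and how the counting code reads the same setting is not visible here.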