You are here

Home » API reference » Services 7.3 » user_resource.inc

function _user_resource_flood_control_precheck in Services 7.3

Emulate native Drupal flood control, phase 1.

This function checks for a flood condition, and determines the identifier for user based flood checks. This is done prior to user authentication.

Parameters

string $username: The name of the user who is attempting to log in.

Return value

array An array containing zero or more of the following keys:

  • flood_control_triggered: either 'user' or 'ip' if a flood condition was detected.
  • flood_control_user_identifier: the identifier to use to register user-based flood events.

See also

_user_resource_flood_control_postcheck().

user_login_authenticate_validate().

1 call to _user_resource_flood_control_precheck()
_user_resource_login in resources/user_resource.inc
Login a user using the specified credentials.

File

resources/user_resource.inc, line 996

Code

function _user_resource_flood_control_precheck($username) {
  $flood_state = array();

  // Do not allow any login from the current user's IP if the limit has been
  // reached. Default is 50 failed attempts allowed in one hour. This is
  // independent of the per-user limit to catch attempts from one IP to log
  // in to many different user accounts.  We have a reasonably high limit
  // since there may be only one apparent IP for all users at an institution.
  if (!flood_is_allowed('failed_login_attempt_ip', variable_get('user_failed_login_ip_limit', 50), variable_get('user_failed_login_ip_window', 3600))) {
    $flood_state['flood_control_triggered'] = 'ip';
  }
  else {
    $account = db_query("SELECT * FROM {users} WHERE name = :name AND status = 1", array(
      ':name' => $username,
    ))
      ->fetchObject();
    if ($account) {
      if (variable_get('user_failed_login_identifier_uid_only', FALSE)) {

        // Register flood events based on the uid only, so they apply for any
        // IP address. This is the most secure option.
        $identifier = $account->uid;
      }
      else {

        // The default identifier is a combination of uid and IP address. This
        // is less secure but more resistant to denial-of-service attacks that
        // could lock out all users with public user names.
        $identifier = $account->uid . '-' . ip_address();
      }
      $flood_state['flood_control_user_identifier'] = $identifier;

      // Don't allow login if the limit for this user has been reached.
      // Default is to allow 5 failed attempts every 6 hours.
      if (!flood_is_allowed('failed_login_attempt_user', variable_get('user_failed_login_user_limit', 5), variable_get('user_failed_login_user_window', 21600), $identifier)) {
        $flood_state['flood_control_triggered'] = 'user';
      }
    }
  }
  return $flood_state;
}