bug-1341: Restrict to 1 login per 5 seconds

1 files changed, 9 insertions, 3 deletions

diff --git a/www/index.php b/www/index.php
index e6fc06a..2247b68 100644
--- a/www/index.php
+++ b/www/index.php
@@ -191,7 +191,9 @@ require_once('../includes/notary.inc.php');
 		$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
 						`password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
 		$res = mysql_query($query);
-		if(mysql_num_rows($res) > 0)
+		$query = "SELECT 1 FROM `users` WHERE `email`='$email' and (UNIX_TIMESTAMP(`lastLoginAttempt`) < UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - 5 or `lastLoginAttempt` is NULL)" ;
+		$rateLimit = mysql_num_rows(mysql_query($query)) > 0;
+		if(mysql_num_rows($res) > 0 && $rateLimit)
 		{
 			$_SESSION['profile'] = "";
 			unset($_SESSION['profile']);
@@ -231,13 +233,17 @@ require_once('../includes/notary.inc.php');
 				header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
 			}
 			exit;
+		} else if($rateLimit){
+			$query = "update `users` set `lastLoginAttempt`=CURRENT_TIMESTAMP WHERE `email`='$email'";
+			mysql_query($query);
 		}
 
 		$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
 						`password`=password('$pword')) and `verified`=0 and `deleted`=0";
 		$res = mysql_query($query);
-		if(mysql_num_rows($res) <= 0)
-		{
+		if(!$rateLimit) {
+			$_SESSION['_config']['errmsg'] = _("You hit the login rate limit of 1 login per 5 seconds.");
+		} else if(mysql_num_rows($res) <= 0) {
 			$_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
 		} else {
 			$_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");