authorBenny Baumann <BenBE@geshi.org>2015-03-11 21:15:12 +0100
committerBenny Baumann <BenBE@geshi.org>2015-03-11 21:15:12 +0100
commit06a17c0c971e4de3f04ee44be42cf8e8377b2d31 (patch)
treec825e85c1317bc83768699f19dd874bd2ad27299 /www
parent2d1bdd431380a5388a86a31054447b02abfafd7d (diff)
parent85b24e6a28ed5cf2534a7d5a6039d5560c7f3dbf (diff)
downloadcacert-devel-06a17c0c971e4de3f04ee44be42cf8e8377b2d31.tar.gz
cacert-devel-06a17c0c971e4de3f04ee44be42cf8e8377b2d31.tar.xz
cacert-devel-06a17c0c971e4de3f04ee44be42cf8e8377b2d31.zip
Merge branch 'bug-1341' into testserver-stable
Diffstat (limited to 'www')
-rw-r--r--www/index.php12
1 files changed, 9 insertions, 3 deletions
diff --git a/www/index.php b/www/index.php
index b1efbfe..6baf48b 100644
--- a/www/index.php
+++ b/www/index.php
@@ -198,7 +198,9 @@ require_once('../includes/notary.inc.php');
$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
`password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
$res = mysql_query($query);
- if(mysql_num_rows($res) > 0)
+ $query = "SELECT 1 FROM `users` WHERE `email`='$email' and (UNIX_TIMESTAMP(`lastLoginAttempt`) < UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - 5 or `lastLoginAttempt` is NULL)" ;
+ $rateLimit = mysql_num_rows(mysql_query($query)) > 0;
+ if(mysql_num_rows($res) > 0 && $rateLimit)
{
$_SESSION['profile'] = "";
unset($_SESSION['profile']);
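Review bot: `$rateLimit = mysql_num_rows(mysql_query($query)) > 0;` is false both when the account is throttled and when no `users` row matches `$email` at all, so an unknown e-mail address falls into the `if(!$rateLimit)` branch of the second hunk and is told it hit the login rate limit instead of "Incorrect email address and/or Pass Phrase.", which lets the two messages distinguish existing from non-existing accounts. Selecting the throttle condition as a column and treating a missing row as "not limited" keeps the cases apart, and a `false` return from `mysql_query()` should be handled explicitly since `mysql_num_rows(false)` only emits a warning and yields a misleading result. The new query interpolates `$email` the same way the surrounding queries do; whether it is escaped before this point is outside the hunk. The enclosing login handler and its `if`/`else` structure start before this hunk and continue past the second one.
```php
$query = "SELECT (`lastLoginAttempt` IS NULL OR UNIX_TIMESTAMP(`lastLoginAttempt`) < UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - 5) FROM `users` WHERE `email`='$email'";
$rateRes = mysql_query($query);
// No matching row (unknown e-mail) or a failed query: do not throttle, so the
// ordinary "incorrect credentials" path below answers without revealing whether the account exists.
$rateLimit = ($rateRes === false || mysql_num_rows($rateRes) == 0) ? true : (bool) mysql_result($rateRes, 0);
if(mysql_num_rows($res) > 0 && $rateLimit)
// … unchanged: session reset and successful-login handling …
```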
@@ -238,13 +240,17 @@ require_once('../includes/notary.inc.php');
header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
}
exit;
+ } else if($rateLimit){
+ $query = "update `users` set `lastLoginAttempt`=CURRENT_TIMESTAMP WHERE `email`='$email'";
+ mysql_query($query);
}
$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
`password`=password('$pword')) and `verified`=0 and `deleted`=0";
$res = mysql_query($query);
- if(mysql_num_rows($res) <= 0)
- {
+ if(!$rateLimit) {
+ $_SESSION['_config']['errmsg'] = _("You hit the login rate limit of 1 login per 5 seconds.");
+ } else if(mysql_num_rows($res) <= 0) {
$_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
} else {
$_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");