
How to lockout a user after failed logins

By default, ShadoCMS 7.7.x onwards does not ship with Login Lockout active, that is, the ability to lock a user out for a set number of minutes after a set number of failed login attempts. This must be implemented on a site-by-site basis: a developer has to create a custom function that makes use of the onLogin() event.

The following example is relative to Shado 8.0 onwards only. 

beforelogin.cfm

You can either download by clicking on the link above or view the code below.

Description: This is a sample beforeLogin event handler.
Assign this handler to the beforelogin event of the Users object.

This event handler looks at the loginData structure passed into the
beforelogin event to figure out the number of logins a user is allowed
and how long the user will be locked out for.

The event handler also audits bad logins.

Please modify this login handler to suit your needs.

To use this, follow these steps:

  1. Assign the beforeLogin handler to the Users event.
  2. Add the attached code to the handler.
  3. Log out of Shado Central and try to log back in with an incorrect username/password.
  4. You should see the appropriate JavaScript message.
  5. By default you'll see another message after three bad logins.
  6. Change this value in the global variables to 5, and you should see the message after five bad logins.

<!---

    File:           beforelogin.cfm

    Version:        1.0

    Date:           28 November 2007

    Description:    This is a sample beforeLogin event handler.
                    Assign this handler to the beforelogin event of the Users object.

                    This event handler looks at the loginData structure passed into the
                    beforelogin event to figure out the number of logins a user is allowed
                    and how long the user will be locked out for.

                    The event handler also audits bad logins.

                    Please modify this login handler to suit your needs.

--->

<!--- Setup variables --->
<cfset stLoginData  = arguments.loginData>
<cfset oAudit       = application.shado_obj_factory.get("#request.shadoContextRoot#.core.admin.shado_audittrail")>
<!--- Always initialise the flag, otherwise it is undefined on the second and later attempts --->
<cfset bShowMessage = false>

<cfif not structKeyExists(request.userContext,"failedLoginAttempts")>
    <cfset request.userContext.failedLoginAttempts  = 0>
    <cfset request.userContext.allowLoginAfter      = now()>
</cfif>

<cfif request.userContext.allowLoginAfter gt now()>
    <!--- Still inside the lockout window: refuse the attempt even if the credentials were correct,
          otherwise the lockout is never actually enforced --->
    <cfset bShowMessage = true>

<cfelseif NOT stLoginData.loginSuccessful>
    <!--- Login was not successful: increment the failed count and, once the limit is reached,
          set the date/time when the user can next log in --->
    <cfset request.userContext.failedLoginAttempts  = request.userContext.failedLoginAttempts + 1>

    <!--- Has the user reached the failed login count? Note the dateAdd datepart: "n" is minutes, "m" is months --->
    <cfif request.userContext.failedLoginAttempts gte stLoginData.loginAttempts>
        <cfset request.userContext.allowLoginAfter  = dateAdd("n",stLoginData.loginTimeout,now())>
        <cfset bShowMessage = true>
    </cfif>

    <!--- audit the login. The submitted password is deliberately not written to the audit trail:
          a mistyped password is usually only a character or two away from the real one --->
    <cfset oAudit.add(
            object          = "login",
            object_action   = "Bad Login",
            user_uuid       = arguments.userName,
            object_uuid     = cgi.remote_host,
            other_info      = "#cgi.remote_host#,#arguments.userName#",
            success         = 1,
            audit_title     = "Bad Login",
            dbconnection    = arguments.local
    )> <!--- pass dbconnection else it doesn't record audit in the database --->

<cfelse>
    <!--- Successful login outside a lockout window: clear the counters --->
    <cfset structDelete(request.userContext,"failedLoginAttempts")>
    <cfset structDelete(request.userContext,"allowLoginAfter")>

</cfif>


<!--- Has the user exceeded the login limit, or is the user still locked out? --->
<cfif bShowMessage>
    <cfoutput>
    <script language="javascript">
        <!--
        alert('Sorry, but you have used the incorrect Username/Password combination #stLoginData.loginAttempts# times or more\n You will be locked out of the system for #stLoginData.loginTimeout# minutes!');
        history.back();
        //-->
    </script>
    </cfoutput>

    <!--- Restart the counter; allowLoginAfter keeps blocking until the window has passed --->
    <cfset request.userContext.failedLoginAttempts = 0>

    <cfabort>
</cfif>
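The same decision logic as a small Python class, added here as an example and not part of the handler above or of ShadoCMS: it keeps the failedLoginAttempts / allowLoginAfter pair per account (keyed by username, an assumption; the handler keeps them in request.userContext), converts the minute timeout explicitly, refuses correct credentials while a lockout window is open, and audits bad logins without the submitted password. The policy values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy values standing in for the handler's
# loginData.loginAttempts and loginData.loginTimeout fields.
LOGIN_ATTEMPTS = 3
LOGIN_TIMEOUT_MINUTES = 15


@dataclass
class LockoutState:
    """Per-account counterpart of failedLoginAttempts / allowLoginAfter."""
    failed_login_attempts: int = 0
    allow_login_after: float = 0.0  # seconds since epoch; 0 = no lockout


class LoginLockout:
    """Counts bad logins per account and enforces a timed lockout."""

    def __init__(self, attempts: int = LOGIN_ATTEMPTS,
                 timeout_minutes: int = LOGIN_TIMEOUT_MINUTES) -> None:
        self.attempts = attempts
        # Convert once, explicitly: the minutes/months mix-up is easy to make
        self.timeout_seconds = timeout_minutes * 60
        self.state: Dict[str, LockoutState] = {}
        self.audit: List[Tuple[float, str, str]] = []

    def before_login(self, username: str, login_successful: bool,
                     now: float) -> Tuple[bool, str]:
        """Return (allowed, reason) for one login attempt made at time `now`."""
        st = self.state.setdefault(username, LockoutState())
        # An open lockout window refuses the attempt even when the
        # credentials are correct; otherwise the lockout has no teeth.
        if now < st.allow_login_after:
            return False, "locked"
        if login_successful:
            # Successful login outside a window clears the counters
            self.state.pop(username, None)
            return True, "ok"
        st.failed_login_attempts += 1
        # Audit the bad login; the submitted password is deliberately
        # not recorded, since near-miss passwords are sensitive data.
        self.audit.append((now, username, "Bad Login"))
        if st.failed_login_attempts >= self.attempts:
            st.allow_login_after = now + self.timeout_seconds
            st.failed_login_attempts = 0  # counter restarts after the window
            return False, "locked"
        return False, "bad_credentials"
```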

