private function AuthFail($uid, $username)
{
$this->AuthResult = false;
// Change session id to fight attacks on the session
sses_regenerate_id(true);
// Log authentication attempt
ulLog::Log('auth-fail', $username, ulUtils::GetRemoteIP(false));
// Let us check for brute forcing attempts
// See if the username is being brute forced
if ($uid !== false && $uid != NULL && UL_BF_USER_LOCKOUT > 0) {
// Get how many seconds ago did this user log in successfully
$last_login_rel = ulLog::GetUserLastLoginAgo($username);
if ($last_login_rel === false) {
$bf_window = UL_BF_WINDOW;
} else {
$bf_window = min($last_login_rel, UL_BF_WINDOW);
}
$failed_attempts = ulLog::GetFrequencyForUser($username, 'auth-fail', $bf_window);
if ($failed_attempts >= UL_BF_USER_ATTEMPTS) {
// Okay, we know there have been at least UL_BF_USER_ATTEMPTS unsuccessful login attempts,
// in the past $bf_window seconds, zero sucessfull logins since then.
$this->Backend->BlockUser($uid, UL_BF_USER_LOCKOUT);
}
}
// See if an IP is brute forcing
if (UL_BF_IP_LOCKOUT > 0) {
// Get how many seconds ago did this user log in successfully
$ip = ulUtils::GetRemoteIP(false);
$last_login_rel = ulLog::GetIpLastLoginAgo($ip);
if ($last_login_rel === false) {
$bf_window = UL_BF_WINDOW;
} else {
$bf_window = min($last_login_rel, UL_BF_WINDOW);
}
$failed_attempts = ulLog::GetFrequencyForIp($ip, 'auth-fail', $bf_window);
if ($failed_attempts >= UL_BF_IP_ATTEMPTS) {
// Okay, we know there have been at least UL_BF_IP_ATTEMPTS unsuccessful login attempts,
// in the past $bf_window seconds, zero sucessfull logins since then.
ulIpBlocker::SetBlock($ip, UL_BF_IP_LOCKOUT);
}
}
if (is_callable($this->LoginFailCallback)) {
$callback = $this->LoginFailCallback;
$callback($uid, $username, $this);
}
}
