/**
 * Handle a failed authentication attempt.
 *
 * Records the failure, then applies the configured brute-force lockouts:
 * a per-user block once UL_BF_USER_ATTEMPTS failures fall inside the
 * detection window, and a per-IP block once UL_BF_IP_ATTEMPTS failures do.
 * The window is UL_BF_WINDOW seconds, shortened to the time since the last
 * successful login so that only failures *after* a success are counted.
 * Finally the optional LoginFailCallback hook is invoked.
 *
 * @param mixed  $uid      Backend user id of the targeted account, or
 *                         false/null when the username did not resolve.
 * @param string $username The username that was attempted (logged as-is).
 *
 * NOTE(review): both lockouts are attacker-triggerable denial of service —
 * repeated failures against a known username lock that account out, and the
 * IP block hits everyone behind a shared NAT/proxy. If GetRemoteIP(false)
 * derives the address from client-controlled headers (X-Forwarded-For etc.),
 * the IP lockout can be both evaded and aimed at other clients — confirm.
 */
private function AuthFail($uid, $username)
{
    $this->AuthResult = false;

    // A fresh session id makes a failed attempt useless for session fixation.
    // (sses_* is the library's own session layer, not a typo of session_*.)
    sses_regenerate_id(true);

    $remoteIp = ulUtils::GetRemoteIP(false);

    // Log first so the frequency queries below include this attempt.
    ulLog::Log('auth-fail', $username, $remoteIp);

    // --- per-user brute-force detection ---
    // `$uid != NULL` is a loose comparison, so a uid of 0 / '0' / '' skips
    // this check; kept as in the original — confirm backend ids never take
    // those values.
    if ($uid !== false && $uid != NULL && UL_BF_USER_LOCKOUT > 0) {
        $lastOk = ulLog::GetUserLastLoginAgo($username);
        $window = ($lastOk === false) ? UL_BF_WINDOW : min($lastOk, UL_BF_WINDOW);

        if (ulLog::GetFrequencyForUser($username, 'auth-fail', $window) >= UL_BF_USER_ATTEMPTS) {
            // At least UL_BF_USER_ATTEMPTS failures in $window seconds with no
            // successful login since: lock the account for UL_BF_USER_LOCKOUT.
            $this->Backend->BlockUser($uid, UL_BF_USER_LOCKOUT);
        }
    }

    // --- per-IP brute-force detection ---
    if (UL_BF_IP_LOCKOUT > 0) {
        $lastOk = ulLog::GetIpLastLoginAgo($remoteIp);
        $window = ($lastOk === false) ? UL_BF_WINDOW : min($lastOk, UL_BF_WINDOW);

        if (ulLog::GetFrequencyForIp($remoteIp, 'auth-fail', $window) >= UL_BF_IP_ATTEMPTS) {
            // Same rule applied to the source address.
            ulIpBlocker::SetBlock($remoteIp, UL_BF_IP_LOCKOUT);
        }
    }

    // Application hook; note $uid may be false/null at this point.
    if (is_callable($this->LoginFailCallback)) {
        $hook = $this->LoginFailCallback;
        $hook($uid, $username, $this);
    }
}