chronon/attempt

此包最新版本(dev-master)没有可用的许可证信息。

CakePHP 插件,用于帮助保护敏感操作免受暴力攻击。

维护者

详细信息

github.com/chronon/Attempt

主页

源代码

安装次数: 3,778

依赖者: 0

建议者: 0

安全: 0

星标: 15

关注者: 4

分支: 9

类型:cakephp-plugin

dev-master 2016-03-22 13:17 UTC

Requires

Unknown License 557dd8241c3f06ae9eec976b746e93f2012353bd

plugincakephplimit

This package is not auto-updated.

Last update: 2024-09-11 11:35:26 UTC

README

一个 CakePHP 2.0 或 2.1 插件,用于帮助保护敏感操作免受暴力攻击。

API

count($action)

返回特定操作的失败尝试次数。

limit($action, $limit = 5)

如果失败尝试次数大于传入的限制,则返回 false。

fail($action, $duration = '+10 minutes')

创建一个计算在限制内的失败尝试,持续时间为传入的持续时间。

reset($action)

删除特定操作的 所有失败尝试。

cleanup()

从数据库中删除所有过期的失败尝试。这应该通过 CakeShell 运行(理想情况下作为 CRON 任务)。

模式

运行 Console/cake schema create --plugin Attempt 或手动创建一个表

CREATE TABLE `attempts` (
  `id` char(36) NOT NULL DEFAULT '',
  `ip` varchar(64) DEFAULT NULL,
  `action` varchar(32) DEFAULT NULL,
  `created` datetime DEFAULT NULL,
  `expires` datetime DEFAULT NULL,
  PRIMARY KEY (`id`),
  KEY `ip` (`ip`,`action`),
  KEY `expires` (`expires`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8

示例实现

<?php
class ExampleController extends AppController {
    
    public $components = array(
        'Attempt.Attempt'
    );
    
    public $loginAttemptLimit = 10;
    public $loginAttemptDuration = '+1 hour';
    
    public function login() {
        // Form submitted?
        if ( $formSubmitted = true ) {
            // All required fields entered?
            if ( $validFormData = true ) {
                // Limit to 10 failed attempts
                if ( $this->Attempt->limit('login', $this->loginAttemptLimit) ) {
                    // Validate user credentials
                    if ( $validCredentials = true ) {
                        // Log user in
                    } else {
                        // Invalid credentials, count as failed attempt for an hour
                        $this->Attempt->fail('login', $this->loginAttemptDuration);
                        $this->Session->setFlash('Unknown user or wrong password');
                    }
                } else {
                    // User exceeded attempt limit
                    // Ideally show a CAPTCHA (ensuring this is not a robot 
                    // without blocking out and frustrating users),
                    // otherwise show error message
                    $this->Session->setFlash('Too many failed attempts!');
                }
            } else {
                // Invalid form data but keep it ambiguous
                $this->Session->setFlash('Unknown user or wrong password');
            }
        }
    }
}

备选实现(简单的管理员登录)

<?php
class UsersController extends AppController {
    
    public $components = array(
        'Security',
        'Attempt.Attempt'
    );
    
    public $loginAttemptLimit = 10;
    public $loginAttemptDuration = '+1 hour';

    public function admin_login() {
        if (empty($this->data)) {
            return;
        }
        // check for repeated login attempts
        if ($this->Attempt->limit('admin_login', $this->loginAttemptLimit)) {
            if ($this->request->is('post')) {
                if ($this->Auth->login()) {
                    // login was successful, redirect to admin menu
                    $this->redirect(array(
                        'controller' => 'users',
                        'action' => 'index',
                        'admin' => true
                    ));
                } else {
                    // increment the attempt counter
                    $this->Attempt->fail('admin_login', $this->loginAttemptDuration);
                    $this->Session->setFlash('Unknown user or wrong password.');
                    return;
                }
            }
        } else {
            // $loginAttemptLimit reached
            $this->Session->setFlash('Login limit exceeded, please try again later.');
        }
    }
}