function UserAuthenticationController::floodControl

Same name in other branches
  1. 9 core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::floodControl()
  2. 8.9.x core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::floodControl()
  3. 10 core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::floodControl()

Enforces flood control for the current login request.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The current request.

string $username: The user name sent for login credentials.

1 call to UserAuthenticationController::floodControl()
UserAuthenticationController::login in core/modules/user/src/Controller/UserAuthenticationController.php
Logs in a user.

File

core/modules/user/src/Controller/UserAuthenticationController.php, line 389

Class

UserAuthenticationController
Provides controllers for login, login status and logout via HTTP requests.

Namespace

Drupal\user\Controller

Code

protected function floodControl(Request $request, $username) {
    $flood_config = $this->config('user.flood');
    if (!$this->userFloodControl
        ->isAllowed('user.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
        throw new AccessDeniedHttpException('Access is blocked because of IP based flood prevention.', NULL, Response::HTTP_TOO_MANY_REQUESTS);
    }
    if ($identifier = $this->getLoginFloodIdentifier($request, $username)) {
        // Don't allow login if the limit for this user has been reached.
        // Default is to allow 5 failed attempts every 6 hours.
        if (!$this->userFloodControl
            ->isAllowed('user.http_login', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
            if ($flood_config->get('uid_only')) {
                $error_message = sprintf('There have been more than %s failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.', $flood_config->get('user_limit'));
            }
            else {
                $error_message = 'Too many failed login attempts from your IP address. This IP address is temporarily blocked.';
            }
            throw new AccessDeniedHttpException($error_message, NULL, Response::HTTP_TOO_MANY_REQUESTS);
        }
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.