You can't simply reset a global variable as you are doing in the first 
example, as it will be reset on every request. Also, I'm not sure what 
you're trying to achieve with the cache example, but that code won't force 
a redirect for 5 seconds (and you don't want to have just a single cache 
key -- you would need one per user). Anyway, you shouldn't rely on the 
session, as a malicious user could simply start new sessions to keep making 
attempts. Instead, you would have to keep track of the user ID and the 
number of attempts via some other means (e.g., the database or the cache).

Anthony
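
An added example, not part of the original thread and not web2py code, of the approach described above: failed attempts are counted per username in server-side storage with a timed lock, so a new session does not reset the count. The class name `LoginThrottle`, its methods, and the in-memory dict (standing in for the database or cache) are assumptions; the limits of 3 attempts and 5 seconds come from the thread.

```python
import threading
import time


class LoginThrottle:
    """Counts failed logins per username in server-side storage.

    The dict stands in for the database or cache (an assumption of this
    example). State is keyed by the submitted username, not the session,
    so starting a new session does not reset the count.
    """

    def __init__(self, max_attempts=3, lock_seconds=5, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.clock = clock  # injectable so the timing can be tested
        self._state = {}    # username -> (failure_count, locked_until)
        self._mutex = threading.Lock()

    def is_locked(self, username):
        """True while the lock window for this username is still open."""
        with self._mutex:
            _, locked_until = self._state.get(username, (0, 0.0))
            return self.clock() < locked_until

    def record_failure(self, username):
        """Register one failed attempt; return True if the user is locked."""
        with self._mutex:
            now = self.clock()
            count, locked_until = self._state.get(username, (0, 0.0))
            if now < locked_until:
                return True   # still locked: do not recount or extend
            if locked_until:  # an earlier lock has expired: start over
                count = 0
            count += 1
            if count >= self.max_attempts:
                self._state[username] = (count, now + self.lock_seconds)
                return True
            self._state[username] = (count, 0.0)
            return False

    def record_success(self, username):
        """Clear the counter after a valid login."""
        with self._mutex:
            self._state.pop(username, None)
```

In the thread's setup, `record_failure` would be called from the function appended to `auth.settings.login_onfail`, with the username taken from the submitted form, and `is_locked` checked before the redirect. Because the counter is keyed by username, anyone can lock a known account for the window by submitting wrong passwords, so keep the window short or also throttle by source address.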

On Wednesday, April 22, 2015 at 11:20:37 AM UTC-4, 黄祥 wrote:
>
> Thank you so much, Anthony, the session is not counted anymore when I 
> refresh the login page.
> I want to lock a user whose login has failed 3 times, redirect to another 
> page for some time (5 sec in the example below), and after that time has 
> elapsed reset the counted login attempts. I tried using a variable but it 
> returned an error (reference before assignment), and tried using the session 
> (no error occurred, but the result is not as expected (I think the session 
> has its own expiry time)). How can I achieve it using web2py?
> e.g.
> """
> login_attempts = 1
>
> def login_attempts(form):
>     #login_attempts = 1
>     if login_attempts >= 3 :
>         test = cache.ram('login_attempts', lambda: login_attempts, time_expire = 5)
>         if test:
>             redirect(URL('default', 'test') )
>         else:
>             login_attempts = 0
>             #response.flash = login_attempts
>     else :
>         login_attempts += 1
> """
>
> def login_attempts(form):
>     session.login_attempts = (session.login_attempts or 0) + 1
>     if session.login_attempts >= 3 :
>         if cache.ram('login_attempts', lambda: session.login_attempts, time_expire = 5):
>             redirect(URL('default', 'test') )
>         else:
>             session.login_attempts = 0
>             #session.forget(response)
>
> auth.settings.login_onfail.append(login_attempts)
>
> thanks and best regards,
> stifan
>
> On Wednesday, April 22, 2015 at 8:51:57 PM UTC+7, Anthony wrote:
>>
>> You shouldn't be calling the callback function when setting the callback 
>> -- just put the function itself in the list -- web2py will call it at the 
>> appropriate point. Also, like the other Auth callback settings, 
>> login_onfail is a list, so you should append to it.
>>
>> Instead of:
>>
>> auth.settings.login_onfail = login_attempts()
>>
>> it should be:
>>
>> auth.settings.login_onfail.append(login_attempts)
>>
>> Anthony
>>
>> On Wednesday, April 22, 2015 at 9:33:32 AM UTC-4, 黄祥 wrote:
>>>
>>> It seems that refreshing the login page is counted as login_onfail and 
>>> login_onvalidation in the web2py default user login form.
>>> e.g.
>>> *models/db.py*
>>> def login_attempts():
>>>     session.login_attempts = (session.login_attempts or 0) + 1
>>>     if session.login_attempts >= 3 :
>>>         #cache.ram('login_attempts', lambda: session.login_attempts, time_expire = 5)
>>>         response.flash = session.login_attempts
>>>
>>> #auth.settings.login_onfail = login_attempts()
>>> auth.settings.login_onvalidation = [login_attempts()]
>>>
>>> *views/default/user.html add response toolbar*
>>> {{=response.toolbar()}}
>>>
>>> 1. When I hit refresh on https://127.0.0.1/test/default/user/login, the 
>>> session is incremented by 1.
>>> 2. When I try to input the wrong login, the session is incremented by 2 
>>> (1 added by the failure, and 1 added by refreshing the login form, I guess).
>>>
>>> Trying to use login_onfail and login_onvalidation got the same result.
>>> Is this normal behaviour, or do I have the wrong steps?
>>>
>>> thanks and best regards,
>>> stifan
>>>
>>
