[web2py] Re: Failed login attempt lockout

Wed, 22 Apr 2015 19:32:47 -0700 

Why are you bothering with the cache given that you're already tracking 
login attempts in the auth_user table?

On Wednesday, April 22, 2015 at 9:52:34 PM UTC-4, 黄祥 wrote:
>
> pardon me, still not understood what do you mean with the cache. on my 
> example above yet, i still not sure which one to use, yet your hints, quite 
> clear about database. thank you anthony.
> *e.g. work fine*
> *models/db.py*
> auth = Auth(db)
>
> auth.settings.extra_fields['auth_user']= [
>   Field('Attempts', 'integer') ]
>
> auth.define_tables(username=True, signature=False)
>
> def login_attempts(form):
> username = request.vars.username
> row = db((db.auth_user.username == username ) ).select().first()
> if row is not None:
> db(db.auth_user.id == row.id).update(Attempts = row.Attempts + 1)
> db.auth_event.insert(time_stamp = request.now, 
>  client_ip = request.client, 
>  user_id = row.id, 
>  origin = '%s/%s' % (request.controller, 
>  request.function), 
>  description = '%s login failed' % (row.username) )
> if row.Attempts >= 3:
> redirect(URL('default', 'test') )
> else:
> redirect(URL('default', 'user/login') )
>
> auth.settings.login_onfail.append(login_attempts)
>
> but when tried to combine with cache and banned ip it's not work (no 
> errors occured but the result is not expected)
> *e.g. same code like above just a modification on if conditional*
> if row.Attempts >= 3:
> #BAN_IP_TIME = 60 * 60 * 24 # 1 day
> BAN_IP_TIME = 10
> ban_key = request.client + 'ban'
> if cache.ram(ban_key, lambda: False, BAN_IP_TIME):
> raise HTTP(429, 'IP blocked')                                             
>                                               
>
> # maximum number of fast requests allowed before banned
> MAX_REQUESTS = 3 
> request_key = request.client + 'requests'
> cache.ram(request_key, lambda: 0, 1)
> if cache.ram.increment(request_key) > MAX_REQUESTS:
> cache.ram(ban_key, lambda: True, BAN_IP_TIME)
> redirect(URL('default', 'test') )
>
> ref:
>
> https://groups.google.com/forum/#!searchin/web2py/Hi$2C$20Is$20there$20a$20way$20to$20block$20ip$20address$20if$20there$20are$20more$20no$20of$20requests$20from$20the$20same$20ip$20address%7Csort:relevance/web2py/5OIz8Quu6KY/1JyItKwpsE8J
>
> any idea how to achieve it using web2py?
>
> thanks and best regards,
> stifan
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to