
Laravel notes - add the function of locking accounts after 5 login failures in user-defined login (improve system security)

2022-07-06 20:42:00 IT1995

The login used here is a custom login and registration feature I borrowed from a foreign tutorial; it uses Laravel 8. If you put it online as-is it is not very safe: once someone starts brute-forcing it, the endless retries are a nuisance. There are too many script kiddies now, the bar is low, and an ordinary person can learn to make trouble for others in a few days. Here I write down my approach; I don't know whether this is the same as the PHP mainstream. In any case, I use this idea in the SpringBoot projects I write.

First, create a users_lock table.

Here user_email corresponds to the email column of the users table, but there is no foreign key relationship; the table is effectively independent. The design is not great, but I think it is enough for a small site.

The corresponding SQL:

CREATE TABLE `users_lock` (
  `user_email` varchar(255) NOT NULL,
  `login_num` int(11) DEFAULT 5,
  `last_time` timestamp NULL DEFAULT NULL ON UPDATE CURRENT_TIMESTAMP,
  `lock_time` timestamp NULL DEFAULT NULL,
  PRIMARY KEY (`user_email`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Insert a row into this table when a user registers, and that is all.
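As an added example (not code from the post or from the tutorial it builds on), here is the registration side: the users_lock row is written in the same database transaction as the users row, so the two tables cannot drift apart even though there is no foreign key between them. The controller and method names, the form field names and the 'dashboard' redirect are assumptions; the UserLock model is the one shown further down in the post.

```php
<?php
// Added example: create the users_lock row together with the users row at registration.
// Controller/method names, form fields and the 'dashboard' redirect are assumptions.

namespace App\Http\Controllers;

use App\Models\User;
use App\Models\UserLock;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;

class CustomAuthController extends Controller
{
    public function customRegistration(Request $request)
    {
        $data = $request->validate([
            'name'     => 'required',
            'email'    => 'required|email|unique:users',
            'password' => 'required|min:6|max:128',
        ]);

        // Either both rows are written or neither is: a failure on the users_lock
        // insert rolls the users insert back as well.
        $user = DB::transaction(function () use ($data) {
            $user = new User();
            $user->name = $data['name'];
            $user->email = $data['email'];
            $user->password = Hash::make($data['password']);
            $user->save();

            // Explicit property assignment, so UserLock needs no $fillable list.
            $lock = new UserLock();
            $lock->user_email = $data['email'];
            $lock->login_num = 5;   // same starting allowance as the column default
            $lock->save();

            return $user;
        });

        Auth::login($user);

        return redirect('dashboard')->withSuccess('You have signed in');
    }
}
```

Because the lock row is keyed on the e-mail, a later change of a user's e-mail address must also update users_lock, otherwise the login check will find no row and always reject that user.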

The key part is the login; my logic is as follows:

<?php

namespace App\Http\Controllers;

use App\Models\UserLock;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// The post shows only the method; the controller name is assumed.
class CustomAuthController extends Controller
{
    public function customLogin(Request $request)
    {
        $request->validate([
            'email' => 'required|email',
            'password' => 'required|min:6|max:128',
            'captcha' => 'required|captcha'
        ]);

        // Verification. The timezone must match the MySQL timestamps that date()
        // is compared against; the idiomatic place for it is 'timezone' in config/app.php.
        date_default_timezone_set('Asia/Shanghai');
        $userLock = UserLock::find($request['email']);
        if (!$userLock) {
            // Same wording as a wrong password, so the response does not reveal
            // whether this e-mail is registered.
            return redirect()->back()->withErrors('Username or password incorrect');
        }

        // Lock expired (last failure more than 5 minutes ago): restore the 5 attempts.
        if ($userLock['last_time'] < date('Y-m-d H:i:s', strtotime('-5 minute')) && $userLock['login_num'] <= 0) {
            $userLock['login_num'] = 5;
            $userLock->save();
        }

        // Lock
        if ($userLock['login_num'] <= 0) {
            return redirect()->back()->withErrors('Account locked, unlock time ' . $userLock['lock_time']);
        }

        $credentials = $request->only('email', 'password');

        if (Auth::attempt($credentials)) {
            // Successful login: restore the full allowance so that earlier failures
            // do not carry over and lock the account on the next single mistake.
            $userLock['login_num'] = 5;
            $userLock->save();

            return redirect()->intended('dashboard')
                ->withSuccess('Signed in');
        }

        // Frequency: one attempt used up; the 5th failure sets the lock time.
        // last_time is refreshed by MySQL itself (ON UPDATE CURRENT_TIMESTAMP) on this save.
        $userLock['login_num'] -= 1;
        if ($userLock['login_num'] <= 0) {
            $userLock['lock_time'] = date('Y-m-d H:i:s', strtotime('+5 minute'));
        }
        $userLock->save();

        return redirect()->back()->withErrors('Wrong user name or password');
    }
}

Logic:

① First check whether the user exists in users_lock; if so, continue, otherwise return immediately.

② Check whether the number of attempts is 0; if it is 0 and last_time has expired (it should be earlier than the current time minus 5 minutes), reset the number of attempts to 5.

(This is a makeshift approach; if you have the means, it is better to do this with a scheduled task that runs every 5 minutes, or directly with the database's own event scheduler.)

③ When login_num is 0, the account is locked.

④ Use Laravel's Auth to verify the username and password.

⑤ On failure, subtract 1 from login_num (as the code does); if login_num <= 0, lock the account until the current time + 5 minutes.
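The post asks whether this is how the PHP mainstream does it. Laravel 8 ships a cache-backed RateLimiter that covers the same 5-failures / 5-minute policy without the users_lock table, and its counter expires on its own, so no scheduled reset is needed. The following is an added example, not code from the post: the same customLogin method rewritten on top of that facade. The validation rules, the 'dashboard' redirect and the controller name follow the post's method; the throttle key format and the constants are assumptions.

```php
<?php
// Added example: login throttling with Laravel's built-in RateLimiter instead of
// the users_lock table. Controller name, key format and constants are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;

class CustomAuthController extends Controller
{
    private const MAX_ATTEMPTS  = 5;
    private const DECAY_SECONDS = 300; // 5 minutes

    public function customLogin(Request $request)
    {
        $request->validate([
            'email'    => 'required|email',
            'password' => 'required|min:6|max:128',
            'captcha'  => 'required|captcha',
        ]);

        $key = $this->throttleKey($request);

        // Locked: tell the user how long to wait, nothing about the account itself.
        if (RateLimiter::tooManyAttempts($key, self::MAX_ATTEMPTS)) {
            $seconds = RateLimiter::availableIn($key);

            return redirect()->back()->withErrors(
                'Too many login attempts. Please try again in ' . $seconds . ' seconds.'
            );
        }

        if (Auth::attempt($request->only('email', 'password'))) {
            RateLimiter::clear($key);            // success resets the counter
            $request->session()->regenerate();   // fresh session id after authentication

            return redirect()->intended('dashboard')->withSuccess('Signed in');
        }

        // Failed attempt: count it. The window starts at the first failure and the
        // key expires DECAY_SECONDS later, so the reset happens without any cron job.
        RateLimiter::hit($key, self::DECAY_SECONDS);

        return redirect()->back()->withErrors('Wrong user name or password');
    }

    // Counter keyed on e-mail and client IP together. Keying on the e-mail alone
    // (as users_lock does) lets anyone lock a victim out by typing wrong passwords;
    // keying on the IP alone lets one address try many accounts. The pair is the
    // trade-off Laravel's own login throttling makes.
    private function throttleKey(Request $request): string
    {
        return Str::lower($request->input('email')) . '|' . $request->ip();
    }
}
```

One difference from the table-based version: RateLimiter::hit starts the 5-minute window at the first failure, so five quick failures block until five minutes after the first one rather than after the fifth. The counter lives in the configured cache store, so with the file or array cache driver it is per-server; behind several app servers use Redis or another shared store, or the limit is effectively multiplied by the number of servers.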

The UserLock class looks like this:

<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class UserLock extends Model
{
    // Table name does not follow Eloquent's plural convention, so state it.
    protected $table = "users_lock";

    // The e-mail is the primary key: a non-incrementing string, not an integer id.
    protected $primaryKey = 'user_email';

    protected $keyType = 'string';

    public $incrementing = false;

    // No created_at / updated_at columns; last_time is maintained by MySQL itself.
    public $timestamps = false;
}
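Step ② above suggests moving the reset out of the login request into a task that runs every 5 minutes. As an added example (not code from the post), this is that task written with Laravel's scheduler in app/Console/Kernel.php: one UPDATE restores the 5 attempts for every account whose lock_time has passed. It uses the UserLock model shown above; the schedule name is an assumption.

```php
<?php
// Added example: scheduled reset of expired locks, as suggested under ② in the post.
// Uses the UserLock model above; the task name is an assumption.

namespace App\Console;

use App\Models\UserLock;
use Illuminate\Console\Scheduling\Schedule;
use Illuminate\Foundation\Console\Kernel as ConsoleKernel;

class Kernel extends ConsoleKernel
{
    protected function schedule(Schedule $schedule)
    {
        $schedule->call(function () {
            // Single UPDATE over all expired locks instead of a per-row save() loop.
            // Accounts that are locked (login_num <= 0) and whose lock_time has
            // already passed get their attempts back; lock_time is cleared so the
            // "unlock time" message never shows a stale value.
            UserLock::where('login_num', '<=', 0)
                ->where('lock_time', '<=', now())
                ->update([
                    'login_num' => 5,
                    'lock_time' => null,
                ]);
        })
        ->name('reset-expired-user-locks')   // required before withoutOverlapping() on a closure
        ->withoutOverlapping()
        ->everyFiveMinutes();
    }
}
```

The scheduler only runs when `php artisan schedule:run` is invoked every minute from cron on the server. With this task in place, the inline "lock expired" check in customLogin can be dropped, and a lock then lasts between 5 and 10 minutes depending on where in the schedule it was set; keep the inline check if the lock must be exactly 5 minutes.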

With that, it is ready to use.

Copyright notice: this article was written by IT1995; please include the original link when reposting, thank you.
https://yzsam.com/2022/187/202207061239030434.html