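--- a/trunk/phase3/includes/api/ApiLogin.php
+++ b/trunk/phase3/includes/api/ApiLogin.php
@@ -37,16 +37,16 @@
 class ApiLogin extends ApiBase {
 
 /**
- * The amount of time a user must wait after submitting
+ * Time (in seconds) a user must wait after submitting
  * a bad login (will be multiplied by the THROTTLE_FACTOR for each bad attempt)
  */
-const THROTTLE_TIME = 10;
+const THROTTLE_TIME = 1;
 
 /**
  * The factor by which the wait-time in between authentication
  * attempts is increased every failed attempt.
  */
-const THROTTLE_FACTOR = 1.5;
+const THROTTLE_FACTOR = 2;
 
 /**
  * The maximum number of failed logins after which the wait increase stops.
@@ -160,10 +160,11 @@
 $val['count'] = 1 + $val['count'];
 }
 
-$delay = ApiLogin::calculateDelay($val);
+$delay = ApiLogin::calculateDelay($val['count']);
 
 $wgMemc->delete($key);
-$wgMemc->add( $key, $val, $delay );
+// Cache expiration should be the maximum timeout - to prevent a "try and wait" attack
+$wgMemc->add( $key, $val, ApiLogin::calculateDelay(ApiLogin::THOTTLE_MAX_COUNT) );
 
 return $delay;
 }
@@ -178,8 +179,8 @@
 
 $val = $wgMemc->get($this->getMemCacheKey());
 
-$elapse = (time() - $val['lastReqTime']) / 1000; // in seconds
-$canRetryIn = ApiLogin::calculateDelay($val) - $elapse;
+$elapse = (time() - $val['lastReqTime']); // in seconds
+$canRetryIn = ApiLogin::calculateDelay($val['count']) - $elapse;
 
 return $canRetryIn < 0 ? 0 : $canRetryIn;
 }
@@ -188,9 +189,9 @@
  * Based on the number of previously attempted logins, returns
  * the delay (in seconds) when the next login attempt will be allowed.
  */
-private static function calculateDelay($val) {
+private static function calculateDelay($count) {
 // Defensive programming
-$count = $val['count'];
+$count = intval($count);
 $count = $count < 1 ? 1 : $count;
 $count = $count > self::THOTTLE_MAX_COUNT ? self::THOTTLE_MAX_COUNT : $count;
 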
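Review bot: In the third hunk (new lines 183–184), `$val` comes straight from `$wgMemc->get()` and is indexed as `$val['lastReqTime']` and `$val['count']` with no cache-miss check; a miss typically yields `false` rather than an array, so both reads raise notices and the delay arithmetic runs on nulls. Presumably an absent record means no throttle is in force, so a guard such as `if ( !is_array( $val ) ) { return 0; }` directly after the `get()` would make that explicit — note the enclosing function begins before this hunk. The second hunk has the same unchecked-`$val` shape around `$val['count'] = 1 + $val['count']`, but its `if` opens outside the hunk so I cannot tell whether it is already guarded there. In the fourth hunk `calculateDelay` switched its parameter from the cached array to a bare count, yet the docblock gained no `@param int $count` line, and the `ApiLogin::` references in the second and third hunks could be `self::` to match the constant access inside `calculateDelay`.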