| Index: trunk/phase3/includes/api/ApiLogin.php |
| — | — | @@ -37,16 +37,16 @@ |
| 38 | 38 | class ApiLogin extends ApiBase { |
| 39 | 39 | |
| 40 | 40 | /** |
| 41 | | - * The amount of time a user must wait after submitting |
| | 41 | + * Time (in seconds) a user must wait after submitting |
| 42 | 42 | * a bad login (will be multiplied by the THROTTLE_FACTOR for each bad attempt) |
| 43 | 43 | */ |
| 44 | | - const THROTTLE_TIME = 10; |
| | 44 | + const THROTTLE_TIME = 1; |
| 45 | 45 | |
| 46 | 46 | /** |
| 47 | 47 | * The factor by which the wait-time in between authentication |
| 48 | 48 | * attempts is increased every failed attempt. |
| 49 | 49 | */ |
| 50 | | - const THROTTLE_FACTOR = 1.5; |
| | 50 | + const THROTTLE_FACTOR = 2; |
| 51 | 51 | |
| 52 | 52 | /** |
| 53 | 53 | * The maximum number of failed logins after which the wait increase stops. |
| — | — | @@ -160,10 +160,11 @@ |
| 161 | 161 | $val['count'] = 1 + $val['count']; |
| 162 | 162 | } |
| 163 | 163 | |
| 164 | | - $delay = ApiLogin::calculateDelay($val); |
| | 164 | + $delay = ApiLogin::calculateDelay($val['count']); |
| 165 | 165 | |
| 166 | 166 | $wgMemc->delete($key); |
| 167 | | - $wgMemc->add( $key, $val, $delay ); |
| | 167 | + // Cache expiration should be the maximum timeout - to prevent a "try and wait" attack |
| | 168 | + $wgMemc->add( $key, $val, ApiLogin::calculateDelay(ApiLogin::THOTTLE_MAX_COUNT) ); |
| 168 | 169 | |
| 169 | 170 | return $delay; |
| 170 | 171 | } |
| — | — | @@ -178,8 +179,8 @@ |
| 179 | 180 | |
| 180 | 181 | $val = $wgMemc->get($this->getMemCacheKey()); |
| 181 | 182 | |
| 182 | | - $elapse = (time() - $val['lastReqTime']) / 1000; // in seconds |
| 183 | | - $canRetryIn = ApiLogin::calculateDelay($val) - $elapse; |
| | 183 | + $elapse = (time() - $val['lastReqTime']); // in seconds |
| | 184 | + $canRetryIn = ApiLogin::calculateDelay($val['count']) - $elapse; |
| 184 | 185 | |
| 185 | 186 | return $canRetryIn < 0 ? 0 : $canRetryIn; |
| 186 | 187 | } |
| — | — | @@ -188,9 +189,9 @@ |
| 189 | 190 | * Based on the number of previously attempted logins, returns |
| 190 | 191 | * the delay (in seconds) when the next login attempt will be allowed. |
| 191 | 192 | */ |
| 192 | | - private static function calculateDelay($val) { |
| | 193 | + private static function calculateDelay($count) { |
| 193 | 194 | // Defensive programming |
| 194 | | - $count = $val['count']; |
| | 195 | + $count = intval($count); |
| 195 | 196 | $count = $count < 1 ? 1 : $count; |
| 196 | 197 | $count = $count > self::THOTTLE_MAX_COUNT ? self::THOTTLE_MAX_COUNT : $count; |
| 197 | 198 | |