Preventing Brute-Force Attacks When Authenticating A User in Laravel

Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same license, cite the original address, and attribute it to the original authors (not me). Original: http://stackoverflow.com/questions/26026338/

Date: 2020-09-14 10:09:42  Source: igfitidea

Preventing Brute-Force Attacks When Authenticating A User in Laravel

Tags: php, laravel, brute-force

Asked by Justin

Is it possible to use Laravel's Authenticating A User With Conditions to prevent brute-force attacks?

This answer for PHP suggests adding two columns to your database (TimeOfLastFailedLogin and NumberOfFailedAttempts) and then checking against those values on each login attempt.

Here is the Laravel syntax to authenticate a user with conditions:

if (Auth::attempt(array('email' => $email, 'password' => $password, 'active' => 1)))
{
    // The user is active, not suspended, and exists.
}

Is there any way to use the condition parameters to check the number of attempts against a specified period of time? E.g., fewer than 3 requests in the last 60 seconds.

Accepted answer by thephper

I know this is an old question, but as it ranks well on Google I would like to clarify that the trait ThrottlesLogins has been around since Laravel 5.1, and does prevent brute-force attacks.

It is included in Auth\LoginController by default through the trait AuthenticatesUsers.

Docs: https://laravel.com/docs/5.6/authentication#login-throttling

Example of the default behaviour (see the method "login"): https://github.com/laravel/framework/blob/5.6/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php

So if you are using the default LoginController that comes with Laravel, then the handling of login throttling will be done automatically.
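As an added example (not code from thephper's answer or from Laravel itself), here is a login action that applies the rule the question asks for, at most 3 attempts per 60 seconds, by calling Laravel's RateLimiter directly, which is what ThrottlesLogins does underneath. This makes the order of checks visible. Assumed: Laravel 5.6 (the version the answer links), a users table with an email column, a POST route to this controller's login() action, and /home as the post-login page; the class name ThrottledLoginController is hypothetical. If you keep the stock LoginController, the equivalent is just the two properties `protected $maxAttempts = 3;` and `protected $decayMinutes = 1;` on that class.

```php
<?php
// Added example, not code from the answer or from Laravel itself.
// Assumed: Laravel 5.6, a users table with an `email` column, a POST route to
// this controller's login() action, and `/home` as the post-login page.
// The class name is hypothetical.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Auth\Events\Lockout;
use Illuminate\Cache\RateLimiter;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;

class ThrottledLoginController extends Controller
{
    // The limits from the question: at most 3 attempts per 60 seconds.
    protected $maxAttempts = 3;
    protected $decayMinutes = 1;

    public function login(Request $request, RateLimiter $limiter)
    {
        $request->validate([
            'email'    => 'required|string',
            'password' => 'required|string',
        ]);

        $key = $this->throttleKey($request);

        // Check the counter first, before any credential check, so a locked-out
        // key never reaches Auth::attempt (and never costs a password hash).
        if ($limiter->tooManyAttempts($key, $this->maxAttempts)) {
            event(new Lockout($request));

            throw ValidationException::withMessages([
                'email' => [trans('auth.throttle', [
                    'seconds' => $limiter->availableIn($key),
                ])],
            ])->status(429);
        }

        if (Auth::attempt($request->only('email', 'password'), $request->filled('remember'))) {
            // Success: rotate the session id and forget the failure count.
            $request->session()->regenerate();
            $limiter->clear($key);

            return redirect()->intended('/home');
        }

        // Failure: count it against the key whether or not the e-mail exists, so
        // the response does not reveal which addresses are registered. On 5.6
        // hit() takes minutes; from Laravel 5.8 its second argument is seconds.
        $limiter->hit($key, $this->decayMinutes);

        throw ValidationException::withMessages([
            'email' => [trans('auth.failed')],
        ]);
    }

    // The same key ThrottlesLogins uses: the lower-cased e-mail joined with the
    // client IP, so an attacker working one account from one address is
    // throttled without locking the real owner out from everywhere else.
    protected function throttleKey(Request $request)
    {
        return Str::lower($request->input('email')) . '|' . $request->ip();
    }
}
```

Two practical caveats. The counter lives in the configured cache store, so with the array cache driver nothing persists between requests and no throttling happens; use file, database or redis. And because the key includes the client IP, an attacker spreading attempts across many addresses stays under the per-key limit, so this is a brake on single-source guessing, not a substitute for strong passwords or a second factor.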

Answer by Antonio Carlos Ribeiro

You can create something as simple as the class below to help you prevent that:

<?php

use App\User;
use Carbon\Carbon;
use Illuminate\Support\Facades\Auth;

class Login {

    public function attempt($credentials)
    {
        // where() takes (column, value); the array-pair form is not valid here.
        if ( ! $user = User::where('email', $credentials['email'])->first())
        {
            throw new \Exception('user not found');
        }

        $user->login_attempts++;

        // From the third attempt on, refuse for 60 seconds after the last failure.
        // last_login_attempt must be cast to a date on the User model ($dates)
        // for diffInSeconds() to accept it.
        if ($user->login_attempts > 2)
        {
            if (Carbon::now()->diffInSeconds($user->last_login_attempt) < 60)
            {
                throw new \Exception('too many attempts, wait a while');
            }

            // The 60-second window has passed; start counting again.
            $user->login_attempts = 0;
        }

        if ( ! Auth::attempt($credentials))
        {
            $user->last_login_attempt = Carbon::now();

            $user->save();

            throw new \Exception('wrong password');
        }

        // Successful login: reset the counter.
        $user->login_attempts = 0;

        $user->save();

        return true;
    }

}

Or you can go with a package, like Sentry, which controls throttling for you. Sentry is open source.