Limiting Incorrect Logins

by David Price -
Number of replies: 7
Is there a way to limit incorrect logins in Moodle, say 5 attempts and you're blocked for 30 mins.. etc
In reply to David Price

This forum post has been removed

The content of this forum post has been deleted and can no longer be accessed.
In reply to Deleted user

Re: Limiting Incorrect Logins

by John Sanga -
I agree. We are interested in the same. Have you received any suggestions?
In reply to John Sanga

This forum post has been removed

The content of this forum post has been deleted and can no longer be accessed.
In reply to David Price

Re: Limiting Incorrect Logins

by Iñaki Arenaza -

As far as I know, there's no way to do that without modifying the login code (and I'm not aware of anyone doing something like that so far).

Regards, Iñaki.

In reply to David Price

Re: Limiting Incorrect Logins

by ETH Zürich -
You can limit it, but not under time, because the value is added to the session, so you can limit the login over time if you modify the session time :) but it affects overall site browsing, because the session would be destroyed faster, like online banking.

To limit the number, in lib/moodlelib.php function:

    function update_login_count() {
        global $SESSION;

        $max_logins = 10; // change it to whatever you like

        // The counter lives in the visitor's session, not in the database.
        if (empty($SESSION->logincount)) {
            $SESSION->logincount = 1;
        } else {
            $SESSION->logincount++;
        }

        // Past the limit: drop the stored return URL and stop with an error.
        if ($SESSION->logincount > $max_logins) {
            unset($SESSION->wantsurl);
            print_error('errortoomanylogins');
        }
    }

In reply to ETH Zürich

Re: Limiting Incorrect Logins

by Hubert Chathi -
Storing this information in the session is unreliable -- it is easily circumvented by deleting (or simply not using) the session cookie. For example, it would not work against many scripted brute-force attempts.

To do this reliably, the login count should be stored in the database, associated with either the user that they are trying to log in as, or the IP address that they are coming from. (Of course, associating it with the user may convert an attempted-login attack into a DoS attack. And using the IP address doesn't protect against distributed attempts.)
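
The database-backed counting described in the post above, as an added example that is not part of the original thread and is not Moodle code. It assumes a hypothetical `failed_login` table, hypothetical function names, an in-memory SQLite database standing in for the site database, and the 5 attempts / 30 minutes from the opening question, applied as a sliding window.

```php
<?php
// Added example, not Moodle code: table, function names and limits are assumptions.
const MAX_FAILURES = 5;           // failures tolerated inside the window
const WINDOW_SECONDS = 30 * 60;   // sliding 30-minute window

function limiter_db(): PDO {
    $db = new PDO('sqlite::memory:');   // in-memory stand-in for the site database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE failed_login (username TEXT, ip TEXT, ts INTEGER)');
    return $db;
}

// Store the failure server-side, so discarding the session cookie does not reset it.
function record_failure(PDO $db, string $username, string $ip, int $now): void {
    $db->prepare('INSERT INTO failed_login (username, ip, ts) VALUES (?, ?, ?)')
       ->execute([strtolower($username), $ip, $now]);
}

// Returns 'username', 'ip' or null: which counter, if any, has reached the limit.
function lock_reason(PDO $db, string $username, string $ip, int $now): ?string {
    // Column names come from this fixed array, never from request data.
    foreach (['username' => strtolower($username), 'ip' => $ip] as $column => $value) {
        $q = $db->prepare("SELECT COUNT(*) FROM failed_login WHERE $column = ? AND ts > ?");
        $q->execute([$value, $now - WINDOW_SECONDS]);
        if ((int) $q->fetchColumn() >= MAX_FAILURES) {
            return $column;
        }
    }
    return null;
}

// Constructed sample data: five bad passwords for "alice" from one documentation-range IP.
$db = limiter_db();
$t0 = 1700000000;
for ($i = 0; $i < MAX_FAILURES; $i++) {
    record_failure($db, 'alice', '203.0.113.7', $t0 + $i);
}
$checks = [
    'alice, same IP'          => lock_reason($db, 'alice', '203.0.113.7', $t0 + 10),
    'alice, different IP'     => lock_reason($db, 'alice', '198.51.100.9', $t0 + 10),
    'bob, same IP'            => lock_reason($db, 'bob', '203.0.113.7', $t0 + 10),
    'bob, different IP'       => lock_reason($db, 'bob', '198.51.100.9', $t0 + 10),
    'alice, after the window' => lock_reason($db, 'alice', '203.0.113.7', $t0 + 5 + WINDOW_SECONDS),
];
foreach ($checks as $label => $reason) {
    echo str_pad($label, 26), $reason ?? 'allowed', PHP_EOL;
}
```

The "alice, different IP" row shows the trade-off named in the post above: the per-user counter also locks out the real account owner connecting from elsewhere.
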
In reply to Hubert Chathi

Re: Limiting Incorrect Logins

by Tim Hunt -
Moodle does log failed logins in the database. Surely that is how the feature that lets you notify admins if there are too many failed login attempts works.

Anyway, look at the existing code, before you start re-inventing everything from scratch. There should already be some stuff to build on.