
Rate limit for Password reset

Open samuraiohelson opened this issue 2 years ago • 7 comments

How can I develop a rate limit for a password reset function?

samuraiohelson avatar May 20 '22 10:05 samuraiohelson

What is missing in current implementation? What do you want to add?

coudot avatar May 20 '22 10:05 coudot

You told me at #653 that it only works for SMS/Email reset.

I would like to have it work for the password reset function. I mean, in the password change function, if someone fails the old password more than X times, the system must block this user or IP for a certain period.

samuraiohelson avatar May 20 '22 10:05 samuraiohelson

Ok, so it is for password change feature, not password reset.

Most of the time, the LDAP directory will block the account. But we can indeed maybe use rate limit here too. Just call the rate limit method when the old password is verified.

coudot avatar May 20 '22 11:05 coudot

Can you help me with the code?

samuraiohelson avatar May 20 '22 13:05 samuraiohelson

Not for the moment, we do this in our spare time.

If this need is for an organization, you can ask for professional services: https://ltb-project.org/professionalservices.html

coudot avatar May 20 '22 13:05 coudot

I solved the problem... just add these lines in the file change.php, before the "# Check password strength" code:

```php
# ... tail of the old-password verification block in change.php ...
    if ( $result === "" )  {

        # Rebind as Manager if needed
        if ( $who_change_password == "manager" ) {
            $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
        }

    }
}

##############Start Set rate Limit#########################
# Runs after the old password has been checked, whether or not it was correct,
# and throttles on the combination of $login and the client IP.
if ( $use_ratelimit ) {
    if ( ! allowed_rate($login,$_SERVER[$client_ip_header],$rrl_config) ) {
        $result = "throttle";
        error_log("Credentials - $login locked, too many attempts");
    }
}
##############End Set rate Limit#########################

#==============================================================================
# Check password strength
#==============================================================================
if ( $result === "" ) {
    $result = check_password_strength( $newpassword, $oldpassword, $pwd_policy_config, $login, $entry );
}
```

samuraiohelson avatar Jun 29 '22 13:06 samuraiohelson
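The snippet above calls the rate limiter on every pass through the old-password check, so a correct old password also consumes quota. The following is an added example, not code from Self Service Password or from the thread's participants, showing the alternative coudot's remark points at: count only failed old-password checks per login and per source IP, block for a fixed period once the limit is reached, and reset on success. The class name `PasswordChangeThrottle`, its parameters (`max_failures`, `window`, `block_for`), the stand-in `$verify_old_password` closure and the sample login/IP are all assumptions made for this illustration, not SSP configuration keys or functions.

```php
<?php
// Added example (not LTB Self Service Password code): a per-login and per-IP
// throttle for the password-change form. All names are illustrative assumptions.

class PasswordChangeThrottle
{
    private array $failures = [];   // key => list of failure timestamps
    private array $blocked  = [];   // key => unix time the block expires

    public function __construct(
        private int $max_failures = 5,   // failures allowed inside the window
        private int $window = 300,       // seconds over which failures are counted
        private int $block_for = 900     // seconds a login/IP stays blocked
    ) {}

    // True when this login and this IP may attempt a password change right now.
    public function is_allowed(string $login, string $ip, ?int $now = null): bool
    {
        $now ??= time();
        foreach (["login:$login", "ip:$ip"] as $key) {
            if (isset($this->blocked[$key])) {
                if ($this->blocked[$key] > $now) {
                    return false;                                   // still blocked
                }
                unset($this->blocked[$key], $this->failures[$key]); // block expired
            }
        }
        return true;
    }

    // Called only when the old password was rejected: record the failure and
    // block both the login and the source IP once the limit is reached.
    public function register_failure(string $login, string $ip, ?int $now = null): void
    {
        $now ??= time();
        foreach (["login:$login", "ip:$ip"] as $key) {
            $this->failures[$key][] = $now;
            // keep only the failures that fall inside the sliding window
            $this->failures[$key] = array_values(array_filter(
                $this->failures[$key],
                fn($t) => $t > $now - $this->window
            ));
            if (count($this->failures[$key]) >= $this->max_failures) {
                $this->blocked[$key] = $now + $this->block_for;
                error_log("Credentials - $key locked, too many failed attempts");
            }
        }
    }

    // A correct old password clears the counters so a legitimate change never
    // uses up the quota.
    public function register_success(string $login, string $ip): void
    {
        unset($this->failures["login:$login"], $this->failures["ip:$ip"]);
    }
}

// Constructed walk-through of how change.php could wrap its old-password check.
// $verify_old_password stands in for the LDAP bind against the user's DN.
$throttle = new PasswordChangeThrottle(max_failures: 3, window: 300, block_for: 900);
$verify_old_password = fn(string $login, string $pw): bool => $pw === 'correct horse';

$login = 'jdoe';          // constructed sample login
$ip = '198.51.100.7';     // constructed sample address (documentation range)
$t0 = 1_700_000_000;      // fixed clock so the run is reproducible

foreach (['wrong1', 'wrong2', 'wrong3', 'correct horse'] as $i => $attempt) {
    $now = $t0 + $i;
    if (!$throttle->is_allowed($login, $ip, $now)) {
        $result = 'throttle';
    } elseif ($verify_old_password($login, $attempt)) {
        $throttle->register_success($login, $ip);
        $result = '';          // would continue to check_password_strength()
    } else {
        $throttle->register_failure($login, $ip, $now);
        $result = 'badcredentials';
    }
    printf("attempt %d (%s): %s\n", $i + 1, $attempt, $result === '' ? 'ok' : $result);
}
// Attempts 1-3 report badcredentials; the third failure blocks jdoe and the IP,
// so attempt 4 reports throttle even though the password is right, until the
// 900 s block expires.
```

Blocking on both keys means a single IP cycling through many logins is stopped as well as many IPs hammering one login; in a multi-process PHP deployment the in-memory arrays would have to be replaced by shared storage, which is what SSP's own `$rrl_config` cache settings are for.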

working on it.

artlog avatar Jul 19 '22 05:07 artlog