FSN#39980 Inlog brute force protection (hardcoded settings)

svn path=/Website/branches/v2016.3/; revision=33264
2017-03-27 09:48:22 +00:00
parent e9cfac0201
commit 8d469ab32e
2 changed files with 77 additions and 1 deletions
--- a/APPL/FAC/fac_verify.inc
+++ b/APPL/FAC/fac_verify.inc
@@ -1492,7 +1492,7 @@ function DumpCollection(pCollection, title)
        var line = "<tr><td>" + pCollection.key(i); // + " type: " + typeof pCollection(i) + " cons: " + pCollection(i).constructor
        if (typeof pCollection(i) != "object" || pCollection(i) === null || !pCollection.HasKeys)
        {
-            line += "</td><td>" + Server.HTMLEncode(String(pCollection(i)))
+            line += "</td><td>" + Server.HTMLEncode(String(pCollection(i))).replace(/\n/g, "<br>");
        }
        else
        {
--- a/APPL/Shared/Login.inc
+++ b/APPL/Shared/Login.inc
@@ -556,6 +556,64 @@ function tryLogin(username, wachtwoord, params)
    if (username.indexOf("\\") > -1)
        username = username.split("\\")[1]; // strip domain name

+    // Brute force protection
+    S_login_attempts = 5;            // daarboven lockout
+    S_login_lockout_delay = 0.2;     // zoveel seconde * 2^attempts
+    S_login_lockout_delayfactor = 2; // De basis van de delay-groei
+    S_login_lockout_expire = 15;     // zoveel minuten
+
+    var lockout_name = customerId + "_LOGINATTEMPTS";
+    var dtExpire = new Date();
+    dtExpire.setMinutes(dtExpire.getMinutes() - S_login_lockout_expire);
+
+    Application.Lock();
+    {
+        var lockout = myJSON.parse(Application(lockout_name) || "[]");
+        var found = 0;
+        for (var i = 0; i < lockout.length; i++)
+        {
+            var lockdata = lockout[i];
+            if (lockdata.lastdate < dtExpire) // Als laatste fout poging 15 minuten geleden is vergeten we alles
+            {
+                lockout.splice(i, 1); // verwijderen
+                i--;
+                continue;
+            }
+            if (lockdata.username == username.toLowerCase())
+            {
+                found = true;
+                lockdata.count ++;
+                lockdata.lastdate = new Date();
+            }
+        }
+        if (!found)
+        {
+            lockdata = { username: username.toLowerCase(),
+                         count: 1,
+                         firstdate: new Date(),
+                         lastdate: new Date()
+                       }
+            lockout.push(lockdata);
+        }
+        Application(lockout_name) = JSON.stringify(lockout).replace(/\{/g, "\n{");
+    }
+    Application.UnLock();
+
+    if (lockdata.count > S_login_attempts)
+    {
+        var dtRetry = new Date();
+        dtRetry.setMinutes(dtRetry.getMinutes() + S_login_lockout_expire);
+        login_fail_reason = "To many failed login attempts for {0}.\nPlease wait until {1} before trying again.".format(username, toISODateTimeString(dtRetry));
+        return false;
+    }
+    if (lockdata.count > 1)
+    {
+        var oSLNKDWF = new ActiveXObject("SLNKDWF.About");
+        // maximaal 80 seconde slapen, anders ASP-timeout
+        var sleepsec = Math.min(80, S_login_lockout_delay * Math.pow(S_login_lockout_delayfactor, lockdata.count - 1));
+        oSLNKDWF.Sleep(1000 * sleepsec);
+    }
+
    var logins = [];
    if (S("login_use_email"))
    {
@@ -618,6 +676,24 @@ function tryLogin(username, wachtwoord, params)
        /* global */ otp_user_key = oRs("prs_perslid_key").Value;

    oRs.Close();
+
+    if (user_key > 0)
+    {   // Success! Wis eventuele lockout
+        Application.Lock();
+        var lockout = myJSON.parse(Application(lockout_name) || "[]");
+        for (var i = 0; i < lockout.length; i++)
+        {
+            var lockdata = lockout[i];
+            if (lockdata.username == username.toLowerCase())
+            {
+                lockout.splice(i, 1); // verwijderen
+                i--;
+            }
+        }
+        Application(lockout_name) = JSON.stringify(lockout);
+        Application.UnLock();
+    }
+
    return true;
 }