FSN#39980 Inlog brute force protection (hardcoded settings)

svn path=/Website/branches/v2016.3/; revision=33264
This commit is contained in:
Jos Groot Lipman
2017-03-27 09:48:22 +00:00
parent e9cfac0201
commit 8d469ab32e
2 changed files with 77 additions and 1 deletions


@@ -1492,7 +1492,7 @@ function DumpCollection(pCollection, title)
var line = "<tr><td>" + pCollection.key(i); // + " type: " + typeof pCollection(i) + " cons: " + pCollection(i).constructor var line = "<tr><td>" + pCollection.key(i); // + " type: " + typeof pCollection(i) + " cons: " + pCollection(i).constructor
if (typeof pCollection(i) != "object" || pCollection(i) === null || !pCollection.HasKeys) if (typeof pCollection(i) != "object" || pCollection(i) === null || !pCollection.HasKeys)
{ {
line += "</td><td>" + Server.HTMLEncode(String(pCollection(i))) line += "</td><td>" + Server.HTMLEncode(String(pCollection(i))).replace(/\n/g, "<br>");
} }
else else
{ {


@@ -556,6 +556,64 @@ function tryLogin(username, wachtwoord, params)
if (username.indexOf("\\") > -1) if (username.indexOf("\\") > -1)
username = username.split("\\")[1]; // strip domain name username = username.split("\\")[1]; // strip domain name
// Brute force protection
S_login_attempts = 5; // daarboven lockout
S_login_lockout_delay = 0.2; // zoveel seconde * 2^attempts
S_login_lockout_delayfactor = 2; // De basis van de delay-groei
S_login_lockout_expire = 15; // zoveel minuten
var lockout_name = customerId + "_LOGINATTEMPTS";
var dtExpire = new Date();
dtExpire.setMinutes(dtExpire.getMinutes() - S_login_lockout_expire);
Application.Lock();
{
var lockout = myJSON.parse(Application(lockout_name) || "[]");
var found = 0;
for (var i = 0; i < lockout.length; i++)
{
var lockdata = lockout[i];
if (lockdata.lastdate < dtExpire) // Als laatste fout poging 15 minuten geleden is vergeten we alles
{
lockout.splice(i, 1); // verwijderen
i--;
continue;
}
if (lockdata.username == username.toLowerCase())
{
found = true;
lockdata.count ++;
lockdata.lastdate = new Date();
}
}
if (!found)
{
lockdata = { username: username.toLowerCase(),
count: 1,
firstdate: new Date(),
lastdate: new Date()
}
lockout.push(lockdata);
}
Application(lockout_name) = JSON.stringify(lockout).replace(/\{/g, "\n{");
}
Application.UnLock();
if (lockdata.count > S_login_attempts)
{
var dtRetry = new Date();
dtRetry.setMinutes(dtRetry.getMinutes() + S_login_lockout_expire);
login_fail_reason = "To many failed login attempts for {0}.\nPlease wait until {1} before trying again.".format(username, toISODateTimeString(dtRetry));
return false;
}
if (lockdata.count > 1)
{
var oSLNKDWF = new ActiveXObject("SLNKDWF.About");
// maximaal 80 seconde slapen, anders ASP-timeout
var sleepsec = Math.min(80, S_login_lockout_delay * Math.pow(S_login_lockout_delayfactor, lockdata.count - 1));
oSLNKDWF.Sleep(1000 * sleepsec);
}
var logins = []; var logins = [];
if (S("login_use_email")) if (S("login_use_email"))
{ {
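Review bot: After the for-loop over `lockout`, `lockdata` is whatever entry the last iteration assigned at `var lockdata = lockout[i];`, not necessarily the entry matching `username`, so the `lockdata.count > S_login_attempts` check and the sleep derived from `lockdata.count - 1` can be driven by another account's counter as soon as the list holds more than one entry; keeping the matched entry in its own variable and using that after the loop fixes it, as in the rewrite below. The expiry test `lockdata.lastdate < dtExpire` also looks ineffective after the value has been through `JSON.stringify`/`myJSON.parse`: unless `myJSON.parse` revives dates, `lastdate` comes back as a string, a string-vs-Date comparison coerces to NaN and is always false, so entries never expire and a lockout persists until the application state is reset — storing `getTime()` numbers and comparing against a numeric threshold avoids this. The four `S_login_*` assignments have no `var` and so create implicit globals on every call; `var` (or reading them via `S()` like `login_use_email`) would keep them scoped. As a design note worth stating at `// Brute force protection`, the counter is keyed by username alone and incremented before the password is checked, so any client that knows an account name can keep that account locked for 15 minutes; that trade-off is inherent to per-account lockout and should be documented next to the hardcoded settings. tryLogin starts before the hunk and continues after it.
```javascript
var lockout = myJSON.parse(Application(lockout_name) || "[]");
var lockdata = null; // entry for this username, once seen
var nowMs = new Date().getTime();
var expireMs = nowMs - S_login_lockout_expire * 60 * 1000;
for (var i = lockout.length - 1; i >= 0; i--)
{
    var entry = lockout[i];
    if (entry.lastdate < expireMs) // numeric timestamps survive the JSON round trip
    {
        lockout.splice(i, 1);
        continue;
    }
    if (entry.username == username.toLowerCase())
    {
        lockdata = entry;
        lockdata.count++;
        lockdata.lastdate = nowMs;
    }
}
if (lockdata === null)
{
    lockdata = { username: username.toLowerCase(), count: 1, firstdate: nowMs, lastdate: nowMs };
    lockout.push(lockdata);
}
// … unchanged: Application(lockout_name) = JSON.stringify(...) and the checks on lockdata.count …
```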
@@ -618,6 +676,24 @@ function tryLogin(username, wachtwoord, params)
/* global */ otp_user_key = oRs("prs_perslid_key").Value; /* global */ otp_user_key = oRs("prs_perslid_key").Value;
oRs.Close(); oRs.Close();
if (user_key > 0)
{ // Success! Wis eventuele lockout
Application.Lock();
var lockout = myJSON.parse(Application(lockout_name) || "[]");
for (var i = 0; i < lockout.length; i++)
{
var lockdata = lockout[i];
if (lockdata.username == username.toLowerCase())
{
lockout.splice(i, 1); // verwijderen
i--;
}
}
Application(lockout_name) = JSON.stringify(lockout);
Application.UnLock();
}
return true; return true;
} }