
I want to use the Bruteforce feature of authlogic, but haven't a clue how to go about configuring it. My user_session.rb model looks like this:

class UserSession < Authlogic::Session::Base
  # edited code to ensure specific login error isn't displayed
  generalize_credentials_error_messages "Login/password invalid"

  # brute force protection
  consecutive_failed_logins_limit 3

  # original code commented out
  # def to_key
  #   new_record? ? nil : [ self.send(self.class.primary_key) ]
  # end
  # def persisted?
  #   false
  # end
end

I know I need more configuration than this, but what? Any help appreciated.

klump
RoRNovice

1 Answer


You need to add consecutive_failed_logins_limit and, optionally, failed_login_ban_for. I've shown an example below using Authlogic's default settings. You don't need to define and use constants for these values, but I like doing that so the values can be referred to programmatically from anywhere.

class UserSession < Authlogic::Session::Base
  MAXIMUM_NUMBER_OF_FAILED_LOGIN_ATTEMPTS_ALLOWED = 50
  consecutive_failed_logins_limit MAXIMUM_NUMBER_OF_FAILED_LOGIN_ATTEMPTS_ALLOWED

  LOCKOUT_TIMEOUT_PERIOD = 2.hours
  failed_login_ban_for LOCKOUT_TIMEOUT_PERIOD

...
end
Al Chou
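As an added example (not part of the question or the answer, and not Authlogic's own code), a small Ruby model of the lockout behaviour that consecutive_failed_logins_limit and failed_login_ban_for produce together; it assumes a per-user failed_login_count and updated_at, which is the record state Authlogic's brute-force protection reads, and uses plain seconds instead of ActiveSupport's 2.hours so it runs outside Rails:

```ruby
# Simplified model of the lockout the answer configures with
# consecutive_failed_logins_limit and failed_login_ban_for. Added
# illustration, not Authlogic's code: it tracks a failed_login_count and an
# updated_at timestamp per user record, which is the state Authlogic's
# brute-force protection relies on (assumed columns, not shown on the page).
class LockoutPolicy
  attr_reader :limit, :ban_for

  # limit: consecutive failures tolerated; ban_for: seconds locked out
  # (nil means the lock never expires on its own).
  def initialize(limit: 50, ban_for: 2 * 60 * 60)
    @limit = limit
    @ban_for = ban_for
  end

  # Locked once the counter reaches the limit, unless the ban period has
  # already elapsed since the last recorded attempt.
  def locked?(user, now: Time.now)
    return false if user[:failed_login_count] < limit
    return true if ban_for.nil?
    (now - user[:updated_at]) < ban_for
  end

  # Processes one login attempt, mutating the user hash.
  # Returns :locked, :failure or :success.
  def attempt(user, password_ok, now: Time.now)
    return :locked if locked?(user, now: now)
    # Expired ban: the stale counter is discarded before judging this attempt.
    user[:failed_login_count] = 0 if user[:failed_login_count] >= limit
    user[:failed_login_count] = password_ok ? 0 : user[:failed_login_count] + 1
    user[:updated_at] = now
    password_ok ? :success : :failure
  end
end

# Constructed scenario using the question's limit of 3 and the answer's
# 2-hour ban: three wrong passwords lock the account, the right password is
# refused while locked, and it is accepted again once the ban has elapsed.
def lockout_demo
  policy = LockoutPolicy.new(limit: 3, ban_for: 2 * 60 * 60)
  user = { failed_login_count: 0, updated_at: Time.utc(2024, 1, 1, 0, 0, 0) }
  t0 = Time.utc(2024, 1, 1, 12, 0, 0)
  results = (0..2).map { |i| policy.attempt(user, false, now: t0 + i) }
  results << policy.attempt(user, true, now: t0 + 60)            # still locked
  results << policy.attempt(user, true, now: t0 + 3 * 60 * 60)   # ban expired
  results
end
```

Note that with a nil ban period the counter never resets on its own, which is the state an account reaches if the limit is set without failed_login_ban_for; the answer's 2-hour value is what turns a permanent lock into a temporary one.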