Merge pull request #563 from gaepdit/login-throttling

Add login throttling
gaepdit · Dec 14, 2022 · 58368fc · 58368fc
2 parents e52e117 + 3333178
commit 58368fc
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/GECO/Login.aspx b/GECO/Login.aspx
@@ -107,4 +107,4 @@
             </asp:UpdatePanel>
         </div>
     </div>
-</asp:Content>
+</asp:Content>
diff --git a/GECO/Login.aspx.vb b/GECO/Login.aspx.vb
@@ -41,15 +41,22 @@ Partial Class Login
         Dim gecoUser As New GecoUser
         Dim userSession As New UserSession
 
-        Dim loginResult As LoginResult = LogInUser(txtUserId.Text, txtPassword.Text, chkRememberMe.Checked, gecoUser, userSession)
+        Dim ipAddress As String = GetIPv4Address()
+
+        Dim loginResult As LoginResult = LogInUser(txtUserId.Text, txtPassword.Text, chkRememberMe.Checked, ipAddress, gecoUser, userSession)
 
         Select Case loginResult
             Case LoginResult.Invalid
+                lblMessage.Text = "Either the email is not registered or the password is incorrect. Please try again."
                 lblMessage.Visible = True
 
             Case LoginResult.AccountUnconfirmed
                 lblUnconfirmed.Visible = True
 
+            Case LoginResult.LoginThrottled
+                lblMessage.Text = "Too many login attempts made. Please wait a few seconds and try again."
+                lblMessage.Visible = True
+
             Case LoginResult.Success
                 If gecoUser.UserId = 0 Then
                     Response.Redirect("~/ErrorPage.aspx", False)
@@ -81,6 +88,10 @@ Partial Class Login
 
     End Sub
 
+    Private Shared Function GetIPv4Address() As String
+        Return Net.Dns.GetHostEntry(Net.Dns.GetHostName()).AddressList.GetValue(1).ToString()
+    End Function
+
     Private Sub GetUserFromSession()
 
         Dim series As String = GetCookie(UserSessionCookie.Series)

diff --git a/GECO/_DAL/Users/UserAccounts.vb b/GECO/_DAL/Users/UserAccounts.vb
@@ -4,11 +4,12 @@ Imports GECO.GecoModels
 
 Public Module UserAccounts
 
-    Public Function LogInUser(email As String, password As String, remember As Boolean, ByRef user As GecoUser, ByRef userSession As UserSession) As LoginResult
+    Public Function LogInUser(email As String, password As String, remember As Boolean, ipAddress As String, ByRef user As GecoUser, ByRef userSession As UserSession) As LoginResult
         Dim params As SqlParameter() = {
             New SqlParameter("@Email", email.Trim()),
             New SqlParameter("@Password", GetMd5Hash(password)),
-            New SqlParameter("@CreateSession", remember)
+            New SqlParameter("@CreateSession", remember),
+            New SqlParameter("@IPAddress", ipAddress)
         }
         Dim result As Integer
         Dim ds As DataSet = DB.SPGetDataSet("geco.LogInUser", params, result)
@@ -32,6 +33,8 @@ Public Module UserAccounts
                 Return LoginResult.Invalid
             Case 2
                 Return LoginResult.AccountUnconfirmed
+            Case 3
+                Return LoginResult.LoginThrottled
             Case Else
                 Return LoginResult.DbError
         End Select
@@ -41,6 +44,7 @@ Public Module UserAccounts
         Success
         Invalid
         AccountUnconfirmed
+        LoginThrottled
         DbError
     End Enum