function UserAuthenticationController::getLoginFloodIdentifier

Same name in other branches
  1. 9 core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::getLoginFloodIdentifier()
  2. 10 core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::getLoginFloodIdentifier()
  3. 11.x core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::getLoginFloodIdentifier()

Gets the login identifier for user login flood control.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The current request.

string $username: The username supplied in login credentials.

Return value

string The login identifier, or an empty string if the user does not exist.

2 calls to UserAuthenticationController::getLoginFloodIdentifier()
UserAuthenticationController::floodControl in core/modules/user/src/Controller/UserAuthenticationController.php
Enforces flood control for the current login request.
UserAuthenticationController::login in core/modules/user/src/Controller/UserAuthenticationController.php
Logs in a user.

File

core/modules/user/src/Controller/UserAuthenticationController.php, line 387

Class

UserAuthenticationController
Provides controllers for login, login status and logout via HTTP requests.

Namespace

Drupal\user\Controller

Code

protected function getLoginFloodIdentifier(Request $request, $username) {
    $flood_config = $this->config('user.flood');
    $accounts = $this->userStorage
        ->loadByProperties([
        'name' => $username,
        'status' => 1,
    ]);
    if ($account = reset($accounts)) {
        if ($flood_config->get('uid_only')) {
            // Register flood events based on the uid only, so they apply for any
            // IP address. This is the most secure option.
            $identifier = $account->id();
        }
        else {
            // The default identifier is a combination of uid and IP address. This
            // is less secure but more resistant to denial-of-service attacks that
            // could lock out all users with public user names.
            $identifier = $account->id() . '-' . $request->getClientIp();
        }
        return $identifier;
    }
    return '';
}
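
The trade-off described in the code comments above, as an added example that is not part of Drupal core: a standalone PHP sketch in which an in-memory counter stands in for the flood service. The threshold of 5, the function names floodIdentifier() and replayFailures(), and the attempt list are assumptions constructed for illustration.

```php
<?php
// Added illustration, not Drupal code. floodIdentifier() mirrors the two
// branches of getLoginFloodIdentifier(); everything else is hypothetical.

function floodIdentifier(int $uid, string $ip, bool $uidOnly): string {
  return $uidOnly ? (string) $uid : $uid . '-' . $ip;
}

/**
 * Replays failed logins and counts how many this sketch would refuse.
 *
 * @param array $attempts  Constructed list of [uid, ip] failed logins.
 * @param bool $uidOnly    Stand-in for the user.flood 'uid_only' setting.
 * @param int $threshold   Assumed failure limit per identifier.
 *
 * @return array ['checked' => int, 'blocked' => int]
 */
function replayFailures(array $attempts, bool $uidOnly, int $threshold): array {
  $counts = [];
  $result = ['checked' => 0, 'blocked' => 0];
  foreach ($attempts as [$uid, $ip]) {
    $id = floodIdentifier($uid, $ip, $uidOnly);
    $seen = $counts[$id] ?? 0;
    if ($seen >= $threshold) {
      // Over the limit for this identifier: the sketch refuses the attempt
      // without evaluating the password and without counting it again.
      $result['blocked']++;
      continue;
    }
    // Under the limit: the password is evaluated and the failure recorded.
    $result['checked']++;
    $counts[$id] = $seen + 1;
  }
  return $result;
}

// Constructed input: 20 failed logins against uid 42, spread over 10
// documentation-range addresses (2 attempts per address).
$attempts = [];
for ($i = 0; $i < 20; $i++) {
  $attempts[] = [42, '203.0.113.' . ($i % 10 + 1)];
}

foreach ([true, false] as $uidOnly) {
  $r = replayFailures($attempts, $uidOnly, 5);
  printf("uid_only=%s: %d password checks, %d blocked\n",
    $uidOnly ? 'true' : 'false', $r['checked'], $r['blocked']);
}
```

With the uid-only identifier every address shares one counter, so the failures are cut off at the threshold and the account is refused for all clients, which is the lockout risk the second comment names. With the uid-and-IP identifier no single address reaches the limit, so every attempt in the constructed list is evaluated.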
