function user_login_final_validate

The final validation handler on the login form.

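Sets a form error if the user has not been authenticated, or if too many login attempts have been made. This validation function should always be the last one, because it treats an empty $form_state['uid'] as a failed login and counts the attempt against the flood-control limits.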

1 string reference to 'user_login_final_validate'
user_login_default_validators in modules/user/user.module
Set up a series of validators which check for blocked users, then authenticate against local database, then return an error if authentication fails. Distributed authentication modules are welcome to use hook_form_alter() to change this series in…

File

modules/user/user.module, line 2230

Code

/**
 * Final validation handler for the login form.
 *
 * An empty $form_state['uid'] is treated as a failed login. The failure is
 * recorded against the per-IP flood counter, and against the per-user counter
 * when $form_state['flood_control_user_identifier'] is set, before a form
 * error is placed on the 'name' element. A non-empty uid clears the per-user
 * counter instead.
 *
 * Security notes:
 * - The fallback values passed to variable_get() here are a 3600 second IP
 *   window, a 21600 second user window and a user limit of 5.
 * - On the flood-triggered path this function writes no watchdog entry; the
 *   'user_flood_control' hook invocation is the only notification it emits
 *   there. Alerting on lockouts therefore has to hang off that hook.
 * - The throttled-account message differs from the generic failure message.
 *   NOTE(review): whether that discloses account existence depends on how an
 *   earlier validator sets 'flood_control_triggered' -- not visible here.
 *
 * @param $form
 *   The login form structure. Not read by this function.
 * @param $form_state
 *   The form state, passed by reference. Keys read: 'uid',
 *   'flood_control_user_identifier', 'flood_control_triggered' and
 *   ['values']['name'].
 */
function user_login_final_validate($form, &$form_state) {
    // Authenticated: an earlier validator populated the uid.
    if (!empty($form_state['uid'])) {
        if (isset($form_state['flood_control_user_identifier'])) {
            // Reset the per-user failure count so that a user who logs in and
            // out more than once in an hour is not locked out.
            flood_clear_event('failed_login_attempt_user', $form_state['flood_control_user_identifier']);
        }
        return;
    }

    // Not authenticated. The IP-based failure is always counted, even when a
    // limit has already been reached.
    $ip_window = variable_get('user_failed_login_ip_window', 3600);
    flood_register_event('failed_login_attempt_ip', $ip_window);

    // The per-user failure is counted only when an identifier was supplied.
    if (isset($form_state['flood_control_user_identifier'])) {
        $user_window = variable_get('user_failed_login_user_window', 21600);
        flood_register_event('failed_login_attempt_user', $user_window, $form_state['flood_control_user_identifier']);
    }

    // No limit reached: report a generic failure and log the attempted name.
    if (!isset($form_state['flood_control_triggered'])) {
        $placeholders = array(
            '@password' => url('user/password'),
        );
        form_set_error('name', t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', $placeholders));
        watchdog('user', 'Login attempt failed for %user.', array(
            '%user' => $form_state['values']['name'],
        ));
        return;
    }

    // A flood limit was reached. The comparison is intentionally loose, as in
    // the original code.
    if ($form_state['flood_control_triggered'] == 'user') {
        $user_limit = variable_get('user_failed_login_user_limit', 5);
        $placeholders = array(
            '@url' => url('user/password'),
        );
        $message = format_plural($user_limit, 'Sorry, there has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', 'Sorry, there have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', $placeholders);
        form_set_error('name', $message);
        // Notify listeners with both the client address and the submitted name.
        module_invoke_all('user_flood_control', ip_address(), $form_state['values']['name']);
    }
    else {
        // Any other trigger value is handled as the IP-based limit.
        $placeholders = array(
            '@url' => url('user/password'),
        );
        $message = t('Sorry, too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', $placeholders);
        form_set_error('name', $message);
        module_invoke_all('user_flood_control', ip_address());
    }

    // drupal_access_denied() cannot be called here: if the login form is
    // rendered on the 403 page (e.g. in a block) that can loop forever. Only
    // the 403 status header is added and form processing is left to finish.
    drupal_add_http_header('Status', '403 Forbidden');
}
