-rw-r--r-- | acf.conf | 5 | ||||
-rw-r--r-- | app/acf-util/logon-model.lua | 2 | ||||
-rw-r--r-- | app/acf_www-controller.lua | 4 | ||||
-rw-r--r-- | lib/session.lua | 10 |
4 files changed, 13 insertions, 8 deletions
@@ -19,6 +19,11 @@
 sessiondir=/tmp/
 # only applies to web access, client access will always use system logger
 logfile = /var/log/acf.log
+# Session parameters
+# sessiontimeout - time in minutes before inactive session deleted (default 30)
+# lockouttime - time in minutes for lockout due to failed login attempts (default 30) (maximum = sessiontimeout)
+# lockouteventlimit - number of events in past lockouttime to cause lockout (default 10)
+
 # ACF is skinnable - this specifies the active skin
 # will attempt to load skin/basename(skin).css
 skin=/skins/alps
diff --git a/app/acf-util/logon-model.lua b/app/acf-util/logon-model.lua
index c110ee6..d84e5e9 100644
--- a/app/acf-util/logon-model.lua
+++ b/app/acf-util/logon-model.lua
@@ -25,7 +25,7 @@ end
 -- if we fail, we leave the session alone (don't log out)
 logon = function (self, userid, password, ip_addr, sessiondir, sessiondata)
 -- Check to see if we can login this user id / ip addr
- local countevent = session.count_events(sessiondir, userid, session.hash_ip_addr(ip_addr))
+ local countevent = session.count_events(sessiondir, userid, session.hash_ip_addr(ip_addr), self.conf.lockouttime, self.conf.lockouteventlimit)
 if countevent then
 session.record_event(sessiondir, userid, session.hash_ip_addr(ip_addr))
 end
diff --git a/app/acf_www-controller.lua b/app/acf_www-controller.lua
index e99ffa5..7d9d2d5 100644
--- a/app/acf_www-controller.lua
+++ b/app/acf_www-controller.lua
@@ -261,7 +261,7 @@ mvc.on_load = function (self, parent)
 -- before we look at sessions, remove old sessions and events
 -- this prevents us from giving a "session timeout" message, but I'm ok with that
- sessionlib.expired_events(self.conf.sessiondir)
+ sessionlib.expired_events(self.conf.sessiondir, self.conf.sessiontimeout)
 -- Load the session data
 self.sessiondata = nil
@@ -281,7 +281,7 @@ mvc.on_load = function (self, parent)
 else
 --logevent("Found session")
 -- We read in a valid session, check if it's ok
- if sessionlib.count_events(self.conf.sessiondir,self.conf.userid or "", sessionlib.hash_ip_addr(self.conf.clientip)) then
+ if sessionlib.count_events(self.conf.sessiondir,self.conf.userid or "", sessionlib.hash_ip_addr(self.conf.clientip), self.conf.lockouttime, self.conf.lockouteventlimit) then
 --logevent("Bad session, erasing")
 -- Too many events on this id / ip, kill the session
 sessionlib.unlink_session(self.conf.sessiondir, self.clientdata.sessionid)
diff --git a/lib/session.lua b/lib/session.lua
index f84551e..f55f2bf 100644
--- a/lib/session.lua
+++ b/lib/session.lua
@@ -195,10 +195,10 @@ end
 -- Check how many invalid login events
 -- have happened for this id in the last n minutes
 -- this will only effect the lockevent files
-count_events = function (sessionpath, id_user, ipaddr)
+count_events = function (sessionpath, id_user, ipaddr, minutes, limit)
 --we need to have the counts added up? deny off any and or all
 local now = os.time()
- local minutes_ago = now - (minutes_count_events * 60)
+ local minutes_ago = now - ((minutes or minutes_count_events) * 60)
 local t = {}
 --give me all lockevents then we will sort through them
 local searchfor = sessionpath .. "/lockevent.*"
@@ -215,7 +215,7 @@ count_events = function (sessionpath, id_user, ipaddr)
 end
 end
 end
- if count>limit_count_events then
+ if count>(tonumber(limit) or limit_count_events) then
 return true
 else
 return false
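Review bot: The new `minutes` parameter of count_events is used in arithmetic without coercion on the `minutes_ago` line, whereas the `limit` parameter in the -215 hunk of the same function gets `tonumber(limit) or limit_count_events`; if the config loader hands over a string that is empty or non-numeric for lockouttime, `(minutes or minutes_count_events) * 60` raises an arithmetic error instead of falling back to the module default, and both callers (logon-model.lua and acf_www-controller.lua in this commit) pass `self.conf.lockouttime` straight through, so that error would surface on the login path and on every request that carries a session. Make the two parameters consistent: `local minutes_ago = now - ((tonumber(minutes) or minutes_count_events) * 60)`. The header comment above the signature should also name the new arguments, e.g. `-- minutes/limit override the module defaults; nil or non-numeric values fall back to them`. count_events continues past the end of this hunk, so the loop that fills `count` is not visible here.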
@@ -224,11 +224,11 @@ count_events = function (sessionpath, id_user, ipaddr)
 end
 -- Clear events that are older than n minutes
-expired_events = function (sessionpath)
+expired_events = function (sessionpath, minutes)
 --current os time in seconds
 local now = os.time()
 --take minutes and convert to seconds
- local minutes_ago = now - (minutes_expired_events * 60)
+ local minutes_ago = now - ((minutes or minutes_expired_events) * 60)
 local searchfor = sessionpath .. "/lockevent.*"
 --first do the lockevent files
 local temp = posix.glob(searchfor) |
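Review bot: The same un-coerced `minutes` appears on the `minutes_ago` line of expired_events, and acf_www-controller.lua's on_load now calls it with `self.conf.sessiontimeout` before the session is loaded, so a non-numeric sessiontimeout value would presumably error on every request; `local minutes_ago = now - ((tonumber(minutes) or minutes_expired_events) * 60)` gives the fallback the `or` seems to intend. Separately, the acf.conf comment in this commit says lockouttime's maximum is sessiontimeout, but nothing enforces it: this function appears to clear lockevent files older than sessiontimeout minutes (the glob on `/lockevent.*` and the "first do the lockevent files" comment), so a lockouttime larger than sessiontimeout silently shortens the lockout window to sessiontimeout. Either clamp the value where it is read or state the cap in this function's header comment, e.g. `-- Clear events older than minutes; lockevent files go too, so this also caps the window count_events can see`. expired_events continues past the end of this hunk.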