In this mini howto I would like to show how to add a required captcha field to the login form after a defined number of unsuccessful attempts. To do this, I will use the blog demo that ships in the default Yii download package (path/to/yii/demos/blog). Basically, you need three things:

- in the model, you have to add the captcha field as a required field in the rules() method
- in the controller, you have to create a different LoginForm model if the number of unsuccessful attempts is greater than N
- in the view, you have to show the captcha field if the number of unsuccessful attempts is greater than N

In the LoginForm model, you can use 'scenario' to set different required fields, so:

Written by: zitter | Category: How-tos | Votes: +8 / -2 | Viewed: 1,209 times | Created on: Jun 12, 2012 | Last updated: Jun 13, 2012 | Tags: session, Authentication, security, form
Source: www.yiiframework.com/wiki/339/show-captcha-after-n-unsuccessfull-attempts/
public function rules()
{
    return array(
        // username and password are required
        array('username, password', 'required'),
        // rememberMe needs to be a boolean
        array('rememberMe', 'boolean'),
        // password needs to be authenticated
        array('password', 'authenticate'),
        // add these lines below
        array('username,password,verifyCode', 'required', 'on'=>'captchaRequired'),
        array('verifyCode', 'captcha', 'allowEmpty'=>!CCaptcha::checkRequirements()),
    );
}
In the view, add this code (it shows the captcha field if the scenario is set to 'captchaRequired'; we will see later how the scenario is chosen):
<?php if($model->scenario == 'captchaRequired'): ?>
<div class="row">
    <?php echo CHtml::activeLabelEx($model,'verifyCode'); ?>
    <div>
    <?php $this->widget('CCaptcha'); ?>
    <?php echo CHtml::activeTextField($model,'verifyCode'); ?>
    </div>
    <div class="hint">Please enter the letters as they are shown in the image above.
    <br/>Letters are not case-sensitive.</div>
</div>
<?php endif; ?>
Now, the controller. First, add a property that sets the maximum allowed attempts and a counter that keeps track of the failed attempts:
public $attempts = 5; // allowed 5 attempts
public $counter;
Then, add a private function that returns true if the 'captchaRequired' session value (the number of failed attempts so far) is greater than or equal to the maximum allowed attempts.
private function captchaRequired()
{
    return Yii::app()->session->itemAt('captchaRequired') >= $this->attempts;
}
We will use this function to know whether the captcha is required or not. Now it only remains to modify the actionLogin() method:
public function actionLogin()
{
    $model = $this->captchaRequired() ? new LoginForm('captchaRequired') : new LoginForm;

    // if it is ajax validation request
    if(isset($_POST['ajax']) && $_POST['ajax']==='login-form')
    {
        echo CActiveForm::validate($model);
        Yii::app()->end();
    }

    // collect user input data
    if(isset($_POST['LoginForm']))
    {
        $model->attributes=$_POST['LoginForm'];
        // validate user input and redirect to the previous page if valid
        if($model->validate() && $model->login())
            $this->redirect(Yii::app()->user->returnUrl);
        else
        {
            $this->counter = Yii::app()->session->itemAt('captchaRequired') + 1;
            Yii::app()->session->add('captchaRequired', $this->counter);
        }
    }
    // display the login form
    $this->render('login',array('model'=>$model));
}
Note that if the function captchaRequired() returns true we create a LoginForm with the scenario 'captchaRequired'; otherwise we create a LoginForm with the default scenario. This is useful because in protected/models/LoginForm.php we have set two different sets of required fields depending on the scenario:
public function rules()
{
    return array(
        array('username, password', 'required'),
        array('username,password,verifyCode','required','on'=>'captchaRequired'),
        [... missing code ...]
}
If validation passes we redirect to a specific page, but what if validation doesn't pass? In that case we increment the counter and store it in a session value named 'captchaRequired', in this way:
if($model->validate() && $model->login())
    $this->redirect(Yii::app()->user->returnUrl);
else
{
    $this->counter = Yii::app()->session->itemAt('captchaRequired') + 1;
    Yii::app()->session->add('captchaRequired', $this->counter);
}
When the 'captchaRequired' session value equals the maximum allowed attempts (the property $attempts), the private function captchaRequired() returns true and a LoginForm('captchaRequired') is created. With the scenario set to 'captchaRequired', the captcha is shown in the view:
<?php if($model->scenario == 'captchaRequired'): ?>
    // code to show captcha
<?php endif; ?>
Easy, uh? ;)
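One caveat about the design above: the counter lives in Yii::app()->session, so a client that simply never sends the session cookie back starts every request with an empty counter and is never asked for a captcha. The following is an added example, not code from this wiki or from the Yii blog demo: it keeps the counter per username in a database table, so the threshold is enforced for the account no matter which session submits the attempt. The LoginAttempt class, the login_attempt table and its columns, the 15-minute window and the $username argument to captchaRequired() are all assumptions of this example; the rest follows the actionLogin() structure shown above.

```php
<?php
// Added example, not part of the original wiki: the failed-attempt counter is
// stored per username in the database rather than in the PHP session, because
// a session-based counter is reset simply by discarding the session cookie.
//
// Assumed table (hypothetical schema for this example):
//   CREATE TABLE login_attempt (
//       username     VARCHAR(128) NOT NULL PRIMARY KEY,
//       failures     INTEGER NOT NULL DEFAULT 0,
//       last_failure INTEGER NOT NULL DEFAULT 0   -- unix timestamp
//   );
class LoginAttempt
{
    // Failures older than this window no longer count (assumed: 15 minutes).
    const WINDOW_SECONDS = 900;

    // Number of recent failures recorded for the given username.
    public static function failures($username)
    {
        $row = Yii::app()->db->createCommand()
            ->select('failures, last_failure')
            ->from('login_attempt')
            ->where('username = :u', array(':u' => $username))
            ->queryRow();
        if ($row === false)
            return 0;
        if (time() - (int)$row['last_failure'] > self::WINDOW_SECONDS)
            return 0;   // stale row: do not demand a captcha forever
        return (int)$row['failures'];
    }

    // Increment the counter for the username, creating the row on first failure.
    public static function recordFailure($username)
    {
        if ($username === '')
            return;     // nothing to key the counter on
        $db = Yii::app()->db;
        $columns = array('failures' => self::failures($username) + 1,
                         'last_failure' => time());
        $updated = $db->createCommand()->update('login_attempt', $columns,
            'username = :u', array(':u' => $username));
        if ($updated === 0)
            $db->createCommand()->insert('login_attempt',
                $columns + array('username' => $username));
    }

    // Clear the counter after a successful login.
    public static function reset($username)
    {
        Yii::app()->db->createCommand()
            ->delete('login_attempt', 'username = :u', array(':u' => $username));
    }
}

class SiteController extends Controller
{
    public $attempts = 5; // captcha is required from the 5th failure on

    // The username is passed in because it must be known before the model is
    // built; it is an empty string when the form is first displayed.
    private function captchaRequired($username)
    {
        return $username !== '' && LoginAttempt::failures($username) >= $this->attempts;
    }

    public function actionLogin()
    {
        $username = isset($_POST['LoginForm']['username'])
            ? (string)$_POST['LoginForm']['username'] : '';
        $model = $this->captchaRequired($username)
            ? new LoginForm('captchaRequired') : new LoginForm;

        // if it is ajax validation request
        if (isset($_POST['ajax']) && $_POST['ajax'] === 'login-form')
        {
            echo CActiveForm::validate($model);
            Yii::app()->end();
        }

        if (isset($_POST['LoginForm']))
        {
            $model->attributes = $_POST['LoginForm'];
            if ($model->validate() && $model->login())
            {
                LoginAttempt::reset($username);   // successful login clears the counter
                $this->redirect(Yii::app()->user->returnUrl);
            }
            else
                LoginAttempt::recordFailure($username);
        }
        $this->render('login', array('model' => $model));
    }
}
```

Because the counter is keyed by the submitted username, the form rendered before any username is known carries no captcha; the first post after the threshold is reached fails on the missing verifyCode (which, as in the original code, also counts as a failure) and the re-rendered form then shows the captcha. Resetting the row on a successful login keeps the table from filling up with stale entries, and the time window stops an old run of failures from demanding a captcha indefinitely.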
Total 5 comments
#8726 Good wiki
This is a good wiki, I was just pointing out a situation that can lead to a false sense of safety. I'll not write another wiki because this one is just fine, I tried to collaborate with a (IMHO) note on security. I'm sorry if anyone took it in the wrong way.
#8725
thx for the wiki :) just change the way it stores the login attempt counter and you're done (save to user log in database or file), for jpablo if u don't like the way it was written just write your own wiki, or try to change the way you comment :)
#8675 What you are missing
"Or I'm missing something?" The only thing you're missing is a chance to write a better wiki to solve those problems :)
#8672 The login attempt counter in the session has severe flaws
The login attempt counter is stored in the session?? An attacker can easily run a brute force process using an empty session each time, right? In this (the most common) scenario this solution is useless. Or I'm missing something?
#8649 amazing...
I don't know what to say.. but this is really cool code... thx zitter.. as you said.. Easy, uh....