6/26/12

Show captcha after <N> unsuccessful attempts | Wiki | Yii Framework
In this mini howto I would like to show how to add a required captcha field to the login form after a defined number of unsuccessful attempts. To do this, I will use the blog demo that comes with the default Yii download package (path/to/yii/demos/blog). Basically, you need three things:

- in the model, add the captcha field as a required field in the rules() method;
- in the controller, create a LoginForm model with a different scenario if the number of unsuccessful attempts is greater than N;
- in the view, show the captcha field if the number of unsuccessful attempts is greater than N.

In the LoginForm model, you can use the 'scenario' to set different required fields, so:

Written by: zitter | Category: How-tos | Votes: +8 / -2 | Viewed: 1,209 times | Created on: Jun 12, 2012 | Last updated: Jun 13, 2012 | Tags: session, Authentication, security, form

public function rules()
{
    return array(
        // username and password are required
        array('username, password', 'required'),
        // rememberMe needs to be a boolean
        array('rememberMe', 'boolean'),
        // password needs to be authenticated
        array('password', 'authenticate'),
        // add these lines below
        array('username, password, verifyCode', 'required', 'on'=>'captchaRequired'),
        array('verifyCode', 'captcha', 'allowEmpty'=>!CCaptcha::checkRequirements()),
    );
}


Moreover, add verifyCode as public property:

public $verifyCode;

In the view, add this code (it shows the captcha field only when the scenario is set to 'captchaRequired'; how the scenario gets set we will see later):

<?php if($model->scenario == 'captchaRequired'): ?>
<div class="row">
    <?php echo CHtml::activeLabelEx($model,'verifyCode'); ?>
    <div>
    <?php $this->widget('CCaptcha'); ?>
    <?php echo CHtml::activeTextField($model,'verifyCode'); ?>
    </div>
    <div class="hint">Please enter the letters as they are shown in the image above.
    <br/>Letters are not case-sensitive.</div>
</div>
<?php endif; ?>

Now, the controller. First, add a property that sets the maximum allowed attempts and a counter that tracks the failed attempts:

public $attempts = 5; // allowed 5 attempts
public $counter;

Then, add a private function that returns true if the 'captchaRequired' session value is greater than or equal to the maximum number of allowed attempts.

private function captchaRequired()
{
    // itemAt() returns null when the session value is not set yet, so this is false until the counter reaches $attempts
    return Yii::app()->session->itemAt('captchaRequired') >= $this->attempts;
}

We will use this function to know whether the captcha is required or not. Now it remains to modify the actionLogin() method:

public function actionLogin()
{
    $model = $this->captchaRequired() ? new LoginForm('captchaRequired') : new LoginForm;

    // if it is ajax validation request
    if(isset($_POST['ajax']) && $_POST['ajax']==='login-form')
    {
        echo CActiveForm::validate($model);
        Yii::app()->end();
    }

    // collect user input data
    if(isset($_POST['LoginForm']))
    {
        $model->attributes=$_POST['LoginForm'];
        // validate user input and redirect to the previous page if valid
        if($model->validate() && $model->login())
            $this->redirect(Yii::app()->user->returnUrl);
        else
        {
            // failed attempt: increment the counter and keep it in the session
            $this->counter = Yii::app()->session->itemAt('captchaRequired') + 1;
            Yii::app()->session->add('captchaRequired', $this->counter);
        }
    }
    // display the login form
    $this->render('login',array('model'=>$model));
}

Note that if captchaRequired() returns true we create LoginForm with the scenario 'captchaRequired'; otherwise we create LoginForm with the default scenario. This is useful because in protected/models/LoginForm.php we have set different required fields depending on the scenario:

public function rules()
{
    return array(
        array('username, password', 'required'),
        array('username, password, verifyCode', 'required', 'on'=>'captchaRequired'),
        [... missing code ...]
    );
}

If validation passes we redirect to a specific page, but what if validation fails? In that case we increment the counter and store it in a session value named 'captchaRequired', like this:

if($model->validate() && $model->login())
    $this->redirect(Yii::app()->user->returnUrl);
else
{
    $this->counter = Yii::app()->session->itemAt('captchaRequired') + 1;
    Yii::app()->session->add('captchaRequired', $this->counter);
}

When the 'captchaRequired' session value reaches the maximum allowed attempts (the $attempts property), the private function captchaRequired() returns true and LoginForm('captchaRequired') is created. With the scenario set to 'captchaRequired', the captcha is shown in the view:

<?php if($model->scenario == 'captchaRequired'): ?>
    <?php // code to show captcha ?>
<?php endif; ?>

Easy, uh? ;)

References
http://www.yiiframework.com/forum/index.php/topic/21561-captcha-custom-validation
http://drupal.org/node/536274

Total 5 comments

#8726 Good wiki
jpablo78 at 2012/06/22 01:44am

This is a good wiki, I was just pointing out a situation that can lead to a false sense of safety. I'll not write another wiki because this one is just fine, I tried to collaborate with a (IMHO) note on security. I'm sorry if anyone took it in the wrong way.

#8725
bluejedi at 2012/06/21 11:13pm

thx for the wiki :) just change the way it stores the login attempt counter and you're done (save it to the user log in a database or file); for jpablo, if u don't like the way it was written just write your own wiki, or try to change the way you comment :)


#8675 What you are missing
zitter at 2012/06/18 07:12pm

"Or I'm missing something?" The only thing you're missing is a chance to write a better wiki to solve those problems :)

#8672 The login attempt counter in the session has severe flaws
jpablo78 at 2012/06/18 03:31pm

The login attempt counter is stored in the session?? An attacker can easily run a brute force process using an empty session each time, right? In this (the most common) scenario this solution is useless. Or I'm missing something?

#8649 amazing...
peterjkambey at 2012/06/16 02:31pm

i don't know what to say.. but this is really cool code... thx zitter.. as you said.. Easy, Uh....
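The thread above (jpablo78's objection, bluejedi's suggestion) boils down to one point: a counter kept in the PHP session is reset by simply not sending the session cookie, so the captcha threshold is never reached. The following is an added example, not code from zitter's article or from the Yii blog demo, that keeps the failure counter per account in a database table instead of the session, expires it after a time window, and clears it on a successful login. It is plain PHP with PDO and an in-memory SQLite database; the class name FailedLoginTracker, the table login_failures and the sample usernames are all constructed for this example.

```php
<?php
// Added example (not from the wiki article): a per-account failed-login counter
// stored in a database table rather than the PHP session, so discarding the
// session cookie does not reset it. Uses SQLite through PDO; the DSN, the
// table name and the class name are assumptions made for this example.

class FailedLoginTracker
{
    private $db;
    private $maxAttempts;
    private $windowSeconds;

    public function __construct(PDO $db, $maxAttempts = 5, $windowSeconds = 900)
    {
        $this->db = $db;
        $this->maxAttempts = $maxAttempts;
        $this->windowSeconds = $windowSeconds;
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS login_failures (
                account   TEXT PRIMARY KEY,
                failures  INTEGER NOT NULL DEFAULT 0,
                last_fail INTEGER NOT NULL
            )'
        );
    }

    // Normalise the key so "Admin" and " admin" count against the same account.
    private function key($username)
    {
        return strtolower(trim($username));
    }

    // Current failure count for the account; 0 if none or if the record is older than the window.
    public function failures($username, $now = null)
    {
        $now = $now === null ? time() : $now;
        $stmt = $this->db->prepare('SELECT failures, last_fail FROM login_failures WHERE account = :a');
        $stmt->execute(array(':a' => $this->key($username)));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || $now - (int)$row['last_fail'] > $this->windowSeconds) {
            return 0;
        }
        return (int)$row['failures'];
    }

    // Same role as the article's captchaRequired(), but keyed by account instead of session.
    public function captchaRequired($username, $now = null)
    {
        return $this->failures($username, $now) >= $this->maxAttempts;
    }

    // Record one failed attempt; returns the new count. INSERT OR REPLACE is SQLite syntax.
    public function recordFailure($username, $now = null)
    {
        $now = $now === null ? time() : $now;
        $count = $this->failures($username, $now) + 1;
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO login_failures (account, failures, last_fail) VALUES (:a, :f, :t)'
        );
        $stmt->execute(array(':a' => $this->key($username), ':f' => $count, ':t' => $now));
        return $count;
    }

    // Call after a successful login so a legitimate user does not keep seeing the captcha.
    public function reset($username)
    {
        $stmt = $this->db->prepare('DELETE FROM login_failures WHERE account = :a');
        $stmt->execute(array(':a' => $this->key($username)));
    }
}

// Demonstration on constructed input. The tracker never reads the session, so
// five failures arriving with five fresh sessions still add up to five.
$tracker = new FailedLoginTracker(new PDO('sqlite::memory:'), 5, 900);
$t = 1000000; // fixed timestamp so the run is deterministic
for ($i = 0; $i < 5; $i++) {
    $tracker->recordFailure('Admin', $t + $i);
}
var_dump($tracker->captchaRequired('admin', $t + 10));       // threshold reached
var_dump($tracker->captchaRequired('admin', $t + 10 + 901)); // window has expired
$tracker->reset('admin');
var_dump($tracker->captchaRequired('admin', $t + 10));       // cleared after successful login
```

To wire this into the article's controller, the decision has to be made when the form is posted, because the username is only known then: after assigning $model->attributes, set $model->scenario to 'captchaRequired' when $tracker->captchaRequired($model->username) is true, call recordFailure() when validate() or login() fails, and call reset() after a successful login. The first request past the threshold then re-renders the form with the captcha and asks the user to resubmit. Keying on the account means anyone can force a captcha onto a given username, which is why this adds a captcha rather than a hard lockout; combining it with the article's session counter (either one triggering the captcha) keeps the cheap path for the common case.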
