sfAntiBruteForcePlugin plugin
=============================

The `sfAntiBruteForcePlugin` helps you securing your web application against [brute force attacks](http://en.wikipedia.org/wiki/Brute_force_attack).


Principle
---------

To prevent brute force attacks, we need to count the fail attempts for a given user. To do so, you can count the failed authentication for a given username. If the defined threshold is reached for the current day, you can forbid him to login. Or even better, you can add a CAPTCHA on the login form. Feel free to do what you prefer.


Features
--------

The `sfAntiBruteForcePlugin` proposes a management class with 2 static methods. They allow to count authentication attempts, and to know if a user has reached his attempts threshold. Here is how to use it.

This code takes place in the action that handles the login process.

    [php]
    public function executeLogin(sfWebRequest $request)
    {
      $this-&gt;form = new LoginForm();

      if ($request-&gt;isMethod(&#039;post&#039;))
      {
        $this-&gt;form-&gt;bind($request-&gt;getParameter(&#039;login&#039;));

        // retrieve the given username
        $taintedValues = $this-&gt;form-&gt;getTaintedValues();

        // check that he hasn&#039;t already reached the threshold
        if (!sfAntiBruteForceManager::canTryAuthentication($taintedValues[&#039;username&#039;]))
        {
          // go away hacker!
          $this-&gt;forward404();
        }

        if ($this-&gt;form-&gt;isValid())
        {
          // authenticate user and redirect
          $this-&gt;getUser()-&gt;setAuthenticated(true);
          $this-&gt;redirect(&#039;@homepage&#039;);
        }
        else
        {
          // on failed authentication, increase counter for this user
          sfAntiBruteForceManager::notifyFailedAuthentication($taintedValues[&#039;username&#039;]);
        }
      }
    }

You can customize the number of failed authentication threshold in your `app.yml` file:

    [yaml]
    all:
      sfAntiBruteForcePlugin:
        threshold:        20 # 20 failed attempts per day


Current limitations
-------------------
Counters are stored in files, in the cache directory. There&#039;s 1 file per user. Those files are cleaned every day. I will probably implement a way to paremeter the plugin to store the counters in a database.

Attempts are counted per day. There&#039;s currently no way to paremeter the plugin to count it per hour, or anything else.


Changelog
---------

### Trunk

### 2010-12-13 | 0.1 Beta

  * gregoire_m: first beta: basic functionnalities with file storage