sfAntiBruteForcePlugin - 0.1

The sfAntiBruteForcePlugin helps you secure your web application against brute force attacks.


sfAntiBruteForcePlugin plugin

To prevent brute force attacks, we need to count the failed attempts for a given user. To do so, you can count the failed authentications for a given username. If the defined threshold is reached for the current day, you can forbid that user from logging in. Or even better, you can add a CAPTCHA to the login form. Feel free to do what you prefer.


The sfAntiBruteForcePlugin provides a manager class with two static methods: one counts failed authentication attempts, the other tells you whether a user has reached the attempts threshold. Here is how to use it.

This code goes in the action that handles the login process.

public function executeLogin(sfWebRequest $request)
{
  $this->form = new LoginForm();

  if ($request->isMethod('post'))
  {
    // bind the submitted values first: getTaintedValues() only returns data once the form is bound
    $this->form->bind($request->getParameter($this->form->getName()));

    // retrieve the given username (unvalidated input, used only as a counter key)
    $taintedValues = $this->form->getTaintedValues();

    // check that he hasn't already reached the threshold
    if (!sfAntiBruteForceManager::canTryAuthentication($taintedValues['username']))
    {
      // go away hacker! (refuse the login; forward404() is one option, a CAPTCHA is another)
      $this->forward404();
    }

    if ($this->form->isValid())
    {
      // authenticate user and redirect
    }
    else
    {
      // on failed authentication, increase counter for this user
      // (call the plugin's counting method here; its name is not shown on this page)
    }
  }
}

You can customize the failed-authentication threshold in your app.yml file:

    threshold:        20 # 20 failed attempts per day

Current limitations

Counters are stored in files, in the cache directory. There's 1 file per user. Those files are cleaned every day. I will probably implement a way to configure the plugin to store the counters in a database.

Attempts are counted per day. There's currently no way to configure the plugin to count them per hour, or anything else.
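As an added illustration (not the plugin's own code), here is a stand-alone PHP class that reproduces the behaviour described above: one counter file per user and per day, a threshold check, and the daily cleanup. The class name, the file layout, getFailedAttempts(), registerFailedAttempt() and purgeOldCounters() are assumptions; only canTryAuthentication() is named on this page, and the plugin's real storage format is not documented here.

```php
<?php
// Added example, not the sfAntiBruteForcePlugin code. Mimics the README's design:
// a per-user, per-day failed-login counter kept in plain files under a cache directory.
class DemoBruteForceCounter
{
  private $dir;
  private $threshold;

  public function __construct($dir, $threshold = 20)
  {
    $this->dir = rtrim($dir, '/');
    $this->threshold = (int) $threshold;
    if (!is_dir($this->dir))
    {
      mkdir($this->dir, 0700, true);
    }
  }

  // One file per user and per day. The username is hashed so that untrusted
  // form input never becomes part of a file system path.
  private function counterFile($username)
  {
    return $this->dir.'/'.date('Y-m-d').'_'.hash('sha256', (string) $username).'.cnt';
  }

  public function getFailedAttempts($username)
  {
    $file = $this->counterFile($username);
    return file_exists($file) ? (int) file_get_contents($file) : 0;
  }

  // Same contract as the plugin's canTryAuthentication(): true while the user is under the threshold
  public function canTryAuthentication($username)
  {
    return $this->getFailedAttempts($username) < $this->threshold;
  }

  // Increment the counter under an exclusive lock so that two concurrent failed
  // logins for the same user do not overwrite each other's update.
  public function registerFailedAttempt($username)
  {
    $fp = fopen($this->counterFile($username), 'c+');   // create if missing, do not truncate
    flock($fp, LOCK_EX);
    $count = (int) stream_get_contents($fp) + 1;
    rewind($fp);
    ftruncate($fp, 0);
    fwrite($fp, (string) $count);
    flock($fp, LOCK_UN);
    fclose($fp);
    return $count;
  }

  // Equivalent of the daily cleanup the README mentions: drop every counter
  // file that does not belong to today, so yesterday's failures no longer count.
  public function purgeOldCounters()
  {
    $today = date('Y-m-d').'_';
    foreach (glob($this->dir.'/*.cnt') as $file)
    {
      if (strpos(basename($file), $today) !== 0)
      {
        unlink($file);
      }
    }
  }
}

// Demo run with a constructed username and a deliberately low threshold of 3
$counter = new DemoBruteForceCounter(sys_get_temp_dir().'/bf_demo', 3);
$user = 'alice@example.org';
for ($i = 0; $i < 3; $i++)
{
  $counter->registerFailedAttempt($user);
}
var_dump($counter->canTryAuthentication($user));   // the locked-out user after 3 failures
var_dump($counter->canTryAuthentication('bob'));   // a user with no failures today
$counter->purgeOldCounters();
```

Two points worth keeping when wiring this into a login action: the username comes straight from the request before validation, so it must never be used as a raw file name (hashing it above is what prevents path traversal through the counter key); and because the window is a calendar day, an attacker's budget resets at midnight, which is the per-day limitation the README already states. Note also that counting per username means a flood of bogus failures can lock a legitimate user out; the README's CAPTCHA suggestion avoids turning the counter into a denial-of-service lever.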



2010-12-13 | 0.1 Beta

  • gregoire_m: first beta: basic functionalities with file storage