
Server time bug, causes very long lockout on failed login


There is a pretty massive flaw in the implementation of server time zone support. If a user fails the login process 3 times in a row, their IP address is then banned for '15 mins'. However, because I am in the UK and my server is in Texas, the ban seems to last 15 mins plus whatever the time difference is between my local time zone and the server's time zone - in my case about 8 hours. It seems WHMCS puts the [time zone] corrected time in the database instead of the server time, but checks it against the server time, hence the massive discrepancy. I guess if it was the other way around, my server was in the UK and I was in the US, then the ban wouldn't work at all as it would have happened in the future...


Now I have a workaround which involves logging into the database and removing the banned IP address, but this is not always practical and I'm dreading the time when I mistype my password 3 times in a row (or sometimes the browser makes a failed login attempt without me inputting data) and have no access to the database and have to wait all day just to get in.


In the meantime, can anyone lend me a flux capacitor?

Edited by arumdev

Now I have a workaround which involves logging into the database and removing the banned IP address, but this is not always practical and I'm dreading the time when I mistype my password 3 times in a row (or sometimes the browser makes a failed login attempt without me inputting data) and have no access to the database and have to wait all day just to get in.


Putting aside the breaking of EU legislation on the exporting of client/confidential data - the "simple" fix is to put the code to remove the IP from the banned list into some PHP and, if you lock yourself out, go to that URL - better yet, always go to that URL, and have it redirect to the WHMCS admin login afterwards ;)


While that is a clever fix, and something I might do, it would be far, far easier to fix the tiny little bug that says [use time] instead of [use corrected time], which I would have done myself already if the code was accessible.


Re your reply, what is the relevance of EU legislation on exporting confidential information? Surely removing a banned IP address has nothing to do with any such legislation, or am I missing something?

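The mismatch described in the opening post and in the last reply (a time-zone-corrected timestamp written to the ban table, but compared against the server clock), as an added Python model that is not WHMCS code: `admin_offset_hours`, `use_corrected_time` and the fixed `SERVER_NOW` instant are constructed assumptions, and the 8-hour figure is the one the poster quotes.

```python
from datetime import datetime, timedelta, timezone

BAN_DURATION = timedelta(minutes=15)

# Fixed server-clock instant used as the reference (constructed sample value).
SERVER_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def record_ban(server_now, admin_offset_hours, use_corrected_time):
    """Model of writing a failed-login ban row to the database.

    admin_offset_hours (hypothetical parameter) is the admin's configured time
    zone minus the server's. With use_corrected_time=True the stored timestamp
    is shifted into the admin's zone, which is the behaviour the thread
    describes; with False the raw server time is stored.
    """
    stamp = server_now
    if use_corrected_time:
        stamp = stamp + timedelta(hours=admin_offset_hours)
    return {"expires": stamp + BAN_DURATION}


def is_banned(record, server_now):
    """The login check always uses the server clock, whatever was stored."""
    return server_now < record["expires"]


def still_banned_after(minutes, admin_offset_hours, use_corrected_time):
    """Is the IP still locked out `minutes` of server time after the ban?"""
    rec = record_ban(SERVER_NOW, admin_offset_hours, use_corrected_time)
    return is_banned(rec, SERVER_NOW + timedelta(minutes=minutes))


def effective_lockout(admin_offset_hours, use_corrected_time):
    """How long the ban actually holds, measured on the server clock."""
    rec = record_ban(SERVER_NOW, admin_offset_hours, use_corrected_time)
    remaining = rec["expires"] - SERVER_NOW
    return max(remaining, timedelta(0))


if __name__ == "__main__":
    # Mixed references: ban lasts offset + 15 min (UK admin, Texas server)
    print(effective_lockout(8, True))    # 8:15:00
    # Opposite direction: expiry is already in the past, ban never holds
    print(effective_lockout(-8, True))   # 0:00:00
    # Same reference on both sides: 15 min regardless of zone
    print(effective_lockout(8, False))   # 0:15:00
```

The third case is the one-line fix the last reply asks for: store and compare in the same reference, and the lockout is 15 minutes whatever the admin's zone.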
