We must think alike. I have been planning for a few days to add a feature to alert a user at a terminal that there was a recent unauthorized login attempt. I worked it out this morning and was about to commit the code and realized that you already did almost the exact same thing a week ago. The only difference is that you use the session variable and I store the IP address in the log for login attempts and then check for the most recent login from that address and see if it was a failure.
One difference is that resetting the browser makes your message go away and mine survives. I’ll leave it and you can take a look. I also made a change to auth.inc and login.php.
hmmm… The registration and comparison of the IP address is interesting. It could work OK if your users are all at a single site. But, if your users are accessing OpenEMR from a remote location that is doing NAT on the router then, I think, there could be some misleading results.
For example, Users A & B are using two different computers at a remote office. User A has an invalid login attempt. Then user B tries to log in, from their computer, and sees an "Invalid User/Password" error message even before they attempt to log in. It could create some confusion.
Is there a benefit to doing this IP logging and comparison over just the Session based check?
All of my users are remote and funnel through NATting routers.
That makes sense with the problem of going through a router.
The only benefit I can think of is this: My use for this was to see if a patient was playing around with an exam room terminal, attempting to guess username/password combinations. Using the Session based check can be defeated by a user resetting the browser. I use live linux CDs with no hard drive for my terminal machines, so a patient turning the computer on and off would erase the message and reset the computer to its original state.
I guess the usefulness of doing it either way depends on how it will be used and the nature of the network.
I can see the usefulness here. Perhaps this could be a new GLOBAL variable for lockout-attempts. Something so that after XX failed login attempts that particular IP address is locked for 10 minutes or something? It’s a complex solution to a single problem but might be worthwhile coding into the login process.
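To make the two mechanisms discussed in this thread concrete (the IP-keyed "most recent attempt from this address failed" warning from the first post, and the per-IP lockout after XX failures proposed in the last one), here is a small added example. It is not OpenEMR code and not code from anyone in the thread; the log entries, the shared NAT address 203.0.113.10, the threshold of 3 and the 600-second window are all constructed/hypothetical values standing in for the proposed global. It also shows the NAT caveat raised above: because both checks key on the source address, user B behind the same router inherits the warning and the lockout that user A's failures produced.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical values for the proposed GLOBAL settings (not OpenEMR's own).
LOCKOUT_THRESHOLD = 3    # "after XX failed login attempts"
LOCKOUT_SECONDS = 600    # "locked for 10 minutes"


@dataclass
class LoginEvent:
    ts: int          # seconds since epoch (constructed sample timestamps)
    ip: str          # source address as seen by the server (post-NAT)
    username: str
    success: bool


class LoginLog:
    """In-memory stand-in for the login-attempt log table described in the thread."""

    def __init__(self) -> None:
        self.events: List[LoginEvent] = []   # appended in time order

    def record(self, ts: int, ip: str, username: str, success: bool) -> None:
        self.events.append(LoginEvent(ts, ip, username, success))

    def last_attempt_from(self, ip: str) -> Optional[LoginEvent]:
        for ev in reversed(self.events):
            if ev.ip == ip:
                return ev
        return None

    def recent_failure_warning(self, ip: str) -> bool:
        """IP-based terminal warning: True if the most recent attempt from this
        address was a failure. Survives a browser reset, unlike a session flag."""
        ev = self.last_attempt_from(ip)
        return ev is not None and not ev.success

    def failed_count(self, ip: str, now: int, window: int = LOCKOUT_SECONDS) -> int:
        """Consecutive failures from `ip` inside the window, ending at the most
        recent success (a successful login resets the streak)."""
        n = 0
        for ev in reversed(self.events):
            if ev.ip != ip:
                continue
            if now - ev.ts > window:
                break        # everything older is outside the window too
            if ev.success:
                break        # streak ends at the last success
            n += 1
        return n

    def is_locked_out(self, ip: str, now: int) -> bool:
        """Per-IP lockout as proposed: threshold failures within the window."""
        return self.failed_count(ip, now) >= LOCKOUT_THRESHOLD


def nat_scenario() -> dict:
    """Users A and B sit behind one NAT router; the server sees one address."""
    log = LoginLog()
    office = "203.0.113.10"            # constructed shared NAT address
    elsewhere = "198.51.100.7"         # constructed unrelated address

    log.record(1000, office, "userA", False)   # A mistypes the password
    warn_b_after_one = log.recent_failure_warning(office)   # B now sees the warning

    log.record(1010, office, "userA", False)
    log.record(1020, office, "userA", False)
    office_locked = log.is_locked_out(office, 1030)       # A's failures lock B out too
    other_site_locked = log.is_locked_out(elsewhere, 1030)

    expired = log.is_locked_out(office, 1020 + LOCKOUT_SECONDS + 1)  # window elapsed

    log.record(1040, office, "userB", True)    # a successful login clears the streak
    after_success = log.is_locked_out(office, 1050)

    return {
        "warning_shown_to_b": warn_b_after_one,
        "office_locked": office_locked,
        "other_site_locked": other_site_locked,
        "locked_after_window": expired,
        "locked_after_success": after_success,
    }


if __name__ == "__main__":
    for k, v in nat_scenario().items():
        print(f"{k}: {v}")
```

The two results to notice are `warning_shown_to_b` and `office_locked`: both are true for user B even though B never failed a login, which is exactly the misleading behaviour behind NAT that the thread points out. Keying the lockout on username as well as address, or exempting addresses known to be shared NAT gateways, are the usual ways to narrow that blast radius.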