Laravel 5: Security – Authentication: let's bring back maxLoginAttempts and lockoutTime


Let's bring back maxLoginAttempts and lockoutTime, which were phased out by the ThrottlesLogins trait.

As of Laravel 5.3, maxLoginAttempts and lockoutTime are no longer available.
Earlier, we could easily set the maximum number of login attempts and the lockout time.
But the creators of Laravel decided to remove that when they introduced the ThrottlesLogins trait.
They simply hardcoded these values, arbitrarily setting them to 5 unsuccessful attempts and a one-minute delay.
Sometimes you may need different values and may want to set them in an easy way.

Here is one approach: you just need to tweak the ThrottlesLogins trait and you are good to go.

Some explanation first.

When you use Laravel's built-in authentication scaffolding, set up by this command:

… inside your LoginController, you will see the AuthenticatesUsers trait pulled in.
When you look inside that trait, you will see another trait, ThrottlesLogins, pulled in.
This is the one we need to tweak.

step 1

Find our ThrottlesLogins trait:

… and change protected function hasTooManyLoginAttempts to:

step 2

Above our changed protected function hasTooManyLoginAttempts, add two extra methods:

step 3

Now you can set how many attempts are allowed and how long the cool-down period lasts (in minutes) directly in the LoginController that pulls in the AuthenticatesUsers trait, or anywhere else you pull in the ThrottlesLogins trait directly.

login attempts:

login cool-down:
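
The pattern from steps 1 to 3, as an added stand-alone example that is not the original post's code and not Laravel's own: two helper methods read optional maxLoginAttempts and lockoutTime properties and fall back to the hardcoded 5 attempts and 1 minute. The names FakeLimiter and ConfigurableThrottle, the simplified method signatures, the throttle key and the timestamp are assumptions constructed for illustration.

```php
<?php
class FakeLimiter // hypothetical in-memory stand-in for Laravel's rate limiter
{
    private $hits = [], $lockedUntil = [];
    public function hit($key) { $this->hits[$key] = ($this->hits[$key] ?? 0) + 1; }
    public function tooManyAttempts($key, $maxAttempts, $decayMinutes, $now)
    {
        if (($this->lockedUntil[$key] ?? 0) > $now) {
            return true; // still inside the cool-down window
        }
        if (($this->hits[$key] ?? 0) >= $maxAttempts) {
            $this->lockedUntil[$key] = $now + $decayMinutes * 60; // lockout starts
            $this->hits[$key] = 0;
            return true;
        }
        return false;
    }
}
// Hypothetical trait mirroring steps 1 and 2: helpers fall back to 5 attempts, 1 minute.
trait ConfigurableThrottle
{
    protected function maxLoginAttempts()
    {
        return property_exists($this, 'maxLoginAttempts') ? $this->maxLoginAttempts : 5;
    }
    protected function lockoutTime()
    {
        return property_exists($this, 'lockoutTime') ? $this->lockoutTime : 1;
    }
    public function hasTooManyLoginAttempts(FakeLimiter $limiter, $key, $now)
    {
        return $limiter->tooManyAttempts($key, $this->maxLoginAttempts(), $this->lockoutTime(), $now);
    }
}
class LoginController // step 3: settings declared on the controller
{
    use ConfigurableThrottle;
    protected $maxLoginAttempts = 3;
    protected $lockoutTime = 10; // minutes
}
$limiter = new FakeLimiter();
$login = new LoginController();
$key = 'alice@example.test|203.0.113.7'; // constructed throttle key
$t0 = 1500000000;                        // constructed timestamp
for ($i = 0; $i < 3; $i++) { $limiter->hit($key); } // three failed logins
var_dump($login->hasTooManyLoginAttempts($limiter, $key, $t0));           // right after
var_dump($login->hasTooManyLoginAttempts($limiter, $key, $t0 + 9 * 60));  // 9 min later
var_dump($login->hasTooManyLoginAttempts($limiter, $key, $t0 + 10 * 60)); // 10 min later
```

In PHP, a method defined in the class that uses a trait takes precedence over the trait's method, so the same three methods can also live in LoginController itself rather than in the framework's trait file, which a framework update replaces.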

Tested and works in Laravel 5.3 and Laravel 5.4.

Laravel 5.2 offers maxLoginAttempts and lockoutTime out of the box.

I have no idea how it plays with Laravel 5.1 or 5.0, as I have not tested it.

That’s about the size of it.