Topic Closed
m94
3 Posts

Hi,

(excuse my poor English, I'm FR)

About this plugin : https://www.typesettercms.com/Plugins/152_Password_Protected_Pages

I'd like to limit it to 3 password attempts (then display an error message), so I need to store a "failed attempts" variable in session data.
So I tried to understand Typesetter's session mechanism, and it seems there is only session data for registered users: no session cookie and no data\_sessions\data\_gpsess_[xxxx].php file for anonymous users who could try to access such protected pages.
Question 1: Am I right about this?

So I thought a possible way is to add a "classic" session_start() at the beginning of the index.php file to create an independent "PHP session" to manage the failed password attempts even for anonymous visitors.
I tried it (locally), it works... but:
Question 2: Is that a good idea? If not, what's the right way to do this?

thanks for your answers,
regards,

@m94

1 year ago#12053

mabu
452 Posts
7.8K Downloads
5 Themes
9 Plugins

You use Typesetter 5.1. For newer PHP versions you should update to the GitHub master or to the versions at github.com/gtbu (errors and deprecations).

I personally never used it. There is a newer version on GitHub (to install under /addons, and remove the web version before).

Do you want to count or stop bots or hackers? I think Typesetter stores no session cookies or data for logged-out users (for what?).

Session data is stored in data/_sessions in gp_sess***.php in arrays.

A cleaner way is of course to include a PHP file, or better still to expand the plugin (see pphandle.php line 52 ...).

The input is <form id="fppp" action="/Tp52gt1221/index.php/More" method="post" style="margin:1em 0">, i.e. without special security.

I have the problem under XAMPP that it encrypts several gp_areas if I choose the "RC4" password (bug! - probably because gp_area had updates).


Can You please post or append Your code here.

Edited: 1 year ago#12055

m94
3 Posts

Thanks for your fast answer! :-)

My installed plugin version is the GitHub one, and I downloaded the 5.1 version from here: isn't it the newer one?

For now the code is quite simple, just a session_start() in index.php and 4 new lines around line 82 in pphandle.php.
I just tested whether it works in the simplest way: it works, but only if the user allows cookies, so I intend to fix that.
But it would be useless (or let's say stupid ^^) to do that my way if the current session class can manage logged-out users; but apparently you think like me: "Typesetter stores no session cookies or data for logged-out users".

So, good way, bad way?... I'd like to be sure first, I don't want to reinvent the wheel!

For the "better way" (expand the plugin), I would have to understand the whole script code first; it would take a long time, and I'm not sure I have the necessary knowledge to succeed.
And, above all, this little code hack is not for me: I want to spend a little time on it, but not too much! ;-)

1 year ago#12056

mabu
452 Posts
7.8K Downloads
5 Themes
9 Plugins

You use an old version of Typesetter which is for PHP 5 and has some minor bugs and holes.

You should really update to my github.com/gtbu v5.1.1 (just replace the /include directory with the 5.1.1 version, and use FileZilla Portable because some FTP clients omit some file types etc.) or better to the 5.2 there, which is an updated github.com/Typesetter master (replace also the gpconfig.php).

Typesetter stores only data of sessions of logged-in users. There is a plugin (visitor-counter) which stores data to have an overview of visits of single sites. It is configurable and sees only the IP address of the provider's internet router (without geolocation).

* Do you also have the RC4 problem while logged out (XAMPP)?

* I am not quite sure why you want to do all this: do you want to keep hackers and bots off? The next step would be to make the login form safer. The code is not so difficult. Against hackers only a strong WAF helps.

* If you post your code here, then I may integrate it into the plugin.

Edited: 1 year ago#12057

m94
3 Posts

Hi,

> You should really update [...]
OK, I'll check whether v5.2 is compatible with the website provider's limitations :-)

> Do you also have the RC4 problem while logged out (XAMPP)?
No, I had no problem with that.

> I am not quite sure why you want to do all this: do you want to keep hackers and bots off? [...]
As I said, it's not for me... I think against bots.

> If you post your code here, then I may integrate it into the plugin
OK, I'll try to produce a serious, complete piece of code (really too basic now), then I will give you the code (in a few weeks, I think...) for checking.

thanks !!

Edited: 1 year ago#12058

mabu
452 Posts
7.8K Downloads
5 Themes
9 Plugins

I think I found another irregular bug (tested online with TP5.2 and TP5.3). After saving passwords for several sites, it is sometimes enough to log in to one of the protected pages, and then you also have access to the other ones (only if RC4 is hooked). The good news is that the above-mentioned RC4 problem exists only in the new bootstrap4 template and in h5 (possibly others). (Here is an old discussion.)

If it was not intended that way, I think it needs a slight redesign, also a safer login form with either a delay after 5 false logins or a captcha for bots. This can take some time. I made a fork at my git with login_nonce.

(Typesetter has an Antispam math captcha under 'available plugins', and a reCAPTCHA under include/thirdparty.)

Edited: 1 year ago#12059
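As an added example (not the Password Protected Pages plugin's own code, and not code posted by either participant), here is one way to implement the per-session failed-attempt counter m94 describes in the first post together with the delay after several false logins mabu proposes above. It keeps the counter in a plain PHP session, as m94 tried, but starts that session only when none is running so it does not collide with Typesetter's own session handling for logged-in users. `$page_id` and `$page_password` are hypothetical names for values the plugin's form handler would already have; `PPP_MAX_ATTEMPTS` and `PPP_LOCKOUT_SECONDS` are assumed settings.

```php
<?php
// Added example, not the plugin's own code. Counts wrong passwords per
// protected page in the plain PHP session and locks that page for a while
// after PPP_MAX_ATTEMPTS failures. $page_id and $page_password are
// hypothetical names for values the plugin's handler (pphandle.php)
// would already have.

const PPP_MAX_ATTEMPTS    = 3;   // wrong passwords allowed before lockout
const PPP_LOCKOUT_SECONDS = 300; // lockout length in seconds

/** Start a plain PHP session unless one is already running. */
function ppp_session_start(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Keep the counter cookie away from scripts and cross-site requests.
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }
}

/** Current counter state for one page: failed count and lockout expiry. */
function ppp_state(string $page_id): array
{
    return $_SESSION['ppp_attempts'][$page_id]
        ?? ['count' => 0, 'locked_until' => 0];
}

/** Seconds left in the lockout, or 0 when the page is not locked. */
function ppp_lock_remaining(string $page_id, ?int $now = null): int
{
    $now = $now ?? time();
    return max(0, ppp_state($page_id)['locked_until'] - $now);
}

/**
 * Check a submitted password for one page.
 * Returns 'ok', 'wrong' or 'locked'. hash_equals() compares in constant
 * time, so a partial match does not finish faster than a full mismatch.
 * If the plugin stores a password hash rather than the clear value,
 * use password_verify() here instead.
 */
function ppp_check_password(
    string $page_id,
    string $submitted,
    string $expected,
    ?int $now = null
): string {
    $now   = $now ?? time();
    $state = ppp_state($page_id);

    if ($state['locked_until'] > $now) {
        return 'locked';
    }
    if (hash_equals($expected, $submitted)) {
        unset($_SESSION['ppp_attempts'][$page_id]); // reset on success
        return 'ok';
    }

    $state['count']++;
    if ($state['count'] >= PPP_MAX_ATTEMPTS) {
        $state['locked_until'] = $now + PPP_LOCKOUT_SECONDS;
        $state['count']        = 0;
    }
    $_SESSION['ppp_attempts'][$page_id] = $state;
    return 'wrong';
}

// Usage in the form handler. The guard keeps the file harmless when
// included before the plugin has set the two assumed variables.
if (isset($page_id, $page_password)) {
    ppp_session_start(); // must run before any output is sent
    $result = ppp_check_password($page_id, $_POST['password'] ?? '', $page_password);
    if ($result === 'locked') {
        echo 'Too many wrong passwords. Try again in '
            . ppp_lock_remaining($page_id) . ' seconds.';
    } elseif ($result === 'wrong') {
        echo 'Wrong password.';
    }
}
```

Two points worth keeping in mind when using this. The counter lives in the server-side session that the cookie identifies, so, as m94 already observed, it only limits clients that keep the cookie; against bots that discard it, the delay needs a server-side store not tied to the session, or one of the captchas mabu mentions. And `session_start()` sends a `Set-Cookie` header, so `ppp_session_start()` has to run before the page emits any output.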
