This is my login controller and I want to edit it so that when a user enters the password incorrectly 2 times, the login request is locked for 1 minute; if the user is wrong again for a second time, the login request is locked for 5 minutes; if wrong again, the login request is locked for 15 minutes; and the last time, if he is wrong again, the user account is blocked in the database.
Like this:
2x attempts failed = account locked for 1 minute
2x attempts failed again = account locked for 5 minutes
2x attempts failed again = account locked for 15 minutes
Is there someone who wants to help me make the code?
I have copied the login function from AuthenticatesUsers to LoginController. This is the controller:
<?php

namespace App\Http\Controllers\Auth;

use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use App\Providers\RouteServiceProvider;
use Illuminate\Foundation\Auth\AuthenticatesUsers;

class LoginController extends Controller
{
    /*
    |--------------------------------------------------------------------------
    | Login Controller
    |--------------------------------------------------------------------------
    |
    | This controller handles authenticating users for the application and
    | redirecting them to your home screen. The controller uses a trait
    | to conveniently provide its functionality to your applications.
    |
    */

    use AuthenticatesUsers;

    /**
     * Where to redirect users after login.
     *
     * @var string
     */
    protected $redirectTo = RouteServiceProvider::HOME;

    /**
     * Failed attempts allowed before a lockout, and the lockout length in
     * minutes. The ThrottlesLogins trait reads these through maxAttempts()
     * and decayMinutes(); the lockout is keyed on username + client IP.
     */
    protected $maxAttempts = 2;
    protected $decayMinutes = 1;

    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        $this->middleware('guest')->except('logout');
    }

    public function login(Request $request)
    {
        $this->validateLogin($request);

        // If the class is using the ThrottlesLogins trait, we can automatically throttle
        // the login attempts for this application. We'll key this by the username and
        // the IP address of the client making these requests into this application.
        if ($this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        // The attemptLogin() check from AuthenticatesUsers::login(). Without it
        // every request is counted as a failure and nobody can ever log in.
        if ($this->attemptLogin($request)) {
            return $this->sendLoginResponse($request);
        }

        // If the login attempt was unsuccessful we will increment the number of attempts
        // to login and redirect the user back to the login form. Of course, when this
        // user surpasses their maximum number of attempts they will get locked out.
        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request);
    }
}
I know of an enterprise business that had constant problems with denial of service by people deliberately passing invalid credentials for a valid user. You cannot know that it is the actual user that is attempting to login so you end up disabling the account of an innocent user.
Better to use rate limiting, or better still, just use the tried and tested standard authentication code.
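An added example (not code from the question or the answer above) that does the escalating 1 / 5 / 15 minute lockout the question asks for while staying inside the rate limiter the answer recommends. It assumes Laravel 6 or 7 with the laravel/ui `AuthenticatesUsers` trait, whose `throttleKey()` is lowercased username + `|` + client IP, so a stranger spraying bad passwords at a username only locks out their own address, not the real user. The names `lockoutSchedule`, `strikeTtl`, `strikeKey()` and `lockoutMinutes()` are introduced here, and the 24-hour strike lifetime is an assumption. The final step from the question, blocking the account row in the database, is deliberately not implemented, for the denial-of-service reason the answer gives; the `Lockout` event that the trait already fires can be listened to for alerting instead.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Providers\RouteServiceProvider;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = RouteServiceProvider::HOME;

    // Failures allowed inside one window before the lockout fires.
    protected $maxAttempts = 2;

    // Lockout length in minutes for the 1st, 2nd, 3rd, ... lockout of the same
    // username+IP pair (example schedule). The last entry repeats; the account
    // itself is never disabled.
    protected $lockoutSchedule = [1, 5, 15];

    // Seconds the escalation memory survives after the last failure.
    // Assumption for this example: 24 hours.
    protected $strikeTtl = 86400;

    public function __construct()
    {
        $this->middleware('guest')->except('logout');
    }

    // Cache key holding the number of lockouts already served by this
    // username+IP. throttleKey() is provided by the ThrottlesLogins trait.
    protected function strikeKey(Request $request)
    {
        return 'login-strikes:'.$this->throttleKey($request);
    }

    // Window and lockout length for the *next* lockout, from the strike count.
    protected function lockoutMinutes(Request $request)
    {
        $strikes = (int) Cache::get($this->strikeKey($request), 0);
        $index = min($strikes, count($this->lockoutSchedule) - 1);

        return $this->lockoutSchedule[$index];
    }

    // Replaces the trait's version, which uses the fixed $decayMinutes.
    // AuthenticatesUsers::login() calls this after every failed attempt.
    // RateLimiter::hit() only sets the expiry when the key is first created,
    // so the first failure of a window decides how long the window (and the
    // lockout that follows it) lasts.
    protected function incrementLoginAttempts(Request $request)
    {
        $key = $this->throttleKey($request);

        $this->limiter()->hit($key, $this->lockoutMinutes($request) * 60);

        // This failure exhausted the window: record a strike so the next
        // window uses the next, longer value from the schedule.
        if ($this->limiter()->attempts($key) >= $this->maxAttempts()) {
            $strikes = (int) Cache::get($this->strikeKey($request), 0);
            Cache::put($this->strikeKey($request), $strikes + 1, $this->strikeTtl);
        }
    }

    // Called by AuthenticatesUsers::sendLoginResponse() on success: a correct
    // password wipes both the attempt counter and the escalation history.
    protected function clearLoginAttempts(Request $request)
    {
        $this->limiter()->clear($this->throttleKey($request));
        Cache::forget($this->strikeKey($request));
    }
}
```

Sequence for one username+IP: failures 1 and 2 open a 1-minute window and set strike 1; the third request gets the trait's `auth.throttle` response with the remaining seconds; once that expires, the next two failures open a 5-minute window and set strike 2, then a 15-minute window, which repeats thereafter. Because the key includes the client IP, an attacker who works from many addresses is only slowed per address, so the usual advice still applies: keep strong passwords and, where possible, a second factor, rather than relying on the lockout alone.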