From e7fb3a02d86a3bc88387280561d802d4744e8885 Mon Sep 17 00:00:00 2001 From: Janusz Dobrowolski Date: Wed, 20 Jan 2021 22:36:18 +0100 Subject: [PATCH] [0005322] Login/Timeout: Added message on failed login attempt. --- access/login.php | 10 +++++++--- includes/current_user.inc | 2 ++ includes/session.inc | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/access/login.php b/access/login.php index e8e28975..df2cc695 100644 --- a/access/login.php +++ b/access/login.php @@ -37,13 +37,16 @@ function defaultCompany() if (check_faillog()) { - $blocked_msg = ''._('Too many failed login attempts.
Please wait a while or try later.').'
'; + $blocked = true; $js .= ""; - $demo_text = $blocked_msg; + $demo_text = ''._('Too many failed login attempts.
Please wait a while or try later.').'
'; + } elseif ($_SESSION["wa_current_user"]->login_attempt > 1) { + $demo_text = ''._("Invalid password or username. Please, try again.").''; } + flush_dir(user_js_cache()); if (!isset($def_coy)) $def_coy = 0; @@ -89,6 +92,7 @@ function defaultCompany() end_row(); if (!$login_timeout) table_section_title(_("Version")." $version Build ".$SysPrefs->build_version." - "._("Login")); + $value = $login_timeout ? $_SESSION['wa_current_user']->loginname : ($SysPrefs->allow_demo_mode ? "demouser":""); text_row(_("User name"), "user_name_entry_field", $value, 20, 30); @@ -119,7 +123,7 @@ function defaultCompany() end_table(1); echo "\n"; echo "
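Review bot: The `elseif ($_SESSION["wa_current_user"]->login_attempt > 1)` branch treats `login_attempt` as a count of failed logins, but the only increment in this patch sits at the top of `check_faillog()` (first hunk of includes/session.inc), which this same `if` calls each time the login form is rendered. As written, a plain reload of the login page with nothing submitted appears to push the counter past 1 and show "Invalid password or username", and any other caller of `check_faillog()` moves it as well. Incrementing in the path that actually rejects the credentials (not visible in this patch) and testing `> 0` here would tie the message to a real failed attempt. The wording that does not say which of the two fields was wrong is worth keeping as it is.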
\n"; + ." onclick='".(in_ajax() ? 'retry();': 'set_fullmode();')."'".(isset($blocked) ? " disabled" : '')." >\n"; foreach($_SESSION['timeout']['post'] as $p => $val) { // add all request variables to be resend together with login data diff --git a/includes/current_user.inc b/includes/current_user.inc index c3d162e0..82c8daaf 100644 --- a/includes/current_user.inc +++ b/includes/current_user.inc @@ -32,6 +32,7 @@ class current_user var $old_db; var $logged; var $ui_mode = 0; + var $login_attempt=0; var $prefs; var $cur_con; // current db connection (can be different from $company for superuser) @@ -134,6 +135,7 @@ class current_user $this->email = @$myrow["email"]; update_user_visitdate($this->username); $this->logged = true; + $this->login_attempt=0; $this->last_act = time(); $this->timeout = session_timeout(); flush_dir(user_js_cache()); // refresh cache on login diff --git a/includes/session.inc b/includes/session.inc index e87f8bf1..bb061e43 100644 --- a/includes/session.inc +++ b/includes/session.inc @@ -179,6 +179,7 @@ function check_faillog() $user = $_SESSION["wa_current_user"]->user; + $_SESSION["wa_current_user"]->login_attempt++; if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay)) return true; @@ -530,7 +531,6 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s', '', html_specials_encode($_SERVER['REQUEST_URI'])), 'post' => $_POST); - if (in_ajax()) $Ajax->popup($path_to_root ."/access/timeout.php"); else -- 2.30.2
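Review bot: The added `(isset($blocked) ? " disabled" : '')` only disables the submit button in the browser, so it is a UI hint and not a control; the form can still be posted, and the lockout has to be enforced where the credentials are checked, which this patch does not show. A comment next to it such as `// UI hint only; the server-side check_faillog() test is the actual throttle` would make that explicit. `$blocked` is also assigned only inside the `check_faillog()` branch of the first hunk, so this test relies on the variable being undefined otherwise; setting `$blocked = false;` before that `if` and writing `($blocked ? " disabled" : '')` states the intent directly.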
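Review bot: The new property `var $login_attempt=0;` carries no comment, unlike `$cur_con` two lines below it, and its meaning differs from what the name suggests: in this patch it is incremented on every `check_faillog()` call and reset where `$this->logged = true` is set (second hunk of this file). A comment such as `// check_faillog() calls in this session since the last successful login; drives the login-page message only, not throttling` would keep it from being reused later as a lockout counter. That matters because the value lives in `$_SESSION["wa_current_user"]` and so starts again at 0 with every new session, whereas the throttle visible in includes/session.inc is keyed on `$login_faillog[$user][$_SERVER['REMOTE_ADDR']]`.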