Login Lock Strategies

Login lock strategy was created with the purpose to block multiple attempts made for example by an automated bot

There are 2 kinds of Login Lock Strategies Implemented:

  • Timer
  • Google reCAPTCHA

Setting up Parameters

In the setup (if you enable login lock strategy) the first decision to make is to set the max attempts the user can do before being blocked by our strategy; you will choose it here:

Boostack Setup 4

Then you will be prompted to choose between the two lock strategies implemented: google reCAPTCHA or Timer; if you select reCAPTCHA:

Boostack Setup 5

You will have to insert your public key and your private key. Here you can get the key pair and specify the key pair to work for your site: Click here

If you select timer:

Boostack Setup 6

You will have to insert the seconds the user will not be able to try the next login.


The timer solution will make the login blocked for the seconds specified in the setup section.

  • For what concerns the PHP part:

    In the template .phtml file we dont show the login by using this syntax:

        //Login form goes here.

    In the loginByUsernameAndPlainPassword function located in core/classes/Auth.Class.php the login process gets blocked if the function checkAcceptedTimeFromLastLogin($lastLogin) does not return true and that’s why the waiting time is not passed; if the function returns true then the process to login can go ahead.

Google recaptcha

Google reCAPTCHA will block the login until it’s not completed correctly. We will divide the correct implementation in 3 different parts: the html, the javascript and the php part.

  • For what concerns the HTML part:

    <script type="text/javascript" src=""></script>
    <div id="reCaptcha-align">
        <div name="response" class="g-recaptcha" data-callback="verifyCaptcha" data-sitekey=”yoursite-publickey">

    The important thing about this simple div and the google’s recaptcha api import is the data-callback function that will be used to verify “front-end” side to know if the user completed correctly the reCAPTCHA.

  • For what concerns the Javascript part:

    var captchaResult = false;
    function verifyCaptcha(response){
        if(response) captchaResult = true;

    This is the js function that will be invoked when the reCAPTCHA is completed and will verify that the response given is correct.

  • For what concerns the PHP part:

    In the loginByUsernameAndPlainPassword function located in core/classes/Auth.Class.php we will check “back-end” side the response. This double check: front end and back end side is usefull when you want to check that the response was not manipulated; so we need a validation by making a CURL to the google recaptcha endpoint set in env.php :

    $recaptchaResponse = self::reCaptchaVerify($boostack, $_POST["g-recaptcha-response"]);

    We invoke the reCaptchaVerify function that returns true in case of success, false in case of failure; it makes a CURL request to the google endpoint and validate it by decoding the json response.