author | Thorbjørn Lindeijer <bjorn@lindeijer.nl> | 2009-10-03 22:14:24 +0200 |
---|---|---|
committer | Thorbjørn Lindeijer <bjorn@lindeijer.nl> | 2009-10-03 22:21:41 +0200 |
commit | 4cbf5877c9ca5d3e5754e568fbadd670fe1f7ff6 (patch) | |
tree | e50cdb70ec69af7d7b1af79fbef13b78a4015aca /src/utils/tokencollector.cpp | |
parent | af0d672fcb9fb8da583f014b9875350e7480f467 (diff) | |

Limit login attempt frequency based on IP address

The previous method was broken because it set the "last time" to the
current time when the client connected. So login would fail when the
username and password were sent within a second of connecting, which
is not desirable.

If I had fixed this by setting the "last time" to login time minus
one second, then an attacker would just need to reconnect for each login
attempt. So now it uses an IP address based approach, where each IP can
only try to log in once per second.

Diffstat (limited to 'src/utils/tokencollector.cpp')
0 files changed, 0 insertions, 0 deletions