Posted by Arjun on Saturday 8th August 2015

Login Throttling in Laravel 5.1

Laravel Laravel 5.1 Login Throttling rate limiting


Login Throttling is also called rate limiting which is very useful to increase the security of the application by protecting login form. Basically the idea behind login throttling is which will count the number of login attempts and once the user or attacker reaches given 3 or 5 number of failed attempts, we will lock the user for sometime or we can lock the user completely.It is up-to application requirements whether you want to lock temporally or permanently.

Most login forms do not stop an automated login attacks, since those are not being logged, you might not even know it is happening. so my suggestion is use logs for login forms and also implement login throttling by halting a user login form after a certain number of failed attempts.

Laravel 5.1 Login throttling comes right out of the box. By default, Laravel 5.1's AuthController already imports the ThrottlesLogins trait, so every new Laravel 5.1 app already has this enabled.


namespace App\Http\Controllers\Auth;

use App\User;
use Validator;
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\ThrottlesLogins;
use Illuminate\Foundation\Auth\AuthenticatesAndRegistersUsers;

class AuthController extends Controller
    use AuthenticatesAndRegistersUsers, ThrottlesLogins;

Now you just need to display errors on your login page,probably you may already have this below snippet in your login page because you need to display "username/password" validation errors

@if (count($errors) > 0)
    <div class="alert alert-danger">
        <strong>Whoops!</strong> There were some problems with your input.<br><br>
            @foreach ($errors->all() as $error)
                <li>{{ $error }}</li>

Once you do, anyone who has 5 failed logins in a row will be stopped from logging in for 60 seconds. Both of these values are customizable

By simply setting a lockoutTime and a maxLoginAttempts property on our AuthController we can override default lockout time and max login attempt limit values.