[eluser]andjules[/eluser]
[quote author="billyjeans" date="1281370199"]It seems that clear_attempts should use the same criteria as get_attempts_num, otherwise the login attempts will not be cleared.
Code:
function clear_attempts($ip_address, $login, $expire_period = 86400)
{
    /* modified to make it consistent with get_attempts_num
    $this->db->where(array('ip_address' => $ip_address, 'login' => $login));*/
    $this->db->where('ip_address', $ip_address);
    if (strlen($login) > 0) $this->db->or_where('login', $login);
[/quote]
It does sound like there is a logical hole.
IF clear_attempts - as it was originally written - only clears THIS USER's attempts, it may not solve the problem of the login being blocked because OTHER users (at other IP addresses) have increased the attempts in the database.
As a logical extension, I've needed to add a 'clear_attempts' call to the reset_password function, because once an email/tokenized-authenticated user resets their password, they could still be locked out by OTHER users having maxed out the login attempts.
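
The mismatch discussed in this thread, modelled as an added example (not code from either poster or from the library): SQLite stands in for the login-attempts table, and the two clear functions use the AND and OR criteria from the quoted code. The table layout, the sample addresses and the threshold of 5 are assumptions.

```python
import sqlite3

MAX_ATTEMPTS = 5  # assumed lockout threshold, not taken from the thread

def make_db(rows):
    # Simplified stand-in table (assumed layout: only the two columns used here).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_attempts (ip_address TEXT, login TEXT)")
    conn.executemany("INSERT INTO login_attempts VALUES (?, ?)", rows)
    return conn

def _or_criteria(ip_address, login):
    # ip_address = ? [OR login = ?], the criteria of the modified code above.
    if login:
        return "ip_address = ? OR login = ?", (ip_address, login)
    return "ip_address = ?", (ip_address,)

def get_attempts_num(conn, ip_address, login):
    where, params = _or_criteria(ip_address, login)
    sql = f"SELECT COUNT(*) FROM login_attempts WHERE {where}"
    return conn.execute(sql, params).fetchone()[0]

def clear_attempts_and(conn, ip_address, login):
    # Original criteria: a row must match BOTH this IP and this login.
    conn.execute("DELETE FROM login_attempts WHERE ip_address = ? AND login = ?",
                 (ip_address, login))

def clear_attempts_or(conn, ip_address, login):
    # Modified criteria: the same predicate that get_attempts_num counts with.
    where, params = _or_criteria(ip_address, login)
    conn.execute(f"DELETE FROM login_attempts WHERE {where}", params)

# Constructed sample: five failures against "alice" from other addresses,
# plus one failure from alice's own address.
SAMPLE = [(f"203.0.113.{i}", "alice") for i in range(1, 6)]
SAMPLE.append(("198.51.100.7", "alice"))

def remaining_after(clear_fn):
    # Attempts still counted against alice after she clears from her own IP.
    conn = make_db(SAMPLE)
    clear_fn(conn, "198.51.100.7", "alice")
    return get_attempts_num(conn, "198.51.100.7", "alice")

if __name__ == "__main__":
    for fn in (clear_attempts_and, clear_attempts_or):
        left = remaining_after(fn)
        print(fn.__name__, left, "locked" if left >= MAX_ATTEMPTS else "ok")
```

The OR form also deletes rows recorded for other logins from the same IP address, since the IP match alone is enough to select a row.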