There's a weird issue with Laravel's login throttling. I set the variables:

    public $maxAttempts = 5;
    public $decayMinutes = 3;

in Auth/LoginController.php and override the sendLockoutResponse
function like this:

    use Illuminate\Http\Request;

    protected function sendLockoutResponse(Request $request)
    {
        // Seconds until the limiter will accept another attempt for this key
        $seconds = $this->limiter()->availableIn(
            $this->throttleKey($request)
        );
        $minutes = floor($seconds / 60);
        $seconds = $seconds % 60;

        return back()->with('authError', 'Wait ' . $minutes . ' minutes and ' . $seconds . ' seconds.');
    }
When I try 5 failed login attempts using wrong credentials, I can see the authError
message on the page. If I go on with the same e-mail address, I continue to see the minutes and seconds decrease. But if I change the e-mail, the whole throttle gets reset: I still have 5 failed attempts to go.

My question is: if Laravel determines a user's login attempts by IP address and uses the cache to count them, why does changing the e-mail reset the login throttle?
PS: my .env values are:

    BROADCAST_DRIVER=log
    CACHE_DRIVER=file
    SESSION_DRIVER=file
    SESSION_LIFETIME=120
    SESSION_SECURE_COOKIE=false
    QUEUE_DRIVER=database
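The behaviour described in the question comes from how the ThrottlesLogins trait builds its cache key: it combines the lower-cased username field with the client IP, so each distinct e-mail from the same address gets its own bucket of attempts. The following controller is an added example, not code from the question or from Laravel itself; it assumes a Laravel 5.6-style LoginController using AuthenticatesUsers (the framework's throttleKey(), limiter(), $maxAttempts and $decayMinutes). The defaultThrottleKey() method is a hypothetical helper included only to show the framework's default key shape next to an IP-only override.

```php
<?php
// Added example (not from the original post): contrasts Laravel's default
// e-mail+IP throttle key with an IP-only key so that switching e-mail
// addresses does not start a fresh counter.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use Illuminate\Support\Str;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    public $maxAttempts = 5;   // failures allowed before lockout
    public $decayMinutes = 3;  // how long the lockout lasts

    // Hypothetical helper, shown for comparison only: this is the shape of the
    // key the framework uses by default. Because the e-mail is part of the key,
    // "alice@example.com|1.2.3.4" and "bob@example.com|1.2.3.4" are counted
    // separately, which is exactly the reset the question observes.
    protected function defaultThrottleKey(Request $request)
    {
        return Str::lower($request->input($this->username())) . '|' . $request->ip();
    }

    // Override: key on the client IP only, so the 5 attempts are shared across
    // every e-mail that address tries. Trade-off: clients behind one NAT or
    // proxy share a bucket, so make sure the TrustProxies middleware is
    // configured correctly, otherwise one noisy host can lock out everyone
    // sharing its address.
    protected function throttleKey(Request $request)
    {
        return 'login|' . $request->ip();
    }

    protected function sendLockoutResponse(Request $request)
    {
        $seconds = $this->limiter()->availableIn($this->throttleKey($request));

        return back()->with(
            'authError',
            sprintf('Wait %d minutes and %d seconds.', intdiv($seconds, 60), $seconds % 60)
        );
    }
}
```

With the override in place, the counter stored under CACHE_DRIVER=file is keyed only by address, so the lockout message keeps counting down regardless of which e-mail is submitted. Whether that is desirable depends on the deployment: the per-e-mail default limits guessing against a single account, while the IP-only key limits an address that cycles through many accounts; some installations keep both by hitting two keys.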