Laravel Throttle Feature using IP address as Key

Posted: 2016-10-16 14:51:22

NOTE: 5.3, for 5.2 see ending update

The Laravel Throttle feature here is a great addition to the framework. By default it uses the username and the IP for the key to count attempts.

But I want to cover how to switch that to use an IP only and not the username. A good example of why is a hacker running through a list of emails and passwords just trying to break into sites where that user would use the same password as the site the got the list from. This person could try this 5000 long list against your server and not once will Throttle care about that.

The fix is fairly simple in your app/Http/Controllers/Auth/AuthController.php add

    /**
     * Get the throttle key for the given request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return string
     */
    protected function throttleKey(Request $request)
    {
        if (Config::get('auth.throttle_key') == 'ip') {
            return $request->ip();
        } else {
            return Str::lower($request->input($this->username())).'|'.$request->ip();
        }
    }

Then in your config/auth.php add

    /*
    |--------------------------------------------------------------------------
    | Throttle Key
    |--------------------------------------------------------------------------
    |
    | You may choose to block ip address from failed attempts
    | of a combination of IP and Username
    |
    | Supported: "ip", "username|ip"
    |
    */
    'throttle_key' => 'ip'

This way you can switch it later back if needed

From here on the IP will track the failed attempts.

Laravel 5.2

In 5.2 I had to change protected function throttleKey to protected function throttleKey