$account =
reset($accounts);
if ($account) { if ($flood_config->
get('uid_only'
)) { // Register flood events based on the uid only, so they apply for any
// IP address. This is the most secure option.
$identifier =
$account->
id();
} else { // The default identifier is a combination of uid and IP address. This
// is less secure but more resistant to denial-of-service attacks that
// could lock out all users with public user names.
$identifier =
$account->
id() . '-' .
$this->
getRequest()->
getClientIP();
} $form_state->
set('flood_control_user_identifier',
$identifier);
// Don't allow login if the limit for this user has been reached.
// Default is to allow 5 failed attempts every 6 hours.
if (!
$this->userFloodControl->
isAllowed('user.failed_login_user',
$flood_config->
get('user_limit'
),
$flood_config->
get('user_window'
),
$identifier)) { $form_state->
set('flood_control_triggered', 'user'
);
return;
} } // We are not limited by flood control, so try to authenticate.