From e9247ce0176221def7293c311fe1b0cb40f3800e Mon Sep 17 00:00:00 2001
From: Robert Korulczyk
Date: Tue, 12 Apr 2022 23:34:56 +0200
Subject: [PATCH] Improve handling of DDoS/brute force attacks on login form.
---
 .../captcha/plugins/captcha_abstract.php | 3 +-
 phpBB/phpbb/session.php | 33 ++++++++++---------
 2 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/phpBB/phpbb/captcha/plugins/captcha_abstract.php b/phpBB/phpbb/captcha/plugins/captcha_abstract.php
index 61a0ce9a68..864b289fa3 100644
--- a/phpBB/phpbb/captcha/plugins/captcha_abstract.php
+++ b/phpBB/phpbb/captcha/plugins/captcha_abstract.php
@@ -157,7 +157,8 @@ abstract class captcha_abstract
 FROM ' . CONFIRM_TABLE . ' c
 LEFT JOIN ' . SESSIONS_TABLE . ' s ON (c.session_id = s.session_id)
 WHERE s.session_id IS NULL' .
- ((empty($type)) ? '' : ' AND c.confirm_type = ' . (int) $type);
+ ((empty($type)) ? '' : ' AND c.confirm_type = ' . (int) $type)
+ . ' LIMIT 100000';
 $result = $db->sql_query($sql);
 if ($row = $db->sql_fetchrow($result))
diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index 869b214fcc..dad6db007f 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
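Review bot: The `LIMIT 100000` suffix added on the new `+ . ' LIMIT 100000';` line is inlined into the SQL string, so it only parses on drivers whose dialect accepts a LIMIT clause; the DBAL's `sql_query_limit()` exists to emit the per-driver form, so the portable change is to drop the suffix and issue `$result = $db->sql_query_limit($sql, 100000);` in place of the `sql_query` call on the context line below it. The cap also means a run that hits it leaves the remaining orphaned confirm rows for a later collection, which is presumably the intended bounding of per-request work but is worth stating in a comment such as `// Cap the rows handled per run so a flooded confirm table cannot stall the request that performs collection`. The enclosing method starts and ends outside the hunk.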
@@ -802,22 +802,25 @@ class session
 unset($cookie_expire);
- $sql = 'SELECT COUNT(session_id) AS sessions
- FROM ' . SESSIONS_TABLE . '
- WHERE session_user_id = ' . (int) $this->data['user_id'] . '
- AND session_time >= ' . (int) ($this->time_now - (max((int) $config['session_length'], (int) $config['form_token_lifetime'])));
- $result = $db->sql_query($sql);
- $row = $db->sql_fetchrow($result);
- $db->sql_freeresult($result);
-
- if ((int) $row['sessions'] <= 1 || empty($this->data['user_form_salt']))
+ if ($this->data['user_id'] != ANONYMOUS)
 {
- $this->data['user_form_salt'] = unique_id();
- // Update the form key
- $sql = 'UPDATE ' . USERS_TABLE . '
- SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\'
- WHERE user_id = ' . (int) $this->data['user_id'];
- $db->sql_query($sql);
+ $sql = 'SELECT COUNT(session_id) AS sessions
+ FROM ' . SESSIONS_TABLE . '
+ WHERE session_user_id = ' . (int) $this->data['user_id'] . '
+ AND session_time >= ' . (int) ($this->time_now - (max((int) $config['session_length'], (int) $config['form_token_lifetime'])));
+ $result = $db->sql_query($sql);
+ $row = $db->sql_fetchrow($result);
+ $db->sql_freeresult($result);
+
+ if ((int) $row['sessions'] <= 1 || empty($this->data['user_form_salt']))
+ {
+ $this->data['user_form_salt'] = unique_id();
+ // Update the form key
+ $sql = 'UPDATE ' . USERS_TABLE . '
+ SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\'
+ WHERE user_id = ' . (int) $this->data['user_id'];
+ $db->sql_query($sql);
+ }
 }
 }
 else