Move IpCounter to date-based tmpdir storage with daily cleanup

IpCounter files were stored in the cache directory without cleanup,
causing inode exhaustion on busy sites. Files are now stored in
tmp

Move IpCounter to date-based tmpdir storage with daily cleanup

IpCounter files were stored in the cache directory without cleanup,
causing inode exhaustion on busy sites. Files are now stored in
tmpdir/captcha/ip/Y-m-d/ with automatic daily cleanup via indexer.

Also reorganizes FileCookie to tmpdir/captcha/cookie/Y-m-d/ for
consistency and moves timeout config loading into IpCounter constructor.

fixes #146

show more ...

Add exponential timeout for failed login attempts

Introduces a configurable brute-force protection mechanism that enforces
increasing wait times between login attempts. The timeout doubles with
each

Add exponential timeout for failed login attempts

Introduces a configurable brute-force protection mechanism that enforces
increasing wait times between login attempts. The timeout doubles with
each failure (e.g., 5s → 10s → 20s → ...) up to a configurable maximum.

New settings:
- logindenial: Base timeout in seconds (0 to disable)
- logindenial_max: Maximum timeout cap (default 1 hour)

The feature works independently of CAPTCHA protection - failed attempts
are tracked per IP using the existing IpCounter mechanism, and users
are shown the remaining wait time when blocked.

show more ...

clean up action.php, remove support for deprecated forms

move file cookies to class

first go at cleaning up the code

use $INPUT for access to $_SERVER. fixes #131

fix form handling

The recent login protect change actually influenced all forms instead
only applying to the login form

fix failed login counter. closes #129

Fixes two problems:

* every request was counted as a failed login because $_REQUEST[u] is
nearly always set (to an empty string)
* the captcha entry was disp

fix failed login counter. closes #129

Fixes two problems:

* every request was counted as a failed login because $_REQUEST[u] is
nearly always set (to an empty string)
* the captcha entry was displayed one request too late, because the
event registration happened before the login fail counting

show more ...

added bruteforce protection on login

The new default for protecting the login now takes failed logins from
the originating IP into account.

auto reformat code

add compatibility for new FORM_* events

Updated comment

Highlighted CAPTCHA before submit button

update the lastrun file correctly

clean up old captcha cookies

Old cookies are now cleared once per day.

optionally require a CAPTCHA on login

makes plugin:captchalogin obsolete

now protects the password reset mechanism as well

a bit cleaner way of handling the different modes

removed config for registration

I don't see any reason why anyone should ever switch this off

removed deprecated events

some reformatting

moved to new plugin.info.txt format

Moved some parts to a helper plugin for reuse in other plugins

darcs-hash:20090103171233-7ad00-db4cae1fea54c663224160de8bbebafd251846c6.gz

no longer rely on srand() which does not work on suhosin

darcs-hash:20080916184042-7ad00-5d037cac440d8f11077a1ae01af4242bf42d36ad.gz

italian translation

darcs-hash:20070814044917-7ad00-5ebcad82704d0ba15397298b1bf0652db57f4351.gz