1 user.module user_login_authenticate_validate($form, &$form_state)

Second phase validation handler on the login form.

Checks supplied username/password against local users table. If successful, $form_state['uid'] is set to the matching user ID. If an account is found $form_state['account_found'] is set to TRUE, though the password may still fail even if an account is found.


core/modules/user/user.module, line 1884
Enables the user registration and login system.


function user_login_authenticate_validate($form, &$form_state) {
  $name = trim($form_state['values']['name']);
  $password = trim($form_state['values']['pass']);
  $flood_config = config('user.flood');
  if (strlen($name) && strlen($password)) {
    // Do not allow any login from the current user's IP if the limit has been
    // reached. Default is 50 failed attempts allowed in one hour. This is
    // independent of the per-user limit to catch attempts from one IP to log
    // in to many different user accounts.  We have a reasonably high limit
    // since there may be only one apparent IP for all users at an institution.
    if (!flood_is_allowed('failed_login_attempt_ip', $flood_config->get('flood_ip_limit'), $flood_config->get('flood_ip_window'))) {
      $form_state['flood_control_triggered'] = 'ip';
    $account = FALSE;
    $credentials = config_get('system.core', 'user_login_method');
    if (($credentials === USER_LOGIN_USERNAME_OR_EMAIL || $credentials === USER_LOGIN_EMAIL_ONLY) && valid_email_address($name)) {
      $account = db_query("SELECT * FROM {users} WHERE mail = :mail AND status = 1", array(':mail' => $name))->fetchObject();
    if (!$account && $credentials !== USER_LOGIN_EMAIL_ONLY) {
      $account = db_query("SELECT * FROM {users} WHERE name = :name AND status = 1", array(':name' => $name))->fetchObject();

    if ($account) {
      $form_state['account_found'] = TRUE;
      if ($flood_config->get('flood_uid_only')) {
        // Register flood events based on the uid only, so they apply for any
        // IP address. This is the most secure option.
        $identifier = $account->uid;
      else {
        // The default identifier is a combination of uid and IP address. This
        // is less secure but more resistant to denial-of-service attacks that
        // could lock out all users with public user names.
        $identifier = $account->uid . '-' . ip_address();
      $form_state['flood_control_user_identifier'] = $identifier;

      // Don't allow login if the limit for this user has been reached.
      // Default is to allow 5 failed attempts every 6 hours.
      if (!flood_is_allowed('failed_login_attempt_user', $flood_config->get('flood_user_limit'), $flood_config->get('flood_user_window'), $identifier)) {
        $form_state['flood_control_triggered'] = 'user';
      // We are not limited by flood control, so try to authenticate.
      // Set $form_state['uid'] as a flag for user_login_final_validate().
      $form_state['uid'] = user_authenticate($account->name, $password);
    else {
      $form_state['account_found'] = FALSE;