One of the less-known Laravel features is Login throttling. By default, if user tries to log in via default Laravel login form more than 5 times per minute, they will get different error message.
Yes, the error isn’t just “wrong password”. It’s “Too many login attempts. Please try again in X seconds.”
By default, that X is 60, so Laravel restricts login attempts for one minute. But you can customize it.
In your app/Http/Controllers/Auth/LoginController.php, you can add two properties:
class LoginController extends Controller
{
protected $maxAttempts = 3; // Default is 5
protected $decayMinutes = 2; // Default is 1
// ...
}
These properties will override the defaults, so you can specify less/more attempts allowed per minute, and shorter/longer restriction time.
Notice: The throttling is unique to the user’s username / e-mail address and their IP address.
