Limit the number of failed login attempts

I want to limit failed login attempts. For example, if a particular user tries to log in with the wrong username or password 4 times, I should show a CAPTCHA for the 4th time instead of blocking for a certain time, and continue to show the CAPTCHA as long as a valid username and password are not supplied. After the user has successfully logged in, the number of failed attempts is reset to ZERO.

Is the idea of checking the username instead of the IP address OK from a security point of view? Is it possible to implement this approach without using a database, since it seems to me that I do not need to store a time, because I just show reCAPTCHA? Please give your opinion.

+5
5 answers

You do not want to use the database for the "number of failed login attempts"? Then just use a cookie and check it out. Of course, they can remove it, but this is a hassle.

However, I suspect that you are already getting the username and password from the database, so why not get the last number of failed logins while you are at it?

if (isset($_POST['submit_login'])) {

    if (isset($_POST['username']) && isset($_POST['password'])) {
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['password']);
        // id = unique primary key; string values have to be quoted inside the SQL
        $rs = mysql_query("SELECT id,Username,Password,Failed_logins,IP_address FROM Users WHERE Username = '".$username."'");
        $num = mysql_num_rows($rs);
        if ($num > 0) {
            // I would add a password hash here to $password, and check against the hashed Password from the database
            // But let's check the clear-text passwords
            $row = mysql_fetch_array($rs);
            if ($password == $row['Password']) {
                // Successful login, set session or whatever you need
                // Reset failed logins
                mysql_query('UPDATE Users SET Failed_logins = 0 WHERE id = '.(int)$row['id']);
                header('Location: success.php');
                exit; // stop the script after the redirect
            } else {
                // Failed password check
                if ($row['Failed_logins'] > 3) {
                    // Redirect to captcha
                    header('Location: captcha.php');
                    exit;
                } else {
                    $ip = $_SERVER['REMOTE_ADDR'];
                    if ($row['IP_address'] != $ip) {
                        // New IP address, reset failed logins
                        $failed_logins = 0;
                    } else {
                        // Increment failed logins
                        $failed_logins = $row['Failed_logins'] + 1;
                    }
                    mysql_query("UPDATE Users SET Failed_logins = ".(int)$failed_logins.", IP_address = '".mysql_real_escape_string($ip)."' WHERE id = ".(int)$row['id']);
                } // End check Failed_logins > 3
            }
        } else {
            // No such Username found in database
            $error = 'no_such_username';
        } // End username check from database

    } else {
        // Either username or password is missing
        $error = 'incomplete_form';
    } // end check for username and password

} // end main submit_login check

Something like that.

EDIT:

This is really old code, and I see some problems with it now. But at least you should always use PDO (prepared statements) to insert data into your database.

+8
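The same per-username counter written the way the EDIT above recommends, with PDO prepared statements and a hashed password, as an added example that is not the answerer's code. It uses an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs stand-alone; the table name `users`, its columns, the sample user `alice` and the helper names `setupDatabase`, `attemptLogin` and `demo` are all assumptions for this example. The rule implemented is the asker's: after three wrong passwords, every further attempt for that username must carry a solved CAPTCHA, there is no time-based lockout, and a successful login resets the counter to zero.

```php
<?php
// Added example, not code from the original answer. Table, columns and names
// below are assumptions chosen for this illustration.
declare(strict_types=1);

const CAPTCHA_THRESHOLD = 3; // from the 4th attempt on, a CAPTCHA is required

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL,
        failed_logins INTEGER NOT NULL DEFAULT 0
    )');
    // Constructed sample user; only the hash is stored, never the clear-text password.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Returns 'ok', 'captcha_required' or 'failed'.
 * $captchaSolved says whether this request carried a CAPTCHA response that the
 * CAPTCHA service already accepted (that verification is outside this example).
 */
function attemptLogin(PDO $db, string $username, string $password, bool $captchaSolved = false): string
{
    // Parameter binding: the username is sent separately from the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash, failed_logins FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown username: still run one hash verification so the response time
        // does not differ from the known-user path.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return 'failed';
    }

    // Counter is per username, so it does not depend on the client's IP address.
    if ((int)$row['failed_logins'] >= CAPTCHA_THRESHOLD && !$captchaSolved) {
        return 'captcha_required';
    }

    if (password_verify($password, $row['password_hash'])) {
        // Successful login: reset the counter (the asker's "reset to ZERO").
        $db->prepare('UPDATE users SET failed_logins = 0 WHERE id = :id')
           ->execute([':id' => $row['id']]);
        return 'ok';
    }

    // Wrong password: count it even when a CAPTCHA was solved, so the CAPTCHA
    // keeps being required until a correct password arrives.
    $db->prepare('UPDATE users SET failed_logins = failed_logins + 1 WHERE id = :id')
       ->execute([':id' => $row['id']]);
    return 'failed';
}

function demo(): array
{
    $db = setupDatabase();
    $results = [];
    for ($i = 0; $i < 3; $i++) {
        $results[] = attemptLogin($db, 'alice', 'wrong');          // 'failed' three times
    }
    $results[] = attemptLogin($db, 'alice', 'correct horse');       // 'captcha_required' even though the password is right
    $results[] = attemptLogin($db, 'alice', 'wrong', true);         // 'failed': CAPTCHA solved, password still wrong
    $results[] = attemptLogin($db, 'alice', 'correct horse', true); // 'ok': counter reset to zero
    $results[] = attemptLogin($db, 'alice', 'wrong');               // 'failed', no CAPTCHA needed again yet
    $results[] = attemptLogin($db, 'bob', 'anything');              // 'failed': unknown username
    return $results;
}

print_r(demo());
```

Two points about the design: the counter lives in the same row the login already reads, so it adds no extra query on the happy path, which answers the asker's "without a database" concern (the value must be server-side, and the row is already there). The example also does not reset the counter when the client IP changes, unlike the posted code; a reset keyed on something the client supplies makes the limit easy to avoid, whereas the per-username counter holds regardless of where the attempts come from.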

What are you protecting?

, .

( ...) , IP , .

, ?

+1

, , ? 4 10- , . , .

, . , , memcached, .

, : !

IP- .

  • , .
  • IP-, , .
+1

.

0

- .

, :

(a) IP- ( ) (b) (c) / (: )

: IP-

, -? Wi-Fi? ? , ? ? etc, etc

IP-, , .

, - - .

- ( , , ), !

0
