How to throttle login attempts - PHP and MySQL and CodeIgniter

I want to be able to block login attempts based on failed attempts, but I have some questions.

Should I use MySQL? (I read that it can strain the DB)
Should I throttle per user and system-wide, or just system-wide? (to prevent normal people from guessing passwords)
How do I calculate my threshold? (so that it automatically adapts to changes / growth)
How do I get this threshold? A query / calculation on every failure, or a cache?
What should I use for throttling? (I read an answer saying that sleep() can cause server stress)

Does anyone have some sample code?

I am new to this, so I appreciate the help! Thanks

+6
security php mysql login throttling
3 answers

I implemented a simple throttling mechanism in phunction using only APC, here's how I use it:

```php
// allow 60 requests every 30 seconds
// each request counts as 1 (expensive operations can use higher values)
// keep track of IPs by REMOTE_ADDR (ignore others)
$throttle = ph()->Throttle($ttl = 30, $exit = 60, $count = 1, $proxy = false);

if ($throttle === true) {
    // IP exceeded 60 requests in the last 30 seconds, die() here
} else {
    // $throttle is a float: number of requests in the last 30 seconds / 30 seconds
    /*
         1 req / 30 = 0.033 sec
         5 req / 30 = 0.166 sec
        10 req / 30 = 0.333 sec
        15 req / 30 = 0.5 sec
        20 req / 30 = 0.666 sec
        25 req / 30 = 0.833 sec
        30 req / 30 = 1 sec
    */
    usleep(intval(floatval($throttle) * 1000000));
}
```

I use this on my Front-Controller and pass the value to the routing method, but that's a different story.

The bottom line is that if you use APC, you can store things very quickly in memory and with low memory consumption, because APC follows the FILO methodology. If you need a higher timeout, you can use something that is not based on memory.

BTW: MySQL supports tables with the MEMORY engine.


The problem with sleep():

A typical Apache web server with PHP installed as a module will consume about 10 MB of RAM per instance; to avoid exceeding your available RAM, there are some Apache options you can configure to limit the maximum number of instances that Apache can start.

The problem is that while you sleep(), that instance is still active, and with enough requests it can eventually eat up all the available slots for launching new servers, making your website inaccessible until some of the pending requests complete.

There is no way to overcome this from PHP AFAIK, so in the end it is up to you.


The principle is the same for system-wide throttling:

```php
// one global counter in APC: resets every $ttl seconds, trips at $exit hits
function systemWide($ttl = 86400, $exit = 360)
{
    if (extension_loaded('apc') === true) {
        // create the counter with its TTL the first time it is needed
        if (apc_exists(__FUNCTION__) !== true) {
            apc_store(__FUNCTION__, 0, $ttl);
        }

        $result = apc_inc(__FUNCTION__, 1);

        if ($result < $exit) {
            return ($result / $ttl); // float: hits so far / window length
        }

        return true; // limit reached
    }

    return false; // APC not available, nothing is throttled
}
```
+5
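The counter-with-TTL idea from the answer above, written out as an added example that is not phunction's code: one counter per key that expires after ttl seconds, returning True once the limit is exceeded and otherwise count / ttl, the delay the answer feeds to usleep(). A dict stands in for APC so it runs stand-alone; the key names, limits and the injectable clock are assumptions (APCu, Redis or Memcached would replace the dict in production).

```python
"""Fixed-window throttle backed by expiring counters (added example)."""
import time
from typing import Callable, Dict, Tuple, Union


class TtlCounter:
    """apc_store/apc_inc stand-in: counters that restart once their TTL lapses.

    Assumption: single process and a dict; a shared cache takes its place
    on a real deployment.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so tests are deterministic
        self._data: Dict[str, Tuple[int, float]] = {}  # key -> (count, expires_at)

    def inc(self, key: str, ttl: int, step: int = 1) -> int:
        now = self._clock()
        count, expires_at = self._data.get(key, (0, 0.0))
        if expires_at <= now:  # window lapsed: start a fresh one
            count, expires_at = 0, now + ttl
        count += step
        self._data[key] = (count, expires_at)
        return count


def throttle(store: TtlCounter, key: str, ttl: int = 30, limit: int = 60,
             cost: int = 1) -> Union[bool, float]:
    """Per-key throttle, e.g. key = "ip:" + REMOTE_ADDR.

    Returns True once more than `limit` units were counted in the current
    window, otherwise count / ttl (the answer's delay in seconds).
    """
    count = store.inc(key, ttl, cost)
    if count > limit:
        return True
    return count / ttl


def system_wide(store: TtlCounter, ttl: int = 86400,
                limit: int = 360) -> Union[bool, float]:
    """One global counter, mirroring systemWide(): True at the `limit`-th hit."""
    count = store.inc("system_wide", ttl)
    if count < limit:
        return count / ttl
    return True


if __name__ == "__main__":
    # constructed demo: 61 hits from one address in one 30-second window
    store = TtlCounter()
    for _ in range(61):
        result = throttle(store, "ip:203.0.113.5", ttl=30, limit=60)
    print("blocked" if result is True else f"delay {result:.3f}s")
```

The float is the same value the answer passes to usleep(); given the sleep() problem described above, the alternative is to not sleep in the worker at all and instead reject early with an HTTP 429 and a Retry-After header derived from that value, which frees the Apache slot immediately.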

Log failed logins in a table:

```
FailedLogins
    id
    timestamp
    ip
```

Each time a user tries to log in, check whether their IP address has had X failed login attempts in the last Y seconds.

If it failed X times within Y seconds, show an error message or a CAPTCHA.

+1

A MySQL database can handle tons of queries per second, so you don't have to worry about bottlenecks unless you have thousands of users.

You can also use sleep(). NOTE: PHP handles more users than ASP.NET. If you do not have thousands of users, you can use sleep methods without bottlenecks.

What I usually do is save login attempts (IP, userID and timestamp). Store them in a table and reset the table whenever you want (at a certain size or time of day). If the userID + IP has more than the "number of login attempts" within the "specific time", redirect the user to a page that tells them they have used too many attempts and will not be able to log in for the next 15 minutes (or whatever you think is right). A bit Windows-like, I guess, but it works like a charm :)

0
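The table-based approach from the last two answers, as one added example that is not either answerer's code: the FailedLogins table with a per-IP count over the last Y seconds that triggers a CAPTCHA (second answer), plus the userID + IP count that locks the account out for 15 minutes and the periodic table reset (third answer). An in-memory SQLite database stands in for MySQL so it runs offline; the column names, thresholds, window lengths and the injectable clock are assumptions.

```python
"""Failed-login log in a database table (added example)."""
import sqlite3
import time
from dataclasses import dataclass
from typing import Callable

SCHEMA = """
CREATE TABLE IF NOT EXISTS FailedLogins (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    ts      INTEGER NOT NULL,   -- unix time of the failed attempt
    ip      TEXT    NOT NULL,
    user_id TEXT    NOT NULL    -- account the attempt targeted
);
CREATE INDEX IF NOT EXISTS fl_ip_ts      ON FailedLogins (ip, ts);
CREATE INDEX IF NOT EXISTS fl_user_ip_ts ON FailedLogins (user_id, ip, ts);
"""


@dataclass
class Decision:
    allowed: bool      # False: refuse without even checking the password
    captcha: bool      # True: allow, but only behind a CAPTCHA
    retry_after: int   # seconds until a refused client may try again


class LoginThrottle:
    """Assumed defaults: CAPTCHA after 10 failures from one IP within 15 min,
    15-minute lockout after 5 failures on one account from one IP."""

    def __init__(self, conn: sqlite3.Connection, *, window: int = 900,
                 ip_captcha_after: int = 10, user_lock_after: int = 5,
                 lockout: int = 900,
                 clock: Callable[[], float] = time.time) -> None:
        self.conn, self.clock = conn, clock
        self.window, self.lockout = window, lockout
        self.ip_captcha_after = ip_captcha_after
        self.user_lock_after = user_lock_after
        conn.executescript(SCHEMA)

    def record_failure(self, ip: str, user_id: str) -> None:
        self.conn.execute(
            "INSERT INTO FailedLogins (ts, ip, user_id) VALUES (?, ?, ?)",
            (int(self.clock()), ip, user_id))

    def record_success(self, ip: str, user_id: str) -> None:
        # a correct password clears this client's strikes against this account
        self.conn.execute(
            "DELETE FROM FailedLogins WHERE user_id = ? AND ip = ?",
            (user_id, ip))

    def check(self, ip: str, user_id: str) -> Decision:
        now = int(self.clock())
        # third answer: userID + IP over the lockout period; MAX(ts) dates the lock
        user_fail, last_ts = self.conn.execute(
            "SELECT COUNT(*), MAX(ts) FROM FailedLogins "
            "WHERE user_id = ? AND ip = ? AND ts > ?",
            (user_id, ip, now - self.lockout)).fetchone()
        if user_fail >= self.user_lock_after:
            return Decision(False, False, last_ts + self.lockout - now)
        # second answer: failures from this IP against any account in the window
        (ip_fail,) = self.conn.execute(
            "SELECT COUNT(*) FROM FailedLogins WHERE ip = ? AND ts > ?",
            (ip, now - self.window)).fetchone()
        return Decision(True, ip_fail >= self.ip_captcha_after, 0)

    def prune(self) -> int:
        """Periodic cleanup (the third answer's table reset); returns rows deleted."""
        cutoff = int(self.clock()) - max(self.window, self.lockout)
        return self.conn.execute(
            "DELETE FROM FailedLogins WHERE ts <= ?", (cutoff,)).rowcount


def attempt_login(t: LoginThrottle, ip: str, user_id: str,
                  password_ok: bool) -> Decision:
    """Login flow: consult the log first, verify the password only if allowed,
    then record the outcome. `password_ok` stands in for the real check."""
    decision = t.check(ip, user_id)
    if not decision.allowed:
        return decision  # locked out: a refused attempt is not counted again
    if password_ok:
        t.record_success(ip, user_id)
    else:
        t.record_failure(ip, user_id)
    return decision


if __name__ == "__main__":
    # constructed demo: five wrong passwords for "alice" from one address
    demo = LoginThrottle(sqlite3.connect(":memory:"))
    for _ in range(5):
        attempt_login(demo, "198.51.100.7", "alice", password_ok=False)
    print(demo.check("198.51.100.7", "alice"))
```

Both queries hit an index on (ip, ts) or (user_id, ip, ts), so the per-attempt cost is two small range scans, which is what makes the third answer's "the DB can take it" hold in practice. Keying the lockout on userID + IP, as that answer does, means guesses against one account spread over many addresses never trip it; a separate count on user_id alone would catch that case and is the per-user throttle the question asks about.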
