nitation (Posted April 19, 2008):

Hello guys, I am trying to develop a login system that checks how many times a user logs in with an incorrect password. I want the system to disable such a user after three unsuccessful attempts. Please, how do I go about this?

chigley (Posted April 19, 2008):

Do some reading on sessions.

Fadion (Posted April 19, 2008):

> Do some reading on sessions.

Sessions would be the easy way, but not too reliable. A db table which tracks login attempts would be a good solution.

chigley (Posted April 19, 2008):

> > Do some reading on sessions.
>
> Sessions would be the easy way, but not too reliable. A db table which tracks login attempts would be a good solution.

It's always worked for me in the past? Why isn't it reliable?

Fadion (Posted April 19, 2008):

Sure it works, but login-close the browser-login would bypass the security.

PFMaBiSmAd (Posted April 19, 2008):

In addition to that, if it is a bot script submitting passwords that is not even accepting/providing a session cookie, each new submission would create a new session and the count would always start over at zero. You must store the login attempt count in the user record in the database.

nitation (Author, Posted April 19, 2008):

Guys, thank you for your interest in my post. Can someone please give me a hint on how a session will be able to identify the user attempting to log in incorrectly? Pardon me if I am stressing things out. Thank you in advance.

Fadion (Posted April 19, 2008):

If you're going for the session thing, you just have to set a session and increment it on each failed attempt. I'm giving a full example:

```php
<?php
session_start();
// $db is assumed to be an open mysqli connection
if (isset($_SESSION['loginfailed']) and $_SESSION['loginfailed'] > 3) {
    echo 'You did more than 3 failed login attempts. Try again later.';
} else {
    $user = $_POST['username'];
    $pass = sha1($_POST['password']); // sha1() if you're hashing passwords
    // Prepared statement so the submitted username cannot alter the query
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows == 1) {
        echo 'Login successful.';
        // login code
    } else {
        if (isset($_SESSION['loginfailed'])) {
            $failed = $_SESSION['loginfailed'];
            $_SESSION['loginfailed'] = intval($failed) + 1; // used intval() just to be sure
        } else {
            $_SESSION['loginfailed'] = 1;
        }
        echo 'Login failed. Please try again.';
    }
}
?>
```

It may not be the best or most efficient code, as I wrote it in a rush to give the example, but I'm sure it gives you the idea.

woobarb (Posted April 19, 2008):

If I remember how we implemented it...

When you attempt to log in, the result is logged in a db table (this is modular so that any area can use the facility). Whether the result is good or bad, it is logged for this entry point, but before it even attempts to log in it checks to see if the attempt quota has been used for the time period since the first attempt, etc...

IP, session, agent, proxy, etc. are all logged, including login name. I can't remember which we used for the disallow by proxy bit, but it's one of these:

- HTTP_X_FORWARDED
- HTTP_X_FORWARDED_FOR
- HTTP_VIA
- HTTP_PROXY_CONNECTION
- HTTP_USER_AGENT
- REMOTE_ADDR

Oh, they're part of $_SERVER['*'] if you aren't aware...

nitation (Author, Posted April 19, 2008):

The code works just fine. I want to know how long (duration/time frame) it is going to take for the user to be allowed to log in to the system when he/she has the correct details, because I observed I couldn't log in to the system anymore even when I provided the correct details. I closed my browser and opened a new one; it seems the session still exists. I don't know why. Please explain.

Fadion (Posted April 19, 2008):

Session times are defined in php.ini and that's the time the user will not be able to log in. Anyway, if he/she closes the browser, the session normally should be destroyed. You could go for a cookies attempt, as the expiration time can be set manually: `setcookie('failed', '2', time()+3600); // 1 hour`. Even the cookies can be bypassed as they can be deleted, so the most reliable method should always be the database one.

EDIT: The code I provided will not let the user log in after 3 failed attempts, but you can modify it as you wish.

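An added example (not code from any poster in this thread) of the database-side counter that PFMaBiSmAd, woobarb and Fadion recommend, with a timed lockout so the "how long" question has an explicit answer. The table layout, the `attemptLogin` name, the 15-minute lock and the in-memory SQLite database with its sample user are assumptions made here.

```php
<?php
// Added example: failed-attempt counter stored in the user record, with a timed lockout.
// Schema, names and limits are assumptions; the 'alice' row is constructed sample data.
const MAX_FAILED = 3;       // lock after three bad passwords, as the question asks
const LOCK_SECONDS = 900;   // assumed lockout length (15 minutes)

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT,
    failed_count INTEGER NOT NULL DEFAULT 0, locked_until INTEGER NOT NULL DEFAULT 0)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function attemptLogin(PDO $db, string $user, string $pass, int $now): string
{
    $q = $db->prepare('SELECT id, password_hash, locked_until FROM users WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'failed';    // unknown user gets the same answer as a bad password
    }
    if ((int)$row['locked_until'] > $now) {
        return 'locked';    // quota is checked before the password is looked at
    }
    if (password_verify($pass, $row['password_hash'])) {
        $db->prepare('UPDATE users SET failed_count = 0, locked_until = 0 WHERE id = ?')
           ->execute([$row['id']]);
        return 'ok';
    }
    // Increment inside SQL instead of writing back a value read earlier.
    $db->prepare('UPDATE users SET failed_count = failed_count + 1 WHERE id = ?')
       ->execute([$row['id']]);
    // Start the lock (and a fresh count) once the stored counter reaches the limit.
    $db->prepare('UPDATE users SET failed_count = 0, locked_until = ?
                  WHERE id = ? AND failed_count >= ' . MAX_FAILED)
       ->execute([$now + LOCK_SECONDS, $row['id']]);
    return 'failed';
}

// Each call stands for a separate request that sends no cookie, so no session links them.
$t = 1000000;   // constructed timestamp
foreach (['a', 'b', 'c', 'correct horse'] as $guess) {
    echo attemptLogin($db, 'alice', $guess, $t++), "\n";
}
echo attemptLogin($db, 'alice', 'correct horse', $t + LOCK_SECONDS), "\n";
```

Because the counter is keyed on the username, closing the browser or dropping the cookie does not reset it. The timed unlock also bounds how long someone else's bad guesses can keep the real user out.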
This topic is now archived and is closed to further replies.