random1 Posted June 16, 2008

Hi All,

I have a login system using PHP and MySQL and I'd like to make the following enhancements:

- Limit failed login attempts per user, by session or IP address
- Limit logged-in session time to x minutes and x seconds
- Limit access to being logged in at one place at a time

What's the best way of implementing these?
.josh Posted June 16, 2008

1) This is two-fold. If the user is using the correct username but the wrong password, you can add an int type column to your user account table that increments on each failed login attempt, and then in your login processing script add a condition to check that column and spit out a denial message if max attempts is reached. This doesn't really help if the username is wrong though, so part 2 would be to have another table called "failed_login_attempts" or something, in which you would pretty much do the same thing as before, except by IP address instead of username. That's about as best you can do, because even that would fail to implement a "3 strikes and you're out" policy if they are using a proxy server or something (changing IP address). You would, of course, need to add some sort of way to have that column reset to 0. You could make the user contact someone who could manually do it if they can prove it's them. You could have it automatically reset after x amount of time.

2) This is also somewhat tricky. Sessions are governed on the client, via a cookie. You don't really have control over what goes on with that unless the user is making requests to the server, so if they log in and then walk away from the computer, there's no way for you to automatically end that session on their end. However, if you're talking about having them be shown as "offline" like on a forum or something, you add a time type column in your user account table called "last_active" and another column of type int called "status". When the user logs in, change status to 1 (signifying they are "online"). A "Users online:" query would be based on status being set to 1. Each time the user makes a request to the server, update it. Set up a cron job to run every x time to check the current time vs. last_active and set status to 0 if it's more than x minutes and x seconds.

3) Have a column in your user account table that holds their IP address. Each time a user logs in, update the IP address (using $_SERVER['REMOTE_ADDR']). As long as they are considered "online" (see #2), if another login attempt is made, check the status and IP, and if status is set to 1 and the IP doesn't match, then deny it.
random1 Posted June 16, 2008 (Author)

Thanks Crayon Violent