nonexist Posted November 24, 2008
Hello.
http://what.cd/login.php
I have tried searching and implementing something like the form on the page above, but I can't seem to get it working how I want it.
Thanks
-nonexist
https://forums.phpfreaks.com/topic/134131-how-to-make-a-login-form-lock-user-from-loging-in-after-x-number-of-tries/
btherl Posted November 25, 2008
There are two things you need:
1. A way to identify your user (probably $_SERVER['REMOTE_ADDR'], but be careful with shared proxies. Or if you lock a particular username out, then this part is easy, it's just the username).
2. A way to remember how many times they tried to login (MySQL database?).
I can give more detail, but I'm not sure what kind of help you are looking for.
nonexist Posted November 25, 2008 (Author)
Well, that's what I was thinking. I would set it for 4 tries, as that sounds reasonable, and each time they failed, their IP would be inserted into a table, and if their IP already existed, then they would have 1 added to their count. But what I'm wondering is, how can I ban them for 8 hours, or just some amount of time? Would I use a cron job every hour that checks if the IP is X hours old, and if so delete it, or is there something easier?
premiso Posted November 25, 2008
Use session variables or a database to store the attempts. Sessions work, but you would have to lock out the user account being tried since IPs are easily spoofed. Example:

    <?php
    session_start();

    $max_attempts = 3;
    $lockout      = 60 * 5; // five minutes, in seconds

    if (!isset($_SESSION['attempts'])) {
        $_SESSION['attempts'] = 0;
    } elseif (isset($_SESSION['last_attempt']) && $_SESSION['attempts'] >= $max_attempts) {
        if (($_SESSION['last_attempt'] + $lockout) > time()) {
            // still inside the five minute window
            echo 'You have reached the threshold. Please wait 5 minutes before trying again.';
            die();
        } else {
            // window has passed, let them try again
            unset($_SESSION['last_attempt']);
            $_SESSION['attempts'] = 0;
        }
    }

    if (isset($_POST['submit'])) {
        // check credentials here and set $authenticated accordingly
        $authenticated = false;
        if (!$authenticated) {
            $_SESSION['attempts']++;
            $_SESSION['last_attempt'] = time();
            if ($_SESSION['attempts'] >= $max_attempts) {
                echo 'You have reached the threshold. Please wait 5 minutes before trying again.';
            }
        }
    }
    ?>

At least that is the basic gist; the code above was just a spur of the moment, so improvements probably can be made, and it is untested. The only problem is they can just close the browser and try again without tying the lockout to the database.
EDIT: Just noticed the IP comment. I would highly suggest against the IP, because IPs are easily spoofed, or if you have 2 users at a work environment, home network or school they will be banned, as you just see the outside IP from them. Putting the ban on the user account is better, and a 5 minute ban is sufficient as that prevents what the ultimate goal is: no brute force.
btherl Posted November 25, 2008
I wouldn't recommend sessions, for the reason premiso gave (the hacker just has to not send the session cookie and the system is defeated). You definitely need to store the data server side.
As for letting them retry after a set period of time, you can store the identifying info (username or IP) in a database, along with a timestamp. Next time they try to login, check how old that timestamp is. No need for a cron job.
About IPs .. well, it is easy for a hacker to find perhaps 100 or 200 proxy servers to spoof their IP with. But if they only get 4 attempts per server, that's still just 400-800 tries. Maybe that's an acceptable limit. The shared proxy with a single outside IP is a bigger issue IMHO, because you'll end up blocking innocent users.
A disadvantage of a 5 minute username ban is you are also blocking the REAL owner of the account from logging in. But many sites use such a system successfully.
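The server-side, timestamp-checked lockout btherl describes, as an added example that is not code from the thread. It keys on the username rather than the IP, uses nonexist's 4 tries and 8 hour window, and assumes PDO with an in-memory SQLite table plus a constructed credential store so it runs stand-alone; the DSN and the users table are what you would swap for your MySQL setup.

```php
<?php
// Added example, not from the thread: per-username lockout stored server side.
// Assumes PDO with an in-memory SQLite table so it runs stand-alone; swap the DSN for MySQL.
const MAX_ATTEMPTS    = 4;          // nonexist's threshold
const LOCKOUT_SECONDS = 8 * 3600;   // nonexist's 8 hour ban

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_attempts (username TEXT PRIMARY KEY,
    failures INTEGER NOT NULL, last_failure INTEGER NOT NULL)');

// btherl's check: compare the stored timestamp on the next login, no cron job needed.
function isLockedOut(PDO $db, string $user, int $now): bool {
    $st = $db->prepare('SELECT failures, last_failure FROM login_attempts WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['failures'] < MAX_ATTEMPTS) return false;
    if ($row['last_failure'] + LOCKOUT_SECONDS > $now) return true; // window still open
    clearFailures($db, $user);  // window expired: reset the counter lazily
    return false;
}

function recordFailure(PDO $db, string $user, int $now): void {
    $db->prepare('INSERT INTO login_attempts (username, failures, last_failure) VALUES (?, 1, ?)
        ON CONFLICT(username) DO UPDATE SET failures = failures + 1,
        last_failure = excluded.last_failure')->execute([$user, $now]);
}

function clearFailures(PDO $db, string $user): void {
    $db->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$user]);
}

// Constructed credential store standing in for the real users table.
$passwords = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

function attempt(PDO $db, array $passwords, string $user, string $pw, int $now): string {
    if (isLockedOut($db, $user, $now)) return 'locked';
    if (isset($passwords[$user]) && password_verify($pw, $passwords[$user])) {
        clearFailures($db, $user);   // successful login resets the counter
        return 'ok';
    }
    recordFailure($db, $user, $now); // same answer for unknown user and wrong password
    return 'denied';
}

$t = 1000000;
for ($i = 0; $i < MAX_ATTEMPTS; $i++) attempt($db, $passwords, 'alice', 'guess', $t++);
echo attempt($db, $passwords, 'alice', 'correct horse', $t), "\n";                   // inside the window
echo attempt($db, $passwords, 'alice', 'correct horse', $t + LOCKOUT_SECONDS), "\n"; // after it expires
```

Because the window is checked lazily on the next attempt, stale rows simply sit in the table until that user's next login clears them, which is the "no cron job" point above.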
premiso Posted November 25, 2008
Another thing you can do/think about: if the user tries x amount of times and is unsuccessful, implement a captcha, sort of like Google. Or even make them answer a secret question to give them 3 more tries before being able to login again. The latter requires you to require the user to have x amount of secret questions so you can display a random one every x attempts.
But 5 minutes is usually acceptable by most users; if not, they email you, so yeah, as long as your contact form works =)
The other item to make sure you have is a password reset form that emails them a temp password; this way they can just get a new password =)
Hope for the best for ya.