dmcdivitt Posted January 14, 2009

I'm making a PHP page. If a login session variable is not set it will display a login prompt, otherwise do the rest of the page. If the correct password is entered it will set the session variable and proceed.

My question is, how do I prevent someone from clicking submit infinite times on the login? I want to disable the page for the IP address if three consecutive invalid passwords are entered, for probably 15 minutes. Do I maintain a file on disk?

Thanks

uniflare Posted January 14, 2009

You could use a cookie, a database, a flat file or a session. The most secure is probably a database. The only thing is, if you block someone's IP address, chances are someone else will have that IP address a day or even a few hours later - you would want to save the current hostname too, so you can check if the hostname has changed; more than likely the IP address has changed computers also.

Cookies can be deleted/rejected/modified, sessions can be created and destroyed; only the flat file and database options are secure, and I would say only a true database is suitable or efficient.

An IP address, as I've pointed out, is not a permanent ID, and you may end up with a long ban list of people who shouldn't be banned. You could get around this with a cron job or a timed execution (timed execution would be when the website is actually viewed, it will check for any IP addresses that are more than 30 minutes old). (A 30 minute wait period might even be too long.)

dmcdivitt Posted January 14, 2009

Thanks! I'm just getting started with PHP though I've done a lot of .net and java. I see there's no way to have any persistent object to survive between threads. A disk file will work. Each invalid password will manage the disk file and delete anything over 15 minutes old. The point is not to provide accountability but prevent people from playing with the page.
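
The disk-file lockout described in the last post (three consecutive bad passwords per IP, 15 minutes, stale entries deleted on each access), as an added example that is not code from any poster in this thread. It assumes PHP 7.4 or later; the state file location, the function names and the sample credential are all constructed for illustration.

```php
<?php
// Added example: flat-file login throttle. Path and function names are assumptions.
const MAX_FAILURES = 3;    // consecutive bad passwords before lockout
const LOCK_SECONDS = 900;  // 15 minutes
// Load per-IP state under an exclusive lock, drop stale entries, let $fn use it, write it back.
function with_state(string $file, callable $fn)
{
    $fh = fopen($file, 'c+'); // create if missing, never truncate on open
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException('cannot open or lock state file');
    }
    $now = time();
    $state = json_decode(stream_get_contents($fh) ?: '[]', true) ?: [];
    $state = array_filter($state, fn($e) => $now - $e['last'] < LOCK_SECONDS);
    $result = $fn($state, $now);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fclose($fh); // flushes and releases the lock
    return $result;
}
function is_locked(string $file, string $ip): bool
{
    return with_state($file, fn(array $s) => ($s[$ip]['count'] ?? 0) >= MAX_FAILURES);
}
function record_failure(string $file, string $ip): void
{
    with_state($file, function (array &$s, int $now) use ($ip) {
        $s[$ip] = ['count' => ($s[$ip]['count'] ?? 0) + 1, 'last' => $now];
    });
}
function clear_failures(string $file, string $ip): void
{
    with_state($file, function (array &$s) use ($ip) { unset($s[$ip]); });
}
$file   = sys_get_temp_dir() . '/login_failures.json'; // assumed; keep it outside the web root
$ip     = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7';    // constructed fallback for CLI runs
$stored = password_hash('example-password', PASSWORD_DEFAULT); // constructed credential
$pw     = $_POST['password'] ?? null;
session_start();
if (is_locked($file, $ip)) {
    http_response_code(429);
    exit("Too many failed attempts, try again later.\n");
} elseif (is_string($pw) && password_verify($pw, $stored)) {
    clear_failures($file, $ip);
    $_SESSION['logged_in'] = true;
} elseif (is_string($pw)) {
    record_failure($file, $ip);
}
```

The lock check runs before the password is verified, so attempts made during a lockout are neither evaluated nor counted, and the lock lifts 15 minutes after the third failure. Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so every visitor would share one counter.
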
This topic is now archived and is closed to further replies.