Best Practice to Limit Number of Login Attempts?


limitphp

I'm using a login system as described by thorpe and others from this board.

 

I check for sessions, if set, I get their user variables from the session variables.

If no sessions, I check for tempLogin cookie, if set, I get user variables from that and delete the cookie and set a new one and set session variables.

 

If they log in from a form (user, password), I check their user/pass in the database, if good, I set user session variables.

Right now, I don't have any kind of limit as to how many times they can log in. Is there a best practice method to limit login attempts used?

 

thanks

 

 

This is just thinking off the top of my head, but I reckon you could set a session variable for, let's say, try (or something like that), and then for every attempt that is wrong add a number to it, and after a set number of tries it locks the account or something.

Well, if you use a session table, then when they log in, delete any session row that contains that userid. That way each account cannot share logins. To restrict login attempts... Create a table that is based off the user's IP, then count how many attempts have been made by that IP. If they reach the maximum attempts, block their IP through scripting or using Apache. I have a simple htaccess file that contains a (deny list), that gets cleaned by a CRON JOB, so I don't have to check on users that have already been blocked.

Well, if you use a session table, then when they log in, delete any session row that contains that userid.

How do you delete rows within a session table? 

 

That way each account cannot share logins. To restrict login attempts... Create a table that is based off the user's IP,

I figure a lot of users of my site will be at colleges, etc.

Wouldn't everyone in a dorm have the same IP address if they are using the college network?

 

 

 

Maybe preventing number of login attempts isn't what I should be focused on, maybe I should prevent a certain number of attempts by username?

 

So, after so many tries of logging in with a username, lock that username for about 5 minutes? I'm new to this, so any suggestions are very welcome.
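
An added example, not code from any poster in this thread: the per-username lock of about 5 minutes raised in the last post, combined with a much looser per-IP cap so that a dorm sharing one address is not locked out together. The table name, thresholds, function names and the `alice` account are assumptions, and it uses an in-memory SQLite database through PDO (pdo_sqlite, PHP 7.4+) so it runs stand-alone.

```php
<?php
// Added example: thresholds, table and function names are assumptions.
const MAX_PER_USER = 5;   // failures per username inside the window
const MAX_PER_IP = 50;    // looser: a dorm or campus can share one IP
const WINDOW_SECS = 300;  // lock lasts about 5 minutes

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:'); // stand-in for the site's own database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_failures (username TEXT, ip TEXT, failed_at INTEGER)');
    return $db;
}

function recentFailures(PDO $db, string $column, string $value, int $now): int {
    $column = $column === 'ip' ? 'ip' : 'username'; // fixed literals only, never user input
    $st = $db->prepare("SELECT COUNT(*) FROM login_failures WHERE $column = ? AND failed_at > ?");
    $st->execute([$value, $now - WINDOW_SECS]);
    return (int) $st->fetchColumn();
}

function isThrottled(PDO $db, string $user, string $ip, int $now): bool {
    return recentFailures($db, 'username', $user, $now) >= MAX_PER_USER
        || recentFailures($db, 'ip', $ip, $now) >= MAX_PER_IP;
}

function attemptLogin(PDO $db, string $user, string $pass, string $ip, int $now, callable $check): string {
    $user = strtolower(trim($user)); // so "Alice" and "alice " share one counter
    if (isThrottled($db, $user, $ip, $now)) {
        return 'throttled'; // refuse before the password is even checked
    }
    if ($check($user, $pass)) {
        return 'ok';
    }
    $st = $db->prepare('INSERT INTO login_failures (username, ip, failed_at) VALUES (?, ?, ?)');
    $st->execute([$user, $ip, $now]);
    return 'failed';
}

// Constructed demo: hypothetical account and password, fixed clock values.
$db = makeDb();
$check = fn(string $u, string $p): bool => $u === 'alice' && $p === 'correct horse';
$t = 1000000;
for ($i = 0; $i < MAX_PER_USER; $i++) {
    echo attemptLogin($db, 'alice', 'guess' . $i, '10.0.0.7', $t + $i, $check), "\n";
}
// Inside the window even the right password is refused; after it, login works again.
echo attemptLogin($db, 'alice', 'correct horse', '10.0.0.7', $t + 5, $check), "\n";
echo attemptLogin($db, 'alice', 'correct horse', '10.0.0.7', $t + 305, $check), "\n";
```

Because the counter lives in a database table rather than in the visitor's session, discarding the session cookie does not reset it; rows older than the window can be purged by a scheduled job.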

 

 

Archived

This topic is now archived and is closed to further replies.
