PrinceOfDragons Posted September 8, 2009

What is the best way to go about locking out a user if he/she fails to log in after a number of attempts?
mikesta707 Posted September 8, 2009

Temporarily banning the IP from logging in, in my opinion. Or via sessions/cookies, though cookies might be a less secure alternative.
PrinceOfDragons Posted September 8, 2009 Author

Should have been more specific. I'm already using the IP ban. I have 4 functions: one to check the table guest users that holds their IP, time, and login attempts; one to block them if the results return > 5; one to unlock the guest after 15 or so minutes. Well, I'll keep working with my idea and post it later to have it reviewed. I'm still new to PHP so I don't know the best way to do things.
PFMaBiSmAd Posted September 8, 2009

You need a column in your user table to hold the failed attempt count. Increment the count for each failed login attempt. If the correct username/password is entered before the count reaches the limit you pick, reset the count. When the value is equal to or greater than the limit you pick, all attempts to log in should fail, even if the correct username/password is entered. The only way to reset the count in this case would be through an administrator page. The real user would need to email you to get the account unlocked.
PrinceOfDragons Posted September 8, 2009 Author

Ya, I was going to do it that way, but if you do it user-specific a person can change names then start again and lock out everyone's accounts. That's the way I started off till I realized I should use a guest using IP address as primary key. I'll give a copy of the code for review after I finish it.
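The two counting schemes discussed above (a per-account counter that only an administrator resets, and a per-IP counter that unlocks after about 15 minutes), as an added example that is not code from any poster in this thread. The `AttemptTracker` class, the in-memory array standing in for the database table, and the sample username, addresses and timestamps are all constructed for illustration.

```php
<?php
// Added example. AttemptTracker and all sample values are constructed.
const MAX_FAILS = 5;        // limit at which the key is locked
const LOCK_SECONDS = 900;   // 15-minute timed unlock

class AttemptTracker {
    private $rows = [];     // key => ['fails' => int, 'last' => unix time]
    private $lockSeconds;   // 0 means only an administrator reset unlocks

    public function __construct($lockSeconds) { $this->lockSeconds = $lockSeconds; }

    public function isLocked($key, $now) {
        if (!isset($this->rows[$key]) || $this->rows[$key]['fails'] < MAX_FAILS) {
            return false;
        }
        $age = $now - $this->rows[$key]['last'];
        if ($this->lockSeconds > 0 && $age >= $this->lockSeconds) {
            unset($this->rows[$key]);       // lock has expired
            return false;
        }
        return true;
    }

    // Returns 'ok', 'failed' or 'locked'.
    public function attempt($key, $passwordOk, $now) {
        if ($this->isLocked($key, $now)) {
            return 'locked';                // refused even if the password is right
        }
        if ($passwordOk) {
            unset($this->rows[$key]);       // success before the limit resets the count
            return 'ok';
        }
        $fails = isset($this->rows[$key]) ? $this->rows[$key]['fails'] + 1 : 1;
        $this->rows[$key] = ['fails' => $fails, 'last' => $now];
        return 'failed';
    }
}

$t0 = 1252400000;                           // constructed timestamp
$byUser = new AttemptTracker(0);            // keyed on username, admin reset only
$byIp   = new AttemptTracker(LOCK_SECONDS); // keyed on client IP, timed unlock
for ($i = 0; $i < MAX_FAILS; $i++) {        // five wrong passwords for "alice" from one address
    $byUser->attempt('alice', false, $t0 + $i);
    $byIp->attempt('203.0.113.7', false, $t0 + $i);
}
echo "per-user, real alice, correct password: ", $byUser->attempt('alice', true, $t0 + 60), "\n";
echo "per-IP, alice from her own address:     ", $byIp->attempt('198.51.100.9', true, $t0 + 60), "\n";
echo "per-IP, first address, 1 minute later:  ", $byIp->attempt('203.0.113.7', true, $t0 + 60), "\n";
echo "per-IP, first address, after 15 min:    ", $byIp->attempt('203.0.113.7', true, $t0 + 4 + LOCK_SECONDS), "\n";
```

Run it with the `php` command-line interpreter to compare the two policies side by side. Keying on the IP alone also locks every client that shares that address.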
PrinceOfDragons Posted September 9, 2009 Author

Ok, here is what I came up with. This shows how many people are online and keeps track of their failed attempts. I'm just having one problem: when the page is refreshed or first accessed the failed attempts accumulate. This will probably not happen after I incorporate it into my site.

```php
<?php
session_start();
include('inc/constants.php');

// Connect and select the database.
$dCon = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME) or die(mysqli_connect_error());

/* The Bugs:
   1. The attempts accumulate on refresh or new page visit. (not sure what to do with this one)
   2. Remove guest not properly functioning. (Fixed !!!)

   Table that the data goes in:
   mysqli_query($dCon, "CREATE TABLE ".TBL_ACTIVE_GUESTS." (ipaddress varchar(15) primary key, lastvisit int(11), loginattempts int(11))")
*/

/* Sets the user up when they first enter the site */
class test {

    /* Sets the Guest account up in the database */
    static function setGuest($ipaddress) {
        global $dCon;
        $time = time() + 5;   // Unix timestamp, so comparisons do not wrap with the clock
        // IGNORE: an existing row for this IP is left untouched.
        $sql = "INSERT IGNORE INTO ".TBL_ACTIVE_GUESTS." (ipaddress, lastvisit) VALUES ('$ipaddress', '$time')";
        mysqli_query($dCon, $sql);
    }

    /* Determines how many users are viewing the site */
    static function usersOnline() {
        global $dCon;
        $sql = "SELECT * FROM ".TBL_ACTIVE_GUESTS;
        $results = mysqli_query($dCon, $sql);
        echo 'There are '.mysqli_num_rows($results).' user(s) online';
    }

    /* Returns [lastvisit, loginattempts] for this IP, or null if there is no row */
    static function checkGuest($ipaddress) {
        global $dCon;
        $sql = "SELECT lastvisit, loginattempts FROM ".TBL_ACTIVE_GUESTS." WHERE ipaddress = '$ipaddress'";
        $result = mysqli_query($dCon, $sql);
        return mysqli_fetch_array($result);
    }

    /* Deletes every row whose lastvisit time has passed */
    static function removeGuest() {
        global $dCon;
        $sql = "SELECT * FROM ".TBL_ACTIVE_GUESTS;
        $results = mysqli_query($dCon, $sql);
        while ($row = mysqli_fetch_array($results)) {
            if ($row['lastvisit'] < time() && $row['lastvisit'] > -1) {
                mysqli_query($dCon, "DELETE FROM ".TBL_ACTIVE_GUESTS." WHERE lastvisit = ".(int)$row['lastvisit']);
                echo $row['lastvisit'];
                echo '<br>';
            }
        }
    }

    /* Counts a failed attempt and, after more than 5, pushes lastvisit 60 seconds ahead */
    static function lockGuest($ipaddress, $post) {
        global $dCon;
        $time = time() + 60;
        if (!isset($_SESSION['attempts'])) {
            $_SESSION['attempts'] = 0;
        }
        if ($post != '5') {
            $_SESSION['attempts']++;
            mysqli_query($dCon, "UPDATE ".TBL_ACTIVE_GUESTS." SET loginattempts = ".(int)$_SESSION['attempts']." WHERE ipaddress = '$ipaddress'");
            echo '<br>';
            echo 'You Failed To Login '.$_SESSION['attempts'].' times';
        }
        if ($_SESSION['attempts'] > 5) {
            mysqli_query($dCon, "UPDATE ".TBL_ACTIVE_GUESTS." SET lastvisit = '$time' WHERE ipaddress = '$ipaddress'");
            echo 'Locked';
        }
    }

    /* Clears the session and the stored count once the lastvisit time has passed */
    static function unlockGuest($ipaddress, $post) {
        global $dCon;
        $unlock = test::checkGuest($ipaddress);
        if (!$unlock || $unlock[0] < time()) {
            echo 'UnLocked';
            session_unset();
            mysqli_query($dCon, "UPDATE ".TBL_ACTIVE_GUESTS." SET loginattempts = '0' WHERE ipaddress = '$ipaddress'");
        }
    }

/* End Of Class */
}

$ipaddress = mysqli_real_escape_string($dCon, $_SERVER['REMOTE_ADDR']);
$post = isset($_POST['test']) ? $_POST['test'] : null;

$now = test::checkGuest($ipaddress);
test::setGuest($ipaddress);
echo $now ? $now[0] : '';
// Runs on every request; on a plain page load $post is null, which != '5',
// so the count goes up (bug 1 above).
test::lockGuest($ipaddress, $post);
test::unlockGuest($ipaddress, $post);
test::removeGuest();
$unlock = test::checkGuest($ipaddress);
echo '<br>';
echo $unlock ? $unlock[0] : '';
?>
<form name="testform" method="post" action="test.php">
<input type="text" name="test" id="test" value="<?php echo htmlspecialchars((string)$post, ENT_QUOTES); ?>">
<input type="submit" name="button" id="button" value="Submit">
</form>
```