Rommeo Posted November 15, 2009 Share Posted November 15, 2009 I want my website's members to enter the text(captcha) to the box if they enter their passwords wrong three times. How can I count the number of failed attempts ? Where should I save the count ? file ? session ? cookie ? db ? where is the most secure place ? Thanks in advance Quote Link to comment Share on other sites More sharing options...
Alex Posted November 15, 2009 Share Posted November 15, 2009 I'd go with sessions. They're stored on the server so they're secure. Cookies are insecure, flatfiles and databases are going overboard for something so trivial. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted November 15, 2009 Share Posted November 15, 2009 Replace "vote again" an the following link with "continue trying passwords" - http://www.phpfreaks.com/forums/index.php/topic,276805.msg1309214.html#msg1309214 The data in the session might be secure but a hacker can drop the current session (thereby clearing the failed login in count) and just keep trying passwords until he finds one that works. Quote Link to comment Share on other sites More sharing options...
Alex Posted November 15, 2009 Share Posted November 15, 2009 Wow, I must not be thinking.. I feel really stupid for not realizing that.. Quote Link to comment Share on other sites More sharing options...
Rommeo Posted November 15, 2009 Author Share Posted November 15, 2009 So I think, DB is the best place for to store the count and I think one row is enough. Should I keep the record of failed-attempt-time ? Any ideas ? Quote Link to comment Share on other sites More sharing options...
wee493 Posted November 15, 2009 Share Posted November 15, 2009 So I think, DB is the best place for to store the count and I think one row is enough. Should I keep the record of failed-attempt-time ? Any ideas ? This is what I would do... Every time a user has a failed login record their IP and unix time in a table. At the top of your login page do a check for failed logins where the current time - failed login time is less than 900 (15 min in seconds). Then count the rows. If the # is > or = to 3 then show them an error. very quick example $oldest_fail_time = date("U") - 900; $query = mysql_query("SELECT time FROM failed_login WHERE ip = '$ip' AND time > '$oldest_fail_time'"); if ($mysql_num_rows($query) == '3'){ echo '<h1>Hacker Alert!</h1>'; die(); } Quote Link to comment Share on other sites More sharing options...
phpSensei Posted November 15, 2009 Share Posted November 15, 2009 Replace "vote again" an the following link with "continue trying passwords" - http://www.phpfreaks.com/forums/index.php/topic,276805.msg1309214.html#msg1309214 The data in the session might be secure but a hacker can drop the current session (thereby clearing the failed login in count) and just keep trying passwords until he finds one that works. May I ask if the user can drop the current session, would this mean like exiting the browser, clearing cookies and such then coming back to the website? Quote Link to comment Share on other sites More sharing options...
Alex Posted November 15, 2009 Share Posted November 15, 2009 Normally just closing the browser will end a session, although it does on certain settings. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.