Jump to content

How to do this ?-captcha after 3 times.

Rommeo

By Rommeo
in PHP Coding Help

 Share

Recommended Posts

Rommeo Advanced Member

Rommeo

Posted
Posted

I want my website's members to enter the text(captcha) to the box if they enter their passwords wrong three times.

 

How can I count the number of failed attempts ? Where should I save the count  ? file ? session ? cookie ? db ? where is the most secure place ?

 

Thanks in advance

Link to comment
https://forums.phpfreaks.com/topic/181574-how-to-do-this-captcha-after-3-times/
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Replace "vote again" an the following link with "continue trying passwords" - http://www.phpfreaks.com/forums/index.php/topic,276805.msg1309214.html#msg1309214

 

The data in the session might be secure but a hacker can drop the current session (thereby clearing the failed login in count) and just keep trying passwords until he finds one that works.

wee493 Member

wee493

Posted
Posted

So I think, DB is the best place for to store the count and I think one row is enough.

Should I keep the record of failed-attempt-time ?

 

Any ideas ?

 

This is what I would do...

 

Every time a user has a failed login record their IP and unix time in a table. At the top of your login page do a check for failed logins where the current time - failed login time is less than 900 (15 min in seconds). Then count the rows. If the # is > or = to 3 then show them an error.

 

very quick example

$oldest_fail_time = date("U") - 900;

$query = mysql_query("SELECT time FROM failed_login WHERE ip = '$ip' AND time > '$oldest_fail_time'");

if ($mysql_num_rows($query) == '3'){
echo '<h1>Hacker Alert!</h1>';
die();
}

 

phpSensei Advanced Member

phpSensei

Posted
Posted

Replace "vote again" an the following link with "continue trying passwords" - http://www.phpfreaks.com/forums/index.php/topic,276805.msg1309214.html#msg1309214

 

The data in the session might be secure but a hacker can drop the current session (thereby clearing the failed login in count) and just keep trying passwords until he finds one that works.

 

May I ask if the user can drop the current session, would this mean like exiting the browser, clearing cookies and such then coming back to the website?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.