newbtophp Posted May 4, 2010

I was wondering how would I prevent excess login attempts, e.g. if failed login attempts are = to X amount of times then echo an error and make the person wait X minutes. I'm not looking for something advanced, something basic would do (at least at this moment in time); was thinking perhaps sessions or cookies?

I already have the following code, which seems to work but only allows the login form to be submitted once. Trying to modify it to fit my needs, any help is appreciated.

<?php
// Session storage must be started before $_SESSION can be read or written.
session_start();

// Returns true the first time a given set of POST values is seen in this
// session and false on a repeat submission of the same values.
// ($type is unused here; kept from the original signature.)
function prevent_multi_submit($type = "post", $excl = "validator") {
    $string = "";
    foreach ($_POST as $key => $val) {
        // this test is to exclude a single variable, f.e. a captcha value
        if ($key != $excl) {
            $string .= $val;
        }
    }
    $hash = md5($string);
    if (isset($_SESSION['last']) && $_SESSION['last'] === $hash) {
        return false;   // same form data already processed
    }
    $_SESSION['last'] = $hash;
    return true;
}

// isset($_POST) is always true; check the request method instead.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // strlen needs an argument: the original "strlen < 25" was a bug.
    if (isset($_POST['field']) && $_POST['field'] !== "" && strlen($_POST['field']) < 25) {
        // place here the form validation and other controls
        if (prevent_multi_submit()) {
            // use the function before you call the database
            mysql_query("INSERT INTO tabel...");
            // or send a mail like... ($mailto, $sub, $body set elsewhere)
            mail($mailto, $sub, $body);
        } else {
            echo "The form is already processed";
        }
    } else {
        // your error about invalid fields
    }
}
?>
stuartbates Posted May 4, 2010

You can't really use sessions to prevent excess login attempts because ultimately anyone remotely serious about mounting a brute force attack will simply disable cookies, which will render your defences useless. You really need to have a table in your database for invalid logins and then prevent people attempting once a threshold level has been reached. You could do this based upon account username and/or IP address... although again IP addresses can be spoofed and/or dynamically altered.

One method we often employ with our clients is to utilise PHP's sleep() function to implement a random delay... it won't have any impact upon a manual intruder but plays havoc with automated attacks.

And no answer on security would be complete without simply enforcing your users to have strong passwords in the first place. Brute force attacks are often the least of your concerns when securing PHP applications.
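The approach in the reply above (a database table of invalid logins, a threshold keyed on username and/or IP address, and a random delay on failure), worked through as an added example that is not code from either poster. It uses SQLite in memory through PDO so it runs stand-alone; the table name login_failures, its columns, the threshold of 5 failures, the 15-minute window and the delay range are all assumptions, and the password check is a stand-in for a real password_verify() against a stored hash.

```php
<?php
// Added example, not code from the thread: failed-login throttling backed by a
// database table. SQLite in memory via PDO so it runs stand-alone; swap the DSN
// for your real connection. Table/column names, threshold and window are assumptions.

const MAX_FAILURES   = 5;    // failures tolerated inside the window
const WINDOW_SECONDS = 900;  // 15-minute sliding window; also the wait-out time

function setup_schema(PDO $db): void
{
    $db->exec("CREATE TABLE IF NOT EXISTS login_failures (
        username  TEXT    NOT NULL,
        ip        TEXT    NOT NULL,
        failed_at INTEGER NOT NULL
    )");
    $db->exec("CREATE INDEX IF NOT EXISTS idx_failures_time ON login_failures (failed_at)");
}

// Failures in the window for this username OR this IP, so both one address
// trying many accounts and many addresses trying one account are counted.
function recent_failures(PDO $db, string $user, string $ip, int $now): int
{
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM login_failures
          WHERE failed_at > :since AND (username = :user OR ip = :ip)"
    );
    $stmt->execute([':since' => $now - WINDOW_SECONDS, ':user' => $user, ':ip' => $ip]);
    return (int) $stmt->fetchColumn();
}

function record_failure(PDO $db, string $user, string $ip, int $now): void
{
    $db->prepare("INSERT INTO login_failures (username, ip, failed_at) VALUES (?, ?, ?)")
       ->execute([$user, $ip, $now]);
}

function clear_failures(PDO $db, string $user): void
{
    $db->prepare("DELETE FROM login_failures WHERE username = ?")->execute([$user]);
}

// $check_password stands in for the real credential check, e.g. password_verify()
// against the stored hash. Returns 'locked', 'ok' or 'failed'.
function attempt_login(PDO $db, string $user, string $ip, callable $check_password, int $now): string
{
    if (recent_failures($db, $user, $ip, $now) >= MAX_FAILURES) {
        // Over the threshold: refuse before looking at the password at all.
        return 'locked';
    }
    if ($check_password($user)) {
        clear_failures($db, $user);   // a successful login resets the counter
        return 'ok';
    }
    record_failure($db, $user, $ip, $now);
    // The random delay from the reply: hardly noticeable to a person, but it
    // stretches out every guess an automated client pushes through this path.
    usleep(random_int(200000, 800000));
    return 'failed';
}

// --- demo with constructed input ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setup_schema($db);

$always_wrong = function (string $u): bool { return false; };  // constructed: every guess fails
$ip  = '203.0.113.7';                                            // constructed client address
$now = time();

for ($i = 1; $i <= MAX_FAILURES + 1; $i++) {
    $result = attempt_login($db, 'alice', $ip, $always_wrong, $now);
    echo "attempt $i: $result\n";
    if ($result === 'locked') {
        $wait = (int) ceil(WINDOW_SECONDS / 60);
        echo "Too many failed logins. Please wait up to $wait minutes and try again.\n";
    }
}
```

Because the counter lives server-side in the table rather than in a session, disabling cookies does not reset it, which is the point the reply makes. Two caveats a practitioner would want: counting per username means a third party can lock a legitimate user out by deliberately failing against their account, so many sites prefer escalating delays or a CAPTCHA over a hard lock; and the usleep() delay only slows an attacker who sends requests one at a time, so the table threshold is what actually caps the guess rate. The failure rows should also be pruned periodically (anything older than WINDOW_SECONDS is never read again).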