
Prevent excess login attempts?


newbtophp


I was wondering how I would prevent excess login attempts, e.g. if the number of failed login attempts equals X, then echo an error and make the person wait X minutes.

I'm not looking for something advanced; something basic would do (at least at this moment in time). I was thinking perhaps sessions or cookies?

I already have the following code, which seems to work but only allows the login form to be submitted once. I'm trying to modify it to fit my needs; any help is appreciated.

 

<?php
// The duplicate check is stored in the session, so the session must be started first.
session_start();

function prevent_multi_submit($type = "post", $excl = "validator") {
    // Build one string out of every submitted field so the submission can be fingerprinted.
    $string = "";
    foreach ($_POST as $key => $val) {
        // this test is to exclude a single variable, f.e. a captcha value
        if ($key != $excl) {
            $string .= $val;
        }
    }
    $fingerprint = md5($string);
    if (isset($_SESSION['last']) && $_SESSION['last'] === $fingerprint) {
        // Exactly the same form data was already processed in this session.
        return false;
    }
    $_SESSION['last'] = $fingerprint;
    return true;
}

// $_POST is always set (possibly empty), so check the request method instead.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // place here the form validation and other controls
    if (isset($_POST['field']) && $_POST['field'] != "" && strlen($_POST['field']) < 25) {
        if (prevent_multi_submit()) { // use the function before you call the database
            mysql_query("INSERT INTO tabel..."); // or send a mail like...
            mail($mailto, $sub, $body);
        } else {
            echo "The form is already processed";
        }
    } else {
        // your error about invalid fields
    }
}
?>

https://forums.phpfreaks.com/topic/200724-prevent-excess-login-attempts/

You can't really use sessions to prevent excess login attempts because ultimately anyone remotely serious about mounting a brute force attack will simply disable cookies, which will render your defences useless. You really need to have a table in your database for invalid logins and then prevent people attempting once a threshold level has been reached. You could do this based upon account username and/or IP address... although again, IP addresses can be spoofed and/or dynamically altered.

One method we often employ with our clients is to utilise PHP's sleep() function to implement a random delay... it won't have any impact upon a manual intruder but plays havoc with automated attacks. And no answer on security would be complete without simply enforcing your users to have strong passwords in the first place.

Brute force attacks are often the least of your concerns when securing PHP applications.
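The database-table approach from the reply above, worked through as an added example (not code from the thread): failures are counted per username in a table, the account is refused once a threshold is reached until a waiting period passes, and a random delay is added after each failure. The table name, column layout and threshold values are assumptions; an in-memory SQLite database is used via PDO so the script runs stand-alone.

```php
<?php
// Added example, not from the thread: failed-login counter kept in a database table.
// Uses an in-memory SQLite database via PDO so it runs stand-alone; a real
// application would reuse its existing connection. Thresholds are assumed values.
const MAX_FAILURES    = 5;    // failures before the account is locked
const LOCKOUT_SECONDS = 900;  // how long the user must wait (15 minutes)

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// last_failure holds the unix timestamp of the most recent failed attempt.
$pdo->exec("CREATE TABLE login_failures (username TEXT PRIMARY KEY,
            failures INTEGER NOT NULL, last_failure INTEGER NOT NULL)");

// Seconds the user must still wait, or 0 if a login attempt may proceed.
function lockout_remaining(PDO $pdo, string $username, int $now): int {
    $st = $pdo->prepare("SELECT failures, last_failure FROM login_failures WHERE username = ?");
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['failures'] < MAX_FAILURES) {
        return 0;
    }
    return max(0, (int)$row['last_failure'] + LOCKOUT_SECONDS - $now);
}

// Count a failure; the counter restarts if the previous one is older than the lockout window.
function record_failure(PDO $pdo, string $username, int $now): void {
    $st = $pdo->prepare("INSERT INTO login_failures (username, failures, last_failure) VALUES (?, 1, ?)
        ON CONFLICT(username) DO UPDATE SET
            failures = CASE WHEN excluded.last_failure - last_failure > " . LOCKOUT_SECONDS . "
                       THEN 1 ELSE failures + 1 END,
            last_failure = excluded.last_failure");
    $st->execute([$username, $now]);
}

// Wrap the real password check: returns true only when the attempt is allowed and succeeds.
function attempt_login(PDO $pdo, string $username, bool $password_ok, int $now): bool {
    if (($wait = lockout_remaining($pdo, $username, $now)) > 0) {
        echo "Too many failed attempts; try again in " . ceil($wait / 60) . " minute(s).\n";
        return false;
    }
    if ($password_ok) {
        $pdo->prepare("DELETE FROM login_failures WHERE username = ?")->execute([$username]);
        return true;
    }
    record_failure($pdo, $username, $now);
    usleep(random_int(200000, 800000));  // random delay after a failure, as the reply suggests
    echo "Invalid username or password.\n";
    return false;
}
```

Because the counter lives in the database rather than the session, it holds regardless of whether the client accepts cookies; keying the table by (username, IP) instead of username alone is a small change to the primary key and the WHERE clauses.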
