
Three strikes login function.


max_power


Hi all,

 

I want to create a login function for my .hta file that allows the user to only make three invalid login attempts before he/she gets locked out. So the process is like the following:

 

If the login details do not exist, a session called $_SESSION['FailedLogin'] is created and is given the value of 1, while the 'Login failed – try again' message appears to the user. Basically, before showing the login form I want to check if the value of $_SESSION['FailedLogin'] is equal to 3. If it is not and the user fails their login again, the value is updated by 1 again (so +1). If the value of $_SESSION['FailedLogin'] reads as 3 then the user will get a message 'three login attempts failed – login now blocked'.

 

How would I create such a function? The fields in the userAuthentication table are UserID, Username and UserPassword.

 

Thanks,

Max


I want to create a login function for my .hta file that allows the user to only make three invalid login attempts before he/she gets locked out.

 

I wouldn't do that, and would display a CAPTCHA after 3 times instead. The reason for this is that my name is quite popular apparently and I always have to come up with different variations on my name, which means that every time I log in I have to go over multiple possibilities before I get it right to actually log in.


Thanks for the reply.

 

Would the coding look something like this:

session_start();
if (!isset($_SESSION['FailedLogin']))
{
    $_SESSION['FailedLogin'] = 0;   // first attempt this session: no failures yet
}
$result = 0; // mysql query... (set to the number of rows matching the submitted username/password)

if ($result != 1)
{
    echo "login failed";
    $_SESSION['FailedLogin'] = $_SESSION['FailedLogin'] + 1;
    if ($_SESSION['FailedLogin'] >= 3)   // was "== 3;" (syntax error); >= also catches every later attempt
    {
        //lock out user.
    }
    else
    {
        //redirect user back to login form code.
    }
}

That is where I am getting confused. I can't map out the logic in code.

 

I will look into protecting the user passwords once I get this sorted.


Yes, something like that, but like I said, DON'T LOCK OUT YOUR USER: some valid users will require more than 3 tries to log in (like myself, due to my name being "popular").

 

session_start(); // needed before $_SESSION is used, otherwise the counter never persists
require_once('recaptchalib.php'); // reCAPTCHA v1 PHP library (recaptcha_get_html / recaptcha_check_answer)

$enableCaptcha = FALSE;
// array_key_exists() takes a single key, so both fields are checked with isset()
if (isset($_POST['username'], $_POST['password'])) {
  // mysql_* functions are removed in PHP 7; a prepared statement (mysqli/PDO) replaces escaping
  $username = mysql_real_escape_string($_POST['username']);
  $password = mysql_real_escape_string($_POST['password']);
  
  if (!array_key_exists('logon_tries', $_SESSION)) {
    $_SESSION['logon_tries'] = 1;
  } else {
    $_SESSION['logon_tries']++;
  }
  
  if ($_SESSION['logon_tries'] === 3) {
    $enableCaptcha = TRUE;//only show reCaptcha don't yet validate
  }
  
  if ($_SESSION['logon_tries'] > 3) {
    $enableCaptcha = TRUE;
    if (!isset($_POST['recaptcha_challenge_field'], $_POST['recaptcha_response_field'])) {
      //user is messing with the HTML, lock him out
      exit; // stop here rather than call recaptcha_check_answer() with missing fields
    }
    
    $privatekey = "...";
    $response = recaptcha_check_answer ($privatekey, $_SERVER["REMOTE_ADDR"],
        $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]);

    if (!$response->is_valid) {
      //reCaptcha invalid.
    }
  }
}

if ($enableCaptcha) {
  $publickey = "..."; // you got this from the signup page
  echo recaptcha_get_html($publickey);
}

 

This will show a reCaptcha once the user enters login information for the third time.
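The complete flow the thread describes, as an added example that is not code from either poster: failed logins are counted in the session counter $_SESSION['FailedLogin'] the first post names, and after three failures every further attempt must carry a CAPTCHA answer, as the reply recommends, instead of locking the account. It assumes a PDO connection, that userAuthentication.UserPassword holds a password_hash() value, and a $verifyCaptcha callable supplied by the caller; none of these are on the page. The demo at the bottom runs offline against an in-memory SQLite table with one constructed user.

```php
<?php
// Added example, not from the thread. Assumed (not on the page): a PDO
// connection, UserPassword stored with password_hash(), and a $verifyCaptcha
// callable that returns true for a valid CAPTCHA answer.
declare(strict_types=1);

const MAX_FREE_ATTEMPTS = 3;

// A hash that matches no real password, used when the username is unknown so
// that an unknown user and a wrong password cost about the same time.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * Handle one login attempt. $session stands in for $_SESSION (passed by
 * reference so the demo can use a plain array without session_start()).
 * Returns 'ok', 'failed' or 'captcha_required'.
 */
function handleLogin(PDO $db, array &$session, string $username, string $password,
                     ?string $captchaAnswer, callable $verifyCaptcha): string
{
    $session['FailedLogin'] = $session['FailedLogin'] ?? 0;

    // After MAX_FREE_ATTEMPTS failures the credentials are not even checked
    // unless the request carries a CAPTCHA answer that verifies.
    if ($session['FailedLogin'] >= MAX_FREE_ATTEMPTS
        && ($captchaAnswer === null || !$verifyCaptcha($captchaAnswer))) {
        return 'captcha_required';
    }

    // Prepared statement: the submitted username never becomes SQL text.
    $stmt = $db->prepare(
        'SELECT UserID, UserPassword FROM userAuthentication WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() runs whether or not the user exists (it is the left
    // operand of &&), so the two failure cases are not distinguishable by time.
    $hash = $row === false ? dummyHash() : $row['UserPassword'];
    if (password_verify($password, $hash) && $row !== false) {
        $session['FailedLogin'] = 0;            // success resets the counter
        $session['UserID'] = (int) $row['UserID'];
        // In a real request call session_regenerate_id(true) here as well, so
        // the authenticated session does not keep the pre-login session id.
        return 'ok';
    }

    $session['FailedLogin']++;
    return 'failed';
}

/** Message shown above the login form, as the first post describes it. */
function loginMessage(array $session): string
{
    $failed = $session['FailedLogin'] ?? 0;
    if ($failed >= MAX_FREE_ATTEMPTS) {
        return 'three login attempts failed - solve the CAPTCHA to continue';
    }
    return $failed > 0 ? 'Login failed - try again' : '';
}

// --- Demo on an in-memory SQLite database with one constructed user -------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userAuthentication
           (UserID INTEGER PRIMARY KEY, Username TEXT UNIQUE, UserPassword TEXT)');
$db->prepare('INSERT INTO userAuthentication (Username, UserPassword) VALUES (?, ?)')
   ->execute(['max', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Stand-in for a real CAPTCHA check (normally a server-side call to the
// CAPTCHA provider's verify endpoint); here only the answer 'ok' verifies.
$verifyCaptcha = fn(string $answer): bool => $answer === 'ok';

$session = [];                       // stands in for $_SESSION in a web request
$attempts = [                        // constructed: [username, password, captcha]
    ['max', 'wrong1', null],
    ['max', 'wrong2', null],
    ['max', 'wrong3', null],
    ['max', 'correct horse', null],  // right password, no CAPTCHA: refused
    ['max', 'correct horse', 'ok'],  // CAPTCHA solved: accepted, counter reset
];
foreach ($attempts as [$u, $p, $c]) {
    $result = handleLogin($db, $session, $u, $p, $c, $verifyCaptcha);
    printf("%-14s captcha=%-4s -> %-16s FailedLogin=%d  \"%s\"\n",
        $p, $c ?? 'none', $result, $session['FailedLogin'], loginMessage($session));
}
```

The counter lives in the session, as in the thread, so it only tracks one browser session; if the count must hold across sessions, keep a per-account counter in the database alongside it. The fourth attempt above shows the point of checking the CAPTCHA before the credentials: once the threshold is reached, no password is verified until the CAPTCHA passes, which is what keeps the throttle meaningful while still letting a legitimate user get in.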
