someguy321 (posted October 1, 2010)

I want to limit the number of incorrect login attempts within a specified time period (e.g. 15 minutes). I'm wondering what I should tie those attempts to. E.g. if too many attempts from one IP address for a specific username, lock them out for 15 minutes? Or too many attempts from any IP address for a specific username? Or too many attempts for an IP address matched loosely (i.e. 255.255.255.0 matching) with a specific username? What's the best choice? Just too many attempts for a username? Or also use the IP address? And should I store the attempts in the session, or the DB?
coupe-r (posted October 1, 2010)

Have a column in your DB that increments on bad attempts. At 10 attempts, lock the account. On a good attempt log them in and reset the attempts column.
someguy321 (thread author, posted October 1, 2010)

"Have a column in your DB that increments on bad attempts. At 10 attempts, lock the account. On a good attempt log them in and reset the attempts column."

Sure, I understand, but my question is what makes an attempt? Simply a username? Or a username from a specific IP? For example, consider the following two cases:

1. Person at IP 192.168.1.100 tried to log in to "fakeuser"
2. Person at IP 192.168.1.100 tried to log in to "fakeuser"
3. Person at IP 192.168.1.95 tried to log in to "fakeuser"

Is this 3 attempts on "fakeuser"? Or is it two attempts by the first IP, and only 1 attempt by the second IP?
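The two counting schemes the thread is weighing (a single per-account counter as coupe-r suggests, versus counting per username and per IP-plus-username inside a 15-minute window) can both be kept at once, which answers the "what makes an attempt" question by tracking both views of the same failed attempts. The following is an added example written for this thread, not code from either poster. It keeps a timestamp per failure in an in-memory store that stands in for the DB table (session storage is a poor choice because a fresh session starts with a clean counter), prunes entries older than the window, and locks when either the per-username or the per-IP-and-username count reaches its limit. The limits, the window, the `LoginThrottle` class, the `login` function, the demo account and the salt are all constructed for the example; the replayed attempts are the three from the post above.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60   # the 15-minute window from the question (assumed value)
MAX_PER_USERNAME = 10      # coupe-r's "10 attempts, lock the account"
MAX_PER_IP_USERNAME = 5    # tighter limit for one source hammering one account (assumed)


class LoginThrottle:
    """Sliding-window failure counter keyed two ways: by username and by (ip, username).

    Each deque holds failure timestamps; in a real deployment this is a DB table of
    (username, ip, failed_at) rows queried with 'failed_at > NOW() - 15 minutes'.
    """

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock so the window can be tested
        self._by_user = defaultdict(deque)
        self._by_ip_user = defaultdict(deque)

    def _prune(self, dq, now):
        # Drop failures that fell out of the window; deques are appended in time order.
        while dq and dq[0] <= now - WINDOW_SECONDS:
            dq.popleft()

    def attempts(self, username, ip=None):
        """Failures inside the window: for the account overall, or for one ip on that account."""
        now = self._now()
        key = username.lower()
        dq = self._by_user[key] if ip is None else self._by_ip_user[(ip, key)]
        self._prune(dq, now)
        return len(dq)

    def is_locked(self, username, ip):
        return (self.attempts(username) >= MAX_PER_USERNAME
                or self.attempts(username, ip) >= MAX_PER_IP_USERNAME)

    def record_failure(self, username, ip):
        now = self._now()
        key = username.lower()
        self._by_user[key].append(now)          # counts toward the account total
        self._by_ip_user[(ip, key)].append(now)  # and toward this ip's total on the account

    def record_success(self, username, ip):
        # coupe-r's "reset the attempts column" on a good login.
        key = username.lower()
        self._by_user.pop(key, None)
        self._by_ip_user.pop((ip, key), None)


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-demo-salt"                         # constructed; use a random salt per user
USERS = {"fakeuser": _hash_pw("correct horse", _SALT)}  # constructed demo account


def login(throttle, username, password, ip):
    """Return (ok, reason); the throttle is consulted before the password is checked."""
    if throttle.is_locked(username, ip):
        return False, "locked"
    stored = USERS.get(username.lower())
    candidate = _hash_pw(password, _SALT)   # hashed even for unknown users, so timing is uniform
    if stored is not None and hmac.compare_digest(stored, candidate):
        throttle.record_success(username, ip)
        return True, "ok"
    throttle.record_failure(username, ip)   # unknown usernames are counted too
    return False, "bad credentials"


def replay_thread(start=1000.0):
    """Replay the three attempts from the post and return both counts for each view."""
    clock = [start]
    throttle = LoginThrottle(now=lambda: clock[0])
    for ip in ("192.168.1.100", "192.168.1.100", "192.168.1.95"):
        login(throttle, "fakeuser", "wrong guess", ip)
    return {
        "fakeuser_total": throttle.attempts("fakeuser"),
        "192.168.1.100": throttle.attempts("fakeuser", "192.168.1.100"),
        "192.168.1.95": throttle.attempts("fakeuser", "192.168.1.95"),
    }


if __name__ == "__main__":
    print(replay_thread())   # both answers to the question: 3 total, 2 and 1 per ip
```

With both keys recorded, the three attempts are three on "fakeuser" and, at the same time, two from the first IP and one from the second; the per-username limit is what actually bounds guesses against one account, while the per-IP-and-username limit trips sooner for a single noisy source without letting one source alone lock the legitimate user out of the account for the whole window.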