Limit Login attempt _script help


dingi

The index.php is used to log in to my admin panel to create forms myself. But this admin login needs brute-force protection, so I decided to limit the number of login attempts to 3. I tried the code below but could not get it to work.

The Code I tried is: (Login limit code)

// $login_incorrect is assumed to be set by the credential check that runs before this block
if($login_incorrect){
    if(isset($_COOKIE['login'])){
        $attempts = (int)$_COOKIE['login']; // cookie values arrive as strings, so cast before comparing
        if($attempts < 3){
            setcookie('login', $attempts + 1, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
        } else{
            echo 'You are banned for 10 minutes. Try again later';
        }
    } else{
        setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
    }
}

The above code or similar code needs to be inserted in the index.php. Please see the index.php code below:

<?php
// $ssl_suffix, get_dirname(), ADMIN_USER and ADMIN_PASSWORD are not defined in this file;
// they are assumed to come from a config include, and session_start() must already have run.

if(!empty($_SESSION['logged_in']) && $_SESSION['logged_in'] == true){
    header("Location: http{$ssl_suffix}://".$_SERVER['HTTP_HOST'].get_dirname($_SERVER['PHP_SELF'])."/manage_form.php");
    exit;
}

if(!empty($_POST['submit'])){
    $username = trim($_POST['admin_username']);
    $password = trim($_POST['admin_password']);

    if(($username != ADMIN_USER) || ($password != ADMIN_PASSWORD)){
        $_SESSION['AP_LOGIN_ERROR'] = 'Please enter the correct user and password!';
    }else{
        $_SESSION['logged_in'] = true;

        if(!empty($_SESSION['prev_referer'])){
            $next_page = $_SESSION['prev_referer'];
            unset($_SESSION['prev_referer']);
            header("Location: http{$ssl_suffix}://".$_SERVER['HTTP_HOST'].$next_page);
            exit;
        }else{
            header("Location: http{$ssl_suffix}://".$_SERVER['HTTP_HOST'].get_dirname($_SERVER['PHP_SELF'])."/manage_form.php");
            exit;
        }
    }
}

if(!empty($_GET['from'])){
    $_SESSION['prev_referer'] = base64_decode($_GET['from']);
}

$hide_nav = true;
?>

I don't know where to insert the "login limit code" in the index.php. Also it seems that the "login limit code" definitions don't match the definitions of the code in the index.php. I am stuck at this point, not knowing how to alter the "login limit code" and insert it in the appropriate place in the index.php. Please read both pieces of code above and help me implement it so it works. Expecting someone to solve it. Thanks

 

https://forums.phpfreaks.com/topic/243469-limit-login-attempt-_script-help/

You shouldn't rely on cookies to track a user's login attempts. Mainly because if it's a brute-force attack, even if an actual browser was used (for example using the FireForce Fx add-on), cookies simply wouldn't be accepted or would be dumped after every request. Also any standard user could just delete their cookies and start again. Sessions are retained through a cookie, or through a URL, so again are not useful here.

 

You need to implement a back-end system that is unavoidable by the user. Track them by their IP/user-agent. Lock any accounts for a period of time that have more than x amount of login attempts. Request a captcha after the first or second failed login attempts. These are just a few ideas, but cookies are not the way to go!

I'll not give you the code as there are probably millions of examples available on the net. You first need to plan, in English, the logic behind your own script. If you can get the logic down then converting it to PHP is the easy bit. So for example first think about how you'll structure your database table(s): what information do you need, how will you identify users and also how will you link them to a specific account.

 

Personally I would have a simple table "login_attemps" - storing the user's IP, the account they tried to log into, and finally the 'datetime' stamp of the attempt. When an invalid attempt is made, insert the attempt and then perform a query on this table based on the user's IP and within a specific time range. You can then run analysis on this data and using your own 'algorithms' detect what to do next. If banning permanently/temporarily the IP is required, then do that; else warn the user they have made x amount of invalid login attempts and request a CAPTCHA-based confirmation they're human. It would be good measure to also temporarily block the users' affected accounts in case the malicious user accesses the site through a different IP.

 

That's a very broad outline obviously, but just go through it one step at a time. Start with the database, insert the login attempt row, perform the analysis, etc. You'll find it much easier if you take it one step at a time and gradually build it up.
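The following is an added example, not code from either poster in this thread: it implements the server-side design the reply sketches (a "login_attempts" table of IP, account and timestamp, queried within a time window) and shows where such a check slots into the original poster's index.php flow in place of the cookie logic. It assumes PDO with the SQLite driver is available; the table and column names, the 3-failures-per-10-minutes policy, the function names, and the demo values are all constructed for illustration rather than taken from the thread.

```php
<?php
// Added example (not the reply author's or the original poster's code): server-side login
// throttling backed by a "login_attempts" table. Assumptions: PDO + SQLite is available;
// table/column names and the 3-attempts-per-10-minutes policy are constructed here.

const MAX_ATTEMPTS = 3;          // failed attempts allowed inside the window
const WINDOW_SECONDS = 600;      // 10 minutes, matching the original cookie lifetime

function attempts_db(string $path = 'login_attempts.sqlite'): PDO
{
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        ip TEXT NOT NULL,
        account TEXT NOT NULL,
        attempted_at INTEGER NOT NULL)');
    return $db;
}

// Count recent failures for this IP *or* this account, so a lockout follows the account
// even when the source IP changes (the reply's "temporarily block the affected account").
function recent_failures(PDO $db, string $ip, string $account, int $now): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_attempts
        WHERE (ip = :ip OR account = :account) AND attempted_at > :since');
    $stmt->execute([':ip' => $ip, ':account' => $account, ':since' => $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function is_locked_out(PDO $db, string $ip, string $account, int $now): bool
{
    return recent_failures($db, $ip, $account, $now) >= MAX_ATTEMPTS;
}

function record_failure(PDO $db, string $ip, string $account, int $now): void
{
    $stmt = $db->prepare('INSERT INTO login_attempts (ip, account, attempted_at)
        VALUES (:ip, :account, :at)');
    $stmt->execute([':ip' => $ip, ':account' => $account, ':at' => $now]);
    // Housekeeping: rows older than the window no longer affect any decision, so drop them.
    $db->prepare('DELETE FROM login_attempts WHERE attempted_at <= :cutoff')
       ->execute([':cutoff' => $now - WINDOW_SECONDS]);
}

// Where the check goes in the question's index.php: the lockout test runs *before* the
// credentials are compared, and every failed comparison is recorded. In the real page the
// return values map onto $_SESSION['AP_LOGIN_ERROR'] / $_SESSION['logged_in'] and the redirect.
function handle_login(PDO $db, string $ip, string $username, string $password, int $now): string
{
    if (is_locked_out($db, $ip, $username, $now)) {
        return 'locked';    // tell the user to try again later; do not evaluate the password
    }
    // ADMIN_USER / ADMIN_PASSWORD are the constants the question's index.php already uses.
    if ($username !== ADMIN_USER || $password !== ADMIN_PASSWORD) {
        record_failure($db, $ip, $username, $now);
        return 'invalid';   // equivalent to setting $_SESSION['AP_LOGIN_ERROR']
    }
    return 'ok';            // equivalent to $_SESSION['logged_in'] = true and the redirect
}

// Stand-alone demonstration with a constructed in-memory database and a fixed clock.
if (PHP_SAPI === 'cli') {
    define('ADMIN_USER', 'admin');
    define('ADMIN_PASSWORD', 'constructed-demo-password');   // constructed value, not a real secret
    $db = attempts_db(':memory:');
    $t  = 1700000000;                                        // arbitrary fixed epoch for the demo
    $ip = '203.0.113.7';                                     // documentation-range address

    foreach ([1, 2, 3] as $i) {
        echo "attempt $i: ", handle_login($db, $ip, 'admin', 'wrong', $t + $i), "\n";   // invalid x3
    }
    // Fourth try is refused even with the right password while the window is open...
    echo 'attempt 4: ', handle_login($db, $ip, 'admin', ADMIN_PASSWORD, $t + 4), "\n";  // locked
    // ...and succeeds again once the 10-minute window has elapsed.
    echo 'after window: ', handle_login($db, $ip, 'admin', ADMIN_PASSWORD, $t + 4 + WINDOW_SECONDS), "\n"; // ok
}
```

Run it with `php` on the command line to see the three failures, the lockout, and the recovery after the window. In the web page, pass `$_SERVER['REMOTE_ADDR']` and the trimmed `$_POST['admin_username']` / `$_POST['admin_password']` into `handle_login()` and branch on its return value where the original `if(($username != ADMIN_USER) || ...)` test sits; keying the lockout on the account as well as the IP is what stops the cookie-deletion and IP-rotation problems the reply raises.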
