Jump to content

Recommended Posts

You could have another column in your table, with "login_failed" "login_failed_time" and then every time the login for the user specified is incorrect, then add one.

 

You can then use an if statement to display some information to say the account is locked, before the lock, though, you should send an email.

 

Then, set up a CRON job to delete the login_failed_time value, and set the login_failed to 0.

 

 

Link to comment
https://forums.phpfreaks.com/topic/261480-login-things/#findComment-1339855
Share on other sites

Then, set up a CRON job to delete the login_failed_time value, and set the login_failed to 0.

Not needed - they can stay locked until the next time they try to log in, at which point the code should check if enough time has passed to allow them to attempt again.

Link to comment
https://forums.phpfreaks.com/topic/261480-login-things/#findComment-1339857
Share on other sites

Sorry i dont get this, someone (maybe not the account holder) tries to log in and is unsuccessful, so you lock that account.

What if it wasnt the actual person whoes account it is that was trying the log in, the original account holder is now locked out for 30 mins through no fault of thier own.

Better to have a seperate table, that logs unsuccessful tries, if someone is unsuccessful 3 times then ban thier ip for 30 mins.

Link to comment
https://forums.phpfreaks.com/topic/261480-login-things/#findComment-1339914
Share on other sites

Sorry i dont get this, someone (maybe not the account holder) tries to log in and is unsuccessful, so you lock that account.

What if it wasnt the actual person whoes account it is that was trying the log in, the original account holder is now locked out for 30 mins through no fault of thier own.

Better to have a seperate table, that logs unsuccessful tries, if someone is unsuccessful 3 times then ban thier ip for 30 mins.

 

How will this stop users who can attack the form with a different IP per request.

 

This is why a mail is sent.

 

The user can deal with a 30 minute lock-out, or have their password brute-forced.

 

The only issue here is someone could theoretically deny a user form ever accessing their account. They'd have to really piss off someone with a botnet to take it this far though.

Link to comment
https://forums.phpfreaks.com/topic/261480-login-things/#findComment-1339971
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.