login things

[Glenskie]

ok so i have my login page all set up and working good , but i want to add a special thing to where after 3 login attempts it locks the account for like 30 mins , and notifies the use by email that someone is trying to login and failed... what would be the best way to do this?

[PFMaBiSmAd]

You would add columns to your database `user` table to keep track of the count of failed log in attempts and the date/time when the account was locked out.

[NLT]

You could have another column in your table, with "login_failed" "login_failed_time" and then every time the login for the user specified is incorrect, then add one.

 

You can then use an if statement to display some information to say the account is locked, before the lock, though, you should send an email.

 

Then, set up a CRON job to delete the login_failed_time value, and set the login_failed to 0.

 

 

[Jessica]

  Quote

Then, set up a CRON job to delete the login_failed_time value, and set the login_failed to 0.

Not needed - they can stay locked until the next time they try to log in, at which point the code should check if enough time has passed to allow them to attempt again.

[merylvingien]

Sorry i dont get this, someone (maybe not the account holder) tries to log in and is unsuccessful, so you lock that account.

What if it wasnt the actual person whoes account it is that was trying the log in, the original account holder is now locked out for 30 mins through no fault of thier own.

Better to have a seperate table, that logs unsuccessful tries, if someone is unsuccessful 3 times then ban thier ip for 30 mins.

[xyph]

  Quote

Sorry i dont get this, someone (maybe not the account holder) tries to log in and is unsuccessful, so you lock that account.

What if it wasnt the actual person whoes account it is that was trying the log in, the original account holder is now locked out for 30 mins through no fault of thier own.

Better to have a seperate table, that logs unsuccessful tries, if someone is unsuccessful 3 times then ban thier ip for 30 mins.

 

How will this stop users who can attack the form with a different IP per request.

 

This is why a mail is sent.

 

The user can deal with a 30 minute lock-out, or have their password brute-forced.

 

The only issue here is someone could theoretically deny a user form ever accessing their account. They'd have to really piss off someone with a botnet to take it this far though.

[Drummin]

I always have session stored for login attempts, after three or whatever amount I set, processing and form is closed.  Browser must be closed for retry.

[xyph]

  Quote

I always have session stored for login attempts, after three or whatever amount I set, processing and form is closed.  Browser must be closed for retry.

 

Sessions use cookies. If a user wipes her cookies, she also wipes her session.