Glenskie Posted April 23, 2012
OK, so I have my login page all set up and working well, but I want to add a special thing where, after 3 login attempts, it locks the account for something like 30 minutes and notifies the user by email that someone tried to log in and failed. What would be the best way to do this?
PFMaBiSmAd Posted April 23, 2012
You would add columns to your database `user` table to keep track of the count of failed log in attempts and the date/time when the account was locked out.
NLT Posted April 23, 2012
You could have other columns in your table, "login_failed" and "login_failed_time", and then every time the login for the specified user is incorrect, add one. You can then use an if statement to display some information saying the account is locked; before the lock, though, you should send an email. Then set up a CRON job to delete the login_failed_time value and set login_failed to 0.
Jessica Posted April 23, 2012
> Then set up a CRON job to delete the login_failed_time value and set login_failed to 0.

Not needed - they can stay locked until the next time they try to log in, at which point the code should check if enough time has passed to allow them to attempt again.
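Putting the approach from the posts above together (extra columns on the user table, the lock expiring lazily on the next login attempt instead of via a cron job, and an email when the lock triggers), here is an added example that is not code from any poster in this thread. It uses Python with an in-memory SQLite table; the column names, the `notify` callback, the PBKDF2 password hashing and the constructed user are all assumptions, not anything the thread specifies.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta

MAX_FAILED_LOGINS = 3            # lock after this many consecutive failures
LOCKOUT = timedelta(minutes=30)  # how long the account stays locked

# Assumed schema: the two extra columns suggested in the thread, names are my choice.
SCHEMA = """
CREATE TABLE user (
    username      TEXT PRIMARY KEY,
    email         TEXT NOT NULL,
    salt          BLOB NOT NULL,
    pw_hash       BLOB NOT NULL,
    failed_logins INTEGER NOT NULL DEFAULT 0,
    locked_until  TEXT                -- ISO-8601 timestamp, NULL when not locked
)
"""


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked table does not hand out plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    return conn


def add_user(conn, username, email, password):
    salt = secrets.token_bytes(16)
    conn.execute(
        "INSERT INTO user (username, email, salt, pw_hash) VALUES (?, ?, ?, ?)",
        (username, email, salt, _hash(password, salt)),
    )


def attempt_login(conn, username, password, now, notify):
    """Return 'ok', 'bad_credentials' or 'locked'. `now` is injected so the lock
    window can be exercised without waiting; `notify(email, message)` stands in
    for whatever mail function the site uses."""
    row = conn.execute("SELECT * FROM user WHERE username = ?", (username,)).fetchone()
    if row is None:
        # Same answer as a wrong password so the form does not reveal which usernames exist.
        return "bad_credentials"

    failed_before = row["failed_logins"]
    if row["locked_until"]:
        if now < datetime.fromisoformat(row["locked_until"]):
            return "locked"  # still inside the window: do not even check the password
        # Window has passed: clear the lock on this attempt, no cron job needed.
        failed_before = 0
        conn.execute("UPDATE user SET failed_logins = 0, locked_until = NULL WHERE username = ?",
                     (username,))

    if hmac.compare_digest(_hash(password, row["salt"]), row["pw_hash"]):
        conn.execute("UPDATE user SET failed_logins = 0, locked_until = NULL WHERE username = ?",
                     (username,))
        return "ok"

    failed = failed_before + 1
    if failed >= MAX_FAILED_LOGINS:
        until = now + LOCKOUT
        conn.execute("UPDATE user SET failed_logins = ?, locked_until = ? WHERE username = ?",
                     (failed, until.isoformat(), username))
        notify(row["email"], f"{failed} failed login attempts; account locked until {until.isoformat()}")
        return "locked"
    conn.execute("UPDATE user SET failed_logins = ? WHERE username = ?", (failed, username))
    return "bad_credentials"


def simulate():
    """Walk one constructed account through failures, the lock, and its expiry."""
    conn = open_db()
    add_user(conn, "alice", "alice@example.invalid", "correct horse")  # constructed user
    mails = []
    notify = lambda to, msg: mails.append((to, msg))
    t0 = datetime(2012, 4, 23, 12, 0, 0)
    steps = [
        ("alice", "wrong", t0),                               # 1st failure
        ("alice", "wrong", t0 + timedelta(seconds=1)),        # 2nd failure
        ("alice", "wrong", t0 + timedelta(seconds=2)),        # 3rd failure -> locked, mail sent
        ("alice", "correct horse", t0 + timedelta(minutes=10)),  # right password, still locked
        ("alice", "correct horse", t0 + timedelta(minutes=31)),  # lock expired on this attempt
        ("alice", "wrong", t0 + timedelta(minutes=32)),       # counter restarted from zero
        ("nobody", "x", t0),                                  # unknown user, same answer as wrong password
    ]
    results = [attempt_login(conn, u, p, when, notify) for u, p, when in steps]
    return results, mails


if __name__ == "__main__":
    print(simulate())
```

The lock is checked before the password so an attacker gets no signal about the password while the window is open, and the counter only resets on a successful login or on the first attempt after the window has passed, which is exactly the "check on the next attempt" behaviour Jessica describes.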
merylvingien Posted April 23, 2012
Sorry, I don't get this. Someone (maybe not the account holder) tries to log in and is unsuccessful, so you lock that account. What if it wasn't the actual person whose account it is that was trying to log in? The original account holder is now locked out for 30 mins through no fault of their own. Better to have a separate table that logs unsuccessful tries; if someone is unsuccessful 3 times, then ban their IP for 30 mins.
xyph Posted April 23, 2012
> Sorry, I don't get this. Someone (maybe not the account holder) tries to log in and is unsuccessful, so you lock that account. What if it wasn't the actual person whose account it is that was trying to log in? The original account holder is now locked out for 30 mins through no fault of their own. Better to have a separate table that logs unsuccessful tries; if someone is unsuccessful 3 times, then ban their IP for 30 mins.

How will this stop users who can attack the form with a different IP per request? This is why a mail is sent. The user can deal with a 30 minute lock-out, or have their password brute-forced. The only issue here is someone could theoretically deny a user from ever accessing their account. They'd have to really piss off someone with a botnet to take it this far though.
Drummin Posted April 23, 2012
I always have a session stored for login attempts; after three, or whatever amount I set, processing and the form are closed. The browser must be closed for a retry.
xyph Posted April 23, 2012
> I always have a session stored for login attempts; after three, or whatever amount I set, processing and the form are closed. The browser must be closed for a retry.

Sessions use cookies. If a user wipes her cookies, she also wipes her session.