Jump to content

Recommended Posts

How can I implement failed attempts with "x" amount of times into the login script below. Solely locking on a IP/username basis. I set up a separate DB like this failed_logins: IP/uusername/failed_attempts 

The login script:

 

<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")

// username and password sent from Form
$myusername=mysql_real_escape_string($_POST['username']); 
$mypassword=mysql_real_escape_string($_POST['password']); 
$passcode="Some Hashing Done Here"; // Encrypted Password
if (($strUser != "$myusername")&&($strPassword != "$passcode")){
   $sql="SELECT id FROM user WHERE username='".$myusername."' and password='".$passcode."'";
   $result=mysql_query($sql);
   $count=mysql_num_rows($result);
   if($count==1){
      $_SESSION['myusername'];
	  $_SESSION['login_user']=$myusername;
      header("location: index.php");
      }
   else{
       $error="Your Login Name or Password is invalid";
   }
}

?>

 

Link to comment
https://forums.phpfreaks.com/topic/276928-failed-attempts/
Share on other sites

i would store the ip, username, and datetime of each failed login attempt (one row for each attempt) so that you will know the timing (how old they are and how close together they are) of each attempt. you could eventually add logic to detect attempts too close together that are from a bot script and "hard" (without an automatic reset) lockout an ip/username combination.

 

to "soft" (with an automatic reset) lockout an ip/username combination you would get a count x of the rows in the last y amount of time. this "soft" lockout method would allow new attempts from an ip address as the datetime of the stored attempts "age" and become older than the y amount of time. you would probably want to have a backup "hard" lockout for this method to detect when someone is making a large number of attempts that are slow enough to not trigger a "soft" lockout at all or if there have been a number of "soft" lockouts triggered.

 

if you want to only "hard" lockout an ip/username combination, just get a total count of the rows (not looking at the datetime). if it's over x, consider the ip/username combination locked out.

 

a "hard" lockout would require some administrative action to clear it, such as an actual administrator on the site to unlock the ip/username combination or perhaps send an email to the actual user when an ip/username lockout occurs that would both alert him that this is happening to his account and if it is the actual user that got locked out to provide him with a reset link in the email.

Link to comment
https://forums.phpfreaks.com/topic/276928-failed-attempts/#findComment-1424684
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.