frank_solo Posted April 14, 2013 Share Posted April 14, 2013 How can I implement failed attempts with "x" amount of times into the login script below. Solely locking on a IP/username basis. I set up a separate DB like this failed_logins: IP/uusername/failed_attempts The login script: <?php include("config.php"); session_start(); if($_SERVER["REQUEST_METHOD"] == "POST") // username and password sent from Form $myusername=mysql_real_escape_string($_POST['username']); $mypassword=mysql_real_escape_string($_POST['password']); $passcode="Some Hashing Done Here"; // Encrypted Password if (($strUser != "$myusername")&&($strPassword != "$passcode")){ $sql="SELECT id FROM user WHERE username='".$myusername."' and password='".$passcode."'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($count==1){ $_SESSION['myusername']; $_SESSION['login_user']=$myusername; header("location: index.php"); } else{ $error="Your Login Name or Password is invalid"; } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/276928-failed-attempts/ Share on other sites More sharing options...
mac_gyver Posted April 14, 2013 Share Posted April 14, 2013 i would store the ip, username, and datetime of each failed login attempt (one row for each attempt) so that you will know the timing (how old they are and how close together they are) of each attempt. you could eventually add logic to detect attempts too close together that are from a bot script and "hard" (without an automatic reset) lockout an ip/username combination. to "soft" (with an automatic reset) lockout an ip/username combination you would get a count x of the rows in the last y amount of time. this "soft" lockout method would allow new attempts from an ip address as the datetime of the stored attempts "age" and become older than the y amount of time. you would probably want to have a backup "hard" lockout for this method to detect when someone is making a large number of attempts that are slow enough to not trigger a "soft" lockout at all or if there have been a number of "soft" lockouts triggered. if you want to only "hard" lockout an ip/username combination, just get a total count of the rows (not looking at the datetime). if it's over x, consider the ip/username combination locked out. a "hard" lockout would require some administrative action to clear it, such as an actual administrator on the site to unlock the ip/username combination or perhaps send an email to the actual user when an ip/username lockout occurs that would both alert him that this is happening to his account and if it is the actual user that got locked out to provide him with a reset link in the email. Quote Link to comment https://forums.phpfreaks.com/topic/276928-failed-attempts/#findComment-1424684 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.