Navees_ Posted January 5, 2015 Share Posted January 5, 2015 hope you all had a good Christmas/New Year. I'm creating a a login attempt piece of code for my website portal. The idea behind it is, if a user enters a password incorrectly 5 times consecutively within a 24 hour period, the system should lock them out for 48 hours. I have created the table in mysql for it, and written up some code, but im struggling to do the login attempt side of things. Here is a snippet of the code for the login attempt: if (! (isset($pw_ok) && $pw_ok)) { if (isset($_SERVER["REMOTE_ADDR"])) { $str_RemoteHost = $_SERVER["REMOTE_ADDR"]; } else { $str_RemoteHost = ''; } $errors->defineError("invalid_user_pass", "Your username or password is invalid. Please try again.", array("username","password")); $qry = " INSERT INTO cms_user_login_attempts ( cula_user_id, cula_date_time, cula_remote_host ) VALUES ( " . $db->SQLString($row->user_id) . ", Now(), " . $db->SQLString($str_RemoteHost, true) . " )"; $db->query($qry); } edit: Is it possible someone could help me with writing the code so that it is able to count the amount of attempts a specific user has made, check the database for how many attempts within the 24hr period and if the person has 5 attempts, lock them out. Also if a user enters the correct password within the 5 attempts, i want the attempts to reset for that user. Quote Link to comment Share on other sites More sharing options...
Zane Posted January 5, 2015 Share Posted January 5, 2015 It is possible indeed. Create two columns in your user table: one for last attempt time, and another for fail count. When a user attempts to login perform the following logic. Check to see if the last attempt time is greater than 48 hours, if not, check the fail count for >= 5. If the logic passes and does show that there is no "lock", then reset fail count to 0. Then continue with your successful login script. Quote Link to comment Share on other sites More sharing options...
Navees_ Posted January 5, 2015 Author Share Posted January 5, 2015 It is possible indeed. Create two columns in your user table: one for last attempt time, and another for fail count. When a user attempts to login perform the following logic. Check to see if the last attempt time is greater than 48 hours, if not, check the fail count for >= 5. If the logic passes and does show that there is no "lock", then reset fail count to 0. Then continue with your successful login script. Hello, I have already created the table, the code writes to the database if the password is incorrect. I'm just stuck on the part the of the code finding the amount of bad attempts, checking it within a time period etc. Quote Link to comment Share on other sites More sharing options...
ginerjm Posted January 5, 2015 Share Posted January 5, 2015 Not sure what your code sample is telling me but here is how I would do it, if I had to: - you have a login/user table that holds the user id and the encrypted password. - add to this a datetime field for when a first attempt to login happens - add also a counter for attempts made - grab the user id and password from the user - encrypt the password and then query the login/user table for the record that matches the userid - if you get a record for the id then check the password for a match - if you don't match the password or the record is not found issue a message to the user and setup the input form for them again. if the record exists for the user then update the record with the number of attempts (add 1) and if the datetime has not been set or is outside 48 hrs old, set the current date/time in there. When the attempts reach 5 and the datetime is within 24 hours then reject the logon. - if the record is found and the password matches, then the user is logged in - delete the datetime value and the attempts in the table. Hope this makes sense. Play with it and you'll figure it out. As I said I just made this up and have never done this, but this should work. Of course there are others out there who may find fault with it. BTW - what do you need remote_addr for? You're not trying to limit the attempts to just one ip are you? A guy could try 5 times from one pc and then move to another device and start over, no? Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted January 5, 2015 Share Posted January 5, 2015 Locking out a user for 48 hours is insane. This allows anybody to lock out your entire userbase simply by repeatedly entering wrong passwords. It's denial-of-service made easy. We've discussed this topic back and forth in the last few weeks, so you should search the forum for it. My personal stance is that log-in limits are complicated, user-hostile and ineffective. Before you do anything, I strongly recommend that you actually think about the problem: What are you trying to achieve? Does a log-in limit really solve your problem? Is there maybe a better solution? So what are you trying to achieve? Why would you want your poor users to wait for 2 frigging days before they can access their account again? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.