Nasratullah Posted Monday at 07:12 AM

I am trying to set a cookie for my login_system so that when a user enters a wrong email or password three times, I set a cookie for ten minutes. I have done that. Now I want to check whether that cookie has expired: if it has, I will let the user try again; if not, I will keep his account locked for like ten minutes. How do I do it?
mac_gyver Posted Monday at 08:30 AM

If you use a cookie or the session to hold this data, it can be bypassed by simply deleting the cookie or not propagating the cookie or session id cookie between requests. You must store this data persistently on the server, in a database table.

Next, you are not trying to lock the account, you are preventing login attempts for an account, from a device (client type) and its location (IP). If you actually lock the account, it will allow someone to log out and lock out a legitimate user, by just making a bunch of bad login attempts for an account.

Once you have stored the data in a database table, on each login attempt, you would query to find if, how many, and how long ago the bad login attempts were for the account, for the device (client type) and its location (IP). If the current time is greater than the time limit you have chosen from the last bad attempt, you would process the login attempt.
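A sketch of the server-side check described in the post above, added here as an example and not code from any poster in this thread. The `login_attempts` table, the constants, the function names and the use of the User-Agent string as the "client type" are all assumptions; the demo runs on in-memory SQLite with a simulated clock.

```php
<?php
declare(strict_types=1);
// Added example: table, constants and function names are hypothetical.
const MAX_FAILS = 3;       // bad attempts before throttling
const LOCK_SECONDS = 600;  // ten minutes, as in the question

// Returns seconds the client must still wait; 0 means process the attempt.
function secondsUntilAllowed(PDO $db, array $key, int $now): int {
    $st = $db->prepare('SELECT COUNT(*) AS n, MAX(attempted_at) AS last
        FROM login_attempts WHERE email = ? AND ip = ? AND user_agent = ?');
    $st->execute($key);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row['last'] !== null && $now - (int)$row['last'] >= LOCK_SECONDS) {
        clearFailures($db, $key);   // last bad attempt is older than the limit
        return 0;
    }
    return (int)$row['n'] >= MAX_FAILS ? (int)$row['last'] + LOCK_SECONDS - $now : 0;
}

function clearFailures(PDO $db, array $key): void {
    $db->prepare('DELETE FROM login_attempts WHERE email = ? AND ip = ? AND user_agent = ?')
       ->execute($key);
}

// $hash is the stored password_hash() value, or null when the email is unknown.
function attemptLogin(PDO $db, array $key, string $password, ?string $hash, int $now): string {
    $wait = secondsUntilAllowed($db, $key, $now);
    if ($wait > 0) {
        return "throttled, retry in {$wait}s";   // password is not even checked
    }
    if ($hash !== null && password_verify($password, $hash)) {
        clearFailures($db, $key);
        return 'ok';
    }
    $db->prepare('INSERT INTO login_attempts VALUES (?, ?, ?, ?)')
       ->execute([...$key, $now]);
    return 'bad credentials';
}

// Constructed demo: in-memory SQLite (needs pdo_sqlite) and simulated clock values.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE login_attempts (email TEXT NOT NULL, ip TEXT NOT NULL,
    user_agent TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
$key = ['user@example.com', '203.0.113.7', 'ExampleBrowser/1.0'];
foreach ([[0, 'x'], [10, 'y'], [20, 'z'], [30, 'correct horse'], [620, 'correct horse']] as [$t, $pw]) {
    echo "t=$t: ", attemptLogin($db, $key, $pw, $hash, $t), PHP_EOL;
}
```

Because the counter is keyed on account, IP and client type together, bad attempts from one client do not block the legitimate user logging in from another, and deleting cookies on the client changes nothing.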
gizmola Posted Monday at 07:11 PM

Great advice from mac_gyver. As it happens, there is another recent thread that overlaps here that you should check out, as it includes advice on how to design the database structure you can add that will facilitate this type of server-side login restriction mechanism.