BrandonE97 Posted June 30, 2007
I've been googling for help in stopping repeated login attempts but haven’t found anything to help start me out. Could someone help me or point me in the right direction? Thanks!

metrostars Posted June 30, 2007
What do you want done, if the person logs in 3 times unsuccessfully, he gets stopped from logging in for 30 mins or so?

BrandonE97 (Author) Posted June 30, 2007
Yea, like 2 or 3 login attempts then a 30 minute wait or so.

Hypnos Posted June 30, 2007
You can use sessions, or if you really want to be aggressive, make a login_error table, and log IPs.

```php
<?php
session_start();

// Keep a per-session counter; !empty() avoids a notice when it is not set yet.
if(!empty($_SESSION['errorcount'])) {
    $_SESSION['errorcount']++;
} else {
    $_SESSION['errorcount'] = 1;
}

if($_SESSION['errorcount'] > 3) {
    die("Get out of here, loser.");
} else {
    // Login
}
```

Of course, they can break it by clearing their cookies.

BrandonE97 (Author) Posted June 30, 2007
How would I go about on that database table?

Hypnos Posted June 30, 2007
Insert a row for every failed login, with the IP and date. Then, to see if they have permission to log in, do a query for their IP, with NOW - 30 minutes ago for date. If there are 3 results, don't let them log in. You probably want to have a cron job to truncate the table. But, that depends on how active your site is.

BrandonE97 (Author) Posted June 30, 2007
Would it be better to log IP and Port or just IP?

Hypnos Posted June 30, 2007
I'm not sure what you're asking. Port will always be 80 (or 443 for SSL). It's a website.

redarrow Posted June 30, 2007
And port 8080.

BrandonE97 (Author) Posted June 30, 2007
The server sends the data to the host on 80 but the host can ask the server on any port. If you have multiple computers behind one IP address then the ports will be different for each computer when it asks for the page.

Hypnos Posted June 30, 2007
> The server sends the data to the host on 80 but the host can ask the server on any port. If you have multiple computers behind one IP address then the ports will be different for each computer when it asks for the page.

It's the reverse of that. Hosts send the request on 80. But to answer the question, there's no need to log any port information.

BrandonE97 (Author) Posted June 30, 2007
Thanks for all your help.

redarrow Posted June 30, 2007
Here's an example: if the user puts in a name that is not god or 1234, after 3 attempts they're kicked out. Couldn't get the 30 min stay-out with a session though, sorry.

```php
<?php
session_start();

// Read the posted fields explicitly rather than relying on register_globals.
$name     = isset($_POST['name']) ? $_POST['name'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
// Escape PHP_SELF before it is echoed into the form action.
$x = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);

if(empty($name) && empty($password)){
    echo <<<HTML
<center>
Please fill out all the form!
<p></p>
<form method="POST" action="$x">
<br><br>
Name
<br>
<input type="text" name="name">
<br><br>
Password
<br>
<input type="password" name="password">
<br><br>
<input type="submit" name="submit" value="Send">
</form>
</center>
HTML;
    session_destroy();
    unset($_SESSION['name']);
    unset($_SESSION['count']);
    unset($_SESSION['ip']);
    exit;
}

if(!empty($_POST['submit'])){
    // Start the counter on the first attempt, then count this one.
    if(empty($_SESSION['count'])){
        $_SESSION['count']=0;
    }
    $_SESSION['count']++;

    // Third attempt with wrong credentials: kick the user out.
    if( ($_SESSION['count']==3) && ($name!="god" || $password!="1234") ){
        echo "<center> <h1>Sorry you submitted to many times </h1> </center>";
        unset($_SESSION['count']);
        exit;
    }elseif($name=="god" && $password=="1234"){
        echo "congrateulation's your in!";
    }
}

echo <<<HTML
<center>
Please login cheers!
<p></p>
<form method="POST" action="$x">
<br><br>
Name
<br>
<input type="text" name="name">
<br><br>
Password
<br>
<input type="password" name="password">
<br><br>
<input type="submit" name="submit" value="Send">
</form>
</center>
HTML;
?>
```

redarrow Posted June 30, 2007
Mini upgrade, sorry admin, modify post runs out too quick.

```php
<?php
session_start();

//database connection
//select statement
//while loop
//set while condition to the get_time variable.
$get_time = time(); // stand-in for the current time: add your MySQL time variable here.

// Still locked out while the current time is before the stored time_out.
if(isset($_SESSION['time_out']) && $get_time < $_SESSION['time_out']){
    echo "sorry wait 2 minutes";
    exit;
}

// Read the posted fields explicitly rather than relying on register_globals.
$name     = isset($_POST['name']) ? $_POST['name'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
// Escape PHP_SELF before it is echoed into the form action.
$x = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);

if(empty($name) && empty($password)){
    echo <<<HTML
<center>
Please fill out all the form!
<p></p>
<form method="POST" action="$x">
<br><br>
Name
<br>
<input type="text" name="name">
<br><br>
Password
<br>
<input type="password" name="password">
<br><br>
<input type="submit" name="submit" value="Send">
</form>
</center>
HTML;
    session_destroy();
    unset($_SESSION['name']);
    unset($_SESSION['count']);
    unset($_SESSION['ip']);
    exit;
}

if(!empty($_POST['submit'])){
    // Start the counter on the first attempt, then count this one.
    if(empty($_SESSION['count'])){
        $_SESSION['count']=0;
    }
    $_SESSION['count']++;

    // Third attempt with wrong credentials: start the time-out and kick the user out.
    if( ($_SESSION['count']==3) && ($name!="god" || $password!="1234") ){
        $_SESSION['time_out']=time()+160; // set how long user stays out
        echo "<center> <h1>Sorry you submitted to many times </h1> </center>";
        unset($_SESSION['count']);
        exit;
    }elseif($name=="god" && $password=="1234"){
        echo "congrateulation's your in!";
    }
}

echo <<<HTML
<center>
Please login cheers!
<p></p>
<form method="POST" action="$x">
<br><br>
Name
<br>
<input type="text" name="name">
<br><br>
Password
<br>
<input type="password" name="password">
<br><br>
<input type="submit" name="submit" value="Send">
</form>
</center>
HTML;
?>
```

king arthur Posted June 30, 2007
Locking a user out after three failed attempts may work. Logging the IP address won't achieve much though. What you ought to do is create a database table that records the username used in the failed attempt, plus the time of the attempt. Insert a new row on every failed attempt. Count up all attempts with the same username in the past hour or however long you want; if there are three or more, disallow access regardless of the password. Delete any rows older than one hour.

The reason recording the IP is not much good is, there are brute force password hacking programs out there that can hide themselves behind proxies. So each time they attempt a username/password combination, the IP address appears to be different. If your server can cope with the login page being hit once per second for several hours, using the above method may be good enough to foil these programs.
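
Added example, not part of any post in this thread: a sketch of the failed-login table that Hypnos and king arthur describe, checking both the IP and the username inside a 30-minute window. The table name `login_error` comes from the thread; the column names, the in-memory SQLite database reached through PDO, and the sample addresses and timestamp are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Column names and limits are assumptions.
const MAX_FAILURES = 3;
const WINDOW_SECONDS = 1800; // 30 minutes

function throttle_db(): PDO {
    $db = new PDO('sqlite::memory:'); // in-memory SQLite keeps the example self-contained
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_error (username TEXT, ip TEXT, attempted_at INTEGER)');
    return $db;
}

// Insert one row per failed login, as both posts describe.
function record_failure(PDO $db, string $username, string $ip, int $now): void {
    $stmt = $db->prepare('INSERT INTO login_error (username, ip, attempted_at) VALUES (?, ?, ?)');
    $stmt->execute([strtolower($username), $ip, $now]);
}

// True when the username OR the IP has MAX_FAILURES rows inside the window.
function is_locked_out(PDO $db, string $username, string $ip, int $now): bool {
    $keys = ['username' => strtolower($username), 'ip' => $ip];
    foreach ($keys as $column => $value) { // column names are fixed literals, never user input
        $stmt = $db->prepare(
            "SELECT COUNT(*) FROM login_error WHERE $column = ? AND attempted_at > ?");
        $stmt->execute([$value, $now - WINDOW_SECONDS]);
        if ((int) $stmt->fetchColumn() >= MAX_FAILURES) {
            return true;
        }
    }
    return false;
}

// The cleanup step (cron job or on each request): drop rows outside the window.
function purge_old(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM login_error WHERE attempted_at <= ?');
    $stmt->execute([$now - WINDOW_SECONDS]);
    return $stmt->rowCount();
}

// Constructed scenario: three failures for "alice", each from a different documentation-range IP.
$db = throttle_db();
$t0 = 1183200000; // constructed timestamp
foreach (['192.0.2.10', '198.51.100.7', '203.0.113.5'] as $i => $ip) {
    record_failure($db, 'alice', $ip, $t0 + $i);
}
var_dump(is_locked_out($db, 'alice', '192.0.2.99', $t0 + 10));   // username check, new IP
var_dump(is_locked_out($db, 'bob', '192.0.2.10', $t0 + 10));     // IP check, other username
var_dump(is_locked_out($db, 'alice', '192.0.2.99', $t0 + 1810)); // same check after the window
var_dump(purge_old($db, $t0 + 1810));                            // rows removed by cleanup
```

Counting by username also means repeated bad guesses keep the real owner of that account out for the window, which is a trade-off of the per-username approach.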

redarrow Posted June 30, 2007
Also add a good captcha on the form so you know they're human.

rcorlew Posted June 30, 2007
You could also log the MAC address, which is much harder than IP addy to fake, each MAC address is unique. You would have to use JavaScript to get it though, I do believe, although I have seen it done, just never really tried to do it myself.

BrandonE97 (Author) Posted July 1, 2007
Thanks guys, you've definitely given me a lot to work on.