faulty_by_design Posted July 11, 2007

Hello all,

I'm building a site where members can log in, and I would appreciate it if anybody can help me with a way to limit the number of retries allowed for a login?

What I was thinking is to create a cookie at the login page with a variable set to 0. Then after a failed login, it increments the variable by 1 until after 5 retries the variable reaches 5. My problem is then how to set a time limit until they can try logging in again? Would setting a time limit on the destruction of the cookie be the best way?

Or even, is there a better way than using cookies to complete the task, seeing as if somebody deletes the cookie it resets anyway? I had thought of a session, but then just closing the browser would reset it (am I right?).

per1os Posted July 11, 2007

After the 5th retry, call a function to store the IP etc. in a database with the timestamp that is either 5 minutes etc. ahead or the exact time of the 5th retry. After a certain amount of time that entry should be deleted. But if the IP is in that db you should not allow them to try it.

yzerman Posted July 11, 2007

I would make a table in your database like so:

login_attempt

Have 2 entries in this table:

- ip
- time

Then, add a statement to your login function that does both of these:

- Counts the number of login attempts from that IP within a certain time frame, and adds an attempt conditional to them (try more than 5 times in 5 minutes and you're locked out of the site).
- Inserts the IP and time into the login_attempt table every time he/she hits submit.

Locking the account does nothing but make the user register another one; locking the IP prevents them from registering, or using any of the account functions on the site, until that 5 minutes is up.

faulty_by_design Posted July 11, 2007 (Author)

That sounds great, but now the problem is I have no idea how to accomplish what ye say! I'm not very experienced with PHP. I'm sure I'll be able to find a tutorial on how to get the IP address somewhere from Google, and I know how to communicate with MySQL, add the info and so on. The problem would be how to count the number of attempted logins?

What I am thinking now (please, correct me if I'm wrong!) is:

->Write a program to check if, after a failed login, their IP is in the database. If not, then put it in and set column->numAttempts to 1.
->Then reload the login page to try again. If it is another failure, check if the IP is in the database and if it is then check to see what column->numAttempts holds and increase by 1.
->Keep repeating until column->numAttempts reaches 5.
->When the login page loads and it sees the IP that is attempting to login has column->numAttempts=5, it loads a different page saying that login is disabled.

That seems to me like it could work and is something like you are suggesting? But it still leaves me with the problem of how do I delete the record from the database after a set amount of time?

Thanks for ye'r help!

faulty_by_design Posted July 11, 2007 (Author)

I don't think it's exactly what you guys were suggesting, but I've sorted it (I think!). Thanks!
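
The login_attempt (ip, time) table suggested above and the question of how to expire records, as an added PHP sketch that is not code from any poster in this thread: attempts are counted inside a sliding window, so old rows stop mattering on their own and are purged as a housekeeping step. The function names, the constants, the sample IP and timestamp, and the in-memory SQLite connection standing in for MySQL are all assumptions made for the example.

```php
<?php
// Added example, not from the thread. Table and column names follow the
// login_attempt(ip, time) suggestion; everything else is hypothetical.
const MAX_ATTEMPTS   = 5;    // attempts allowed per window
const WINDOW_SECONDS = 300;  // 5 minutes

function createTable(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS login_attempt (
                   ip   VARCHAR(45) NOT NULL,
                   time INTEGER     NOT NULL)');
}

// True when this IP has already used MAX_ATTEMPTS tries inside the window.
function isLockedOut(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM login_attempt WHERE ip = ? AND time > ?');
    $stmt->execute([$ip, $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() >= MAX_ATTEMPTS;
}

// Record one submit, then purge rows that have aged out of the window.
// Prepared statements keep the IP string out of the SQL text.
function recordAttempt(PDO $db, string $ip, int $now): void
{
    $db->prepare('INSERT INTO login_attempt (ip, time) VALUES (?, ?)')
       ->execute([$ip, $now]);
    $db->prepare('DELETE FROM login_attempt WHERE time <= ?')
       ->execute([$now - WINDOW_SECONDS]);
}

// Constructed demo. A real login page would pass $_SERVER['REMOTE_ADDR']
// and time() instead of these sample values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createTable($db);
$ip = '203.0.113.7';   // constructed, documentation address range
$t0 = 1184150000;      // constructed Unix timestamp

for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    if (!isLockedOut($db, $ip, $t0 + $i)) {
        recordAttempt($db, $ip, $t0 + $i);   // five submits in five seconds
    }
}
var_dump(isLockedOut($db, $ip, $t0 + 10));   // sixth try, inside the window
var_dump(isLockedOut($db, $ip, $t0 + 305));  // after the window has passed
```

Call isLockedOut() before checking the password and recordAttempt() on each submit; because the count only looks at rows newer than the window, the lockout lifts by itself even if the DELETE never runs.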